Adding Roles

Prerequisites

Ensure SAML.to is installed in your GitHub Organization or User Account.

Add or Update an IAM Role

Create a new role
  1. Click Create Role

    1. Trusted entity type: SAML 2.0 federation

    2. SAML 2.0-based provider: Choose the provider.

      1. If SAML.to isn't in the list, add SAML.to to the AWS account first.

    3. Allow programmatic and AWS Management Console access

    4. Attribute: SAML:aud

    5. Value: https://signin.aws.amazon.com/saml

  2. Continue the remaining steps to create the role

  3. Copy the Role ARN

Use an existing role
  1. Copy the Provider ARN of SAML.to from AWS IAM Providers

    1. If SAML.to isn't in the list, add SAML.to to the AWS account first.

  2. Click the Trust Relationships tab

  3. Click Edit trust policy

  4. Add the following Statement to the trust policy, replacing THE_PROVIDER_ARN with the Provider ARN copied above, then save the policy and keep the Provider ARN for the saml-to.yml step below

{
  "Effect": "Allow",
  "Principal": {
      "Federated": "THE_PROVIDER_ARN"
  },
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {
      "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
      }
  }
}

Update saml-to.yml

Add the following block to permissions.aws.roles in saml-to.yml, replacing THE-ROLE-ARN with the Role ARN and THE-PROVIDER-ARN with the Provider ARN noted above:

      - name: THE-ROLE-ARN
        provider:
          variables:
            providerArn: THE-PROVIDER-ARN
        users:
          github:
            - some-github-user
            - another-github-user
        repos:
          github:
            - some-repo
            - another-org/some-other-repo
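Before committing saml-to.yml, it is worth confirming that the role's trust policy and the roles entry agree: the policy must trust exactly the providerArn named in the entry, allow sts:AssumeRoleWithSAML, and pin SAML:aud to the AWS sign-in audience. The check below is an added example, not part of SAML.to or its docs; the ARNs and the role entry are constructed placeholders, and the entry is written as a Python dict that mirrors the YAML block above so the script runs without a YAML library.

```python
import json

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed trust policy in the shape produced by the "Use an existing role" steps
# (placeholder account id and provider name, not real values).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/SAML.to"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}""")

# Constructed stand-in for one entry under permissions.aws.roles in saml-to.yml.
ROLE_ENTRY = {
    "name": "arn:aws:iam::123456789012:role/Developers",
    "provider": {"variables": {"providerArn": "arn:aws:iam::123456789012:saml-provider/SAML.to"}},
    "users": {"github": ["some-github-user"]},
}


def check_trust_policy(policy: dict, role_entry: dict) -> list:
    """Return findings as strings; an empty list means the policy matches the entry."""
    findings = []
    provider_arn = role_entry["provider"]["variables"]["providerArn"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    saml_statements = []
    for s in statements:
        actions = s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if s.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions:
            saml_statements.append(s)
    if not saml_statements:
        return ["no Allow statement for sts:AssumeRoleWithSAML"]
    for s in saml_statements:
        federated = s.get("Principal", {}).get("Federated", [])
        if isinstance(federated, str):
            federated = [federated]
        if provider_arn not in federated:
            findings.append(f"statement trusts {federated}, not providerArn {provider_arn}")
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:  # missing or wrong audience condition
            findings.append(f"SAML:aud condition is {aud!r}, expected {AWS_SAML_AUDIENCE!r}")
    return findings
```

Run it against the trust policy pasted from the role's Trust Relationships tab and the entry you are about to add; any finding means the role will not be assumable the way the entry expects.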
