AWSTemplateFormatVersion: "2010-09-09"
Description: "IAM Role for GHA"

Parameters:
  # GitHub repository in "owner/name" form whose workflows may assume the role.
  # Referenced by both the OIDC audience (ClientIdList) and the trust-policy
  # subject condition, so the two stay in sync.
  RepoName:
    Type: String
    Default: korosuke613/playground
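Resources:
  # Role that GitHub Actions workflows of ${RepoName} assume through OIDC
  # federation (no long-lived AWS keys stored in the repository).
  Role:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: deploying needs CAPABILITY_NAMED_IAM, and only one stack
      # per account can own this role.
      RoleName: GitHub
      AssumeRolePolicyDocument:
        # Same policy-language version as the permissions policy below
        # (the trust policy previously fell back to the older default).
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GithubOidc
            Condition:
              # Defence in depth: pin the token audience to the single value the
              # provider's ClientIdList accepts today, so a later widening of
              # that list cannot silently widen who may assume this role.
              StringEquals:
                "vstoken.actions.githubusercontent.com:aud": !Sub "https://github.com/${RepoName}"
              # Trailing "*" lets every ref, environment and pull_request subject
              # of the repository assume the role. Narrow it (for example to
              # ":ref:refs/heads/main") if only one branch should deploy.
              StringLike:
                "vstoken.actions.githubusercontent.com:sub": !Sub "repo:${RepoName}:*"

  # Permissions granted to the role. Deliberately minimal: only
  # sts:GetCallerIdentity, enough for a workflow to confirm its identity.
  Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: GitHubActions
      Roles:
        - !Ref Role
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:GetCallerIdentity
            # Quoted: a bare "*" would be read as a YAML alias.
            Resource: "*"

  # Identity provider that makes AWS trust tokens issued by GitHub.
  # NOTE(review): GitHub's documented issuer is token.actions.githubusercontent.com;
  # confirm the "vstoken" hostname is still the one this repository's tokens use.
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://vstoken.actions.githubusercontent.com
      # The only audience the provider accepts; the workflow must request
      # exactly this value when it fetches its OIDC token.
      ClientIdList:
        - !Sub "https://github.com/${RepoName}"
      # Thumbprint AWS uses to validate the issuer's TLS certificate.
      # NOTE(review): certificate chains rotate; confirm it is still current.
      ThumbprintList:
        - "a031c46782e6e6c662c2c87c76da9aa62ccabd8e"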
Outputs:
  # ARN of the role a workflow passes when assuming it via OIDC.
  Role:
    Value: !GetAtt Role.Arn