AWS Developer Tools

Release with a Pipeline: Continuous Delivery to AWS with GitHub Actions

Updated June 23, 2025

Architecture Overview

The workflow is triggered when a developer pushes code to the main branch of a GitHub repository.

  1. A git push to the main branch triggers the GitHub Actions workflow.

  2. The workflow uses a secure OpenID Connect (OIDC) connection to assume an IAM Role in AWS, avoiding the need for long-lived access keys.

  3. A job within the workflow checks out the code, builds the application (if necessary), and deploys the resulting files.

  4. The deployment step syncs the static files to an Amazon S3 bucket configured for website hosting.

  5. (Optional) The final step invalidates the Amazon CloudFront cache to ensure users see the latest version of the site immediately.


Step 1: Configure the AWS IAM Role for GitHub Actions (OIDC)

Using OIDC is the most secure way to grant GitHub Actions access to your AWS account: the workflow exchanges a short-lived, GitHub-signed token for temporary AWS credentials, so no long-lived access keys need to be stored as repository secrets.

  1. Create the OIDC Identity Provider in IAM:

    • Navigate to the IAM console -> Identity providers.

    • Click Add provider.

    • Select OpenID Connect.

    • For Provider URL, enter https://token.actions.githubusercontent.com.

    • For Audience, enter sts.amazonaws.com.

    • Click Get thumbprint and then Add provider.

  2. Create the IAM Role:

    • Navigate to IAM -> Roles and click Create role.

    • For Trusted entity type, select Custom trust policy.

    • Paste the following JSON policy. Replace YOUR_AWS_ACCOUNT_ID, YOUR_GITHUB_USERNAME and YOUR_GITHUB_REPO_NAME with your account and repository details. The aud condition checks that the token was issued for AWS STS, and the sub condition limits the role to workflows running on the main branch of that one repository.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                        "token.actions.githubusercontent.com:sub": "repo:YOUR_GITHUB_USERNAME/YOUR_GITHUB_REPO_NAME:ref:refs/heads/main"
                    }
                }
            }
        ]
    }

    • Click Next.
  3. Add Permissions to the Role:

    • Create a new permissions policy to allow deploying to S3 and invalidating CloudFront.

    • Click Create policy, select the JSON tab, and paste the following. Replace YOUR_S3_BUCKET_NAME and YOUR_CLOUDFRONT_DISTRIBUTION_ID.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3DeployAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:ListBucket",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::YOUR_S3_BUCKET_NAME",
                    "arn:aws:s3:::YOUR_S3_BUCKET_NAME/*"
                ]
            },
            {
                "Sid": "CloudFrontInvalidationAccess",
                "Effect": "Allow",
                "Action": "cloudfront:CreateInvalidation",
                "Resource": "arn:aws:cloudfront::YOUR_AWS_ACCOUNT_ID:distribution/YOUR_CLOUDFRONT_DISTRIBUTION_ID"
            }
        ]
    }

    • Save this policy, then attach it to the role you are creating.

    • Finish creating the role and make a note of its ARN.
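To see what the trust policy's Condition block actually admits, the following added example (not part of the original article) evaluates a policy shaped like the one above against sample GitHub OIDC token claims the way STS does for AssumeRoleWithWebIdentity. The account id, organization and repository names are constructed placeholders, and only the StringEquals and StringLike operators are modelled. It goes beyond the article by also showing what changes when the sub pin is loosened to a repository-wide wildcard.

```python
"""Evaluate a GitHub OIDC trust policy against sample token claims.

Added example, not code from the article. All identifiers below are constructed
sample values. Only StringEquals and StringLike are implemented, which are the
operators used in GitHub Actions trust policies.
"""
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"

# Constructed trust policy mirroring the article's, with a fake account id and repo.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:example-org/example-site:ref:refs/heads/main"
      }
    }
  }]
}
""")


def _matches(operator, expected, actual):
    """Apply one IAM string condition operator; a list of policy values is an OR."""
    if actual is None:  # claim absent from the token: the condition cannot hold
        return False
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":  # IAM wildcards * and ? behave like shell globs
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def evaluate_trust_policy(policy, claims):
    """Return True if any Allow statement for AssumeRoleWithWebIdentity holds for the claims."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                issuer, claim = key.split(":", 1)  # "<issuer>:sub" -> ("<issuer>", "sub")
                if issuer != ISSUER or not _matches(operator, expected, claims.get(claim)):
                    ok = False
        if ok:
            return True
    return False


def github_claims(sub, aud="sts.amazonaws.com"):
    """Constructed subset of the claims GitHub puts in a workflow's OIDC token."""
    return {"iss": "https://" + ISSUER, "aud": aud, "sub": sub}


# Constructed tokens for the workflow events a deploy role is most likely to see.
SAMPLE_TOKENS = {
    "push to main": github_claims("repo:example-org/example-site:ref:refs/heads/main"),
    "push to feature branch": github_claims("repo:example-org/example-site:ref:refs/heads/feature"),
    "pull_request event": github_claims("repo:example-org/example-site:pull_request"),
    "other repo, same org": github_claims("repo:example-org/other-repo:ref:refs/heads/main"),
    "wrong audience": github_claims("repo:example-org/example-site:ref:refs/heads/main", aud="other"),
}


def with_sub_pattern(policy, pattern):
    """Copy of the policy with the sub pin replaced by a StringLike wildcard."""
    loose = json.loads(json.dumps(policy))
    cond = loose["Statement"][0]["Condition"]
    cond["StringEquals"].pop(f"{ISSUER}:sub")
    cond["StringLike"] = {f"{ISSUER}:sub": pattern}
    return loose


def decisions(policy):
    """Map each sample token to the allow/deny outcome under the given policy."""
    return {name: evaluate_trust_policy(policy, claims) for name, claims in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    variants = [
        ("sub pinned to refs/heads/main", TRUST_POLICY),
        ("sub loosened to repo:example-org/example-site:*",
         with_sub_pattern(TRUST_POLICY, "repo:example-org/example-site:*")),
    ]
    for label, policy in variants:
        print(label)
        for name, allowed in decisions(policy).items():
            print(f"  {'ALLOW' if allowed else 'DENY '}  {name}")
```

With the branch pin from the article, only the push-to-main token is accepted; feature-branch pushes, pull_request runs, other repositories and tokens minted for a different audience are all refused. Replacing the pin with a repository-wide wildcard keeps other repositories out but lets any workflow in that repository, including pull_request runs, assume the deploy role, which is why the article pins the branch.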

Step 2: Create the GitHub Actions Workflow File

In your GitHub repository, create a directory .github/workflows/ and add a YAML file inside it named deploy-to-aws.yml.

name: Deploy Website to AWS S3

# Trigger the workflow on push events to the main branch
on:
  push:
    branches:
      - main
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Grant the workflow permissions to get an OIDC token from GitHub
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    name: Build and Deploy
    runs-on: ubuntu-latest

    steps:
      # Step 1: Check out the repository's code
      - name: Checkout code
        uses: actions/checkout@v4

      # Step 2: Configure AWS credentials using OIDC
      # Replace the role-to-assume with the ARN of the IAM role you created
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_IAM_ROLE_NAME
          aws-region: us-east-1 # Or your desired AWS region

      # Step 3: (Optional) Install dependencies and build your application
      # This example is for a Node.js project. Adapt for your needs.
      - name: Install dependencies
        run: npm install
      - name: Build application
        run: npm run build

      # Step 4: Deploy static files to S3
      # Replace YOUR_S3_BUCKET_NAME. The build/ directory is standard for create-react-app.
      - name: Deploy to S3
        run: |
          aws s3 sync ./build s3://YOUR_S3_BUCKET_NAME --delete

      # Step 5: (Optional) Invalidate CloudFront cache
      # Replace YOUR_CLOUDFRONT_DISTRIBUTION_ID
      - name: Invalidate CloudFront
        run: |
          aws cloudfront create-invalidation --distribution-id YOUR_CLOUDFRONT_DISTRIBUTION_ID --paths "/*"

Important: Replace all placeholder values (YOUR_...) with your actual resource names and IDs.
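Before committing the workflow, it is worth checking that it still follows the OIDC pattern this article relies on: the job can request an id-token, repository contents stay read-only, no static AWS keys are referenced, and every placeholder has been replaced. The following added example (not part of the original article) performs those checks with standard-library regular expressions over the file text; the two sample workflows are constructed, with a fake account id, role name and bucket.

```python
"""Static checks for the deploy workflow described in Step 2.

Added example, not code from the article. Line-oriented regular expressions are
used instead of a YAML parser so the script needs only the standard library.
The sample workflows below are constructed for the demonstration.
"""
import re

# (description, pattern, whether the pattern must be present)
CHECKS = [
    ("job can request an OIDC token (id-token: write)",
     r"^\s*id-token:\s*write\b", True),
    ("repository contents stay read-only for the deploy job",
     r"^\s*contents:\s*write\b", False),
    ("no long-lived access keys are referenced",
     r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY", False),
    ("role-to-assume is a concrete role ARN (placeholder replaced)",
     r"^\s*role-to-assume:\s*arn:aws:iam::\d{12}:role/[\w+=,.@-]+\s*$", True),
    ("no unreplaced YOUR_... placeholders remain",
     r"\bYOUR_[A-Z0-9_]+\b", False),
]


def lint_workflow(text):
    """Return the descriptions of every failed check for a workflow file's text."""
    failures = []
    for description, pattern, must_be_present in CHECKS:
        found = re.search(pattern, text, re.MULTILINE) is not None
        if found != must_be_present:
            failures.append(description)
    return failures


# Constructed workflow following the article, with placeholders filled in.
GOOD_WORKFLOW = """
name: Deploy Website to AWS S3
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./build s3://example-site-bucket --delete
"""

# Constructed workflow that uses static keys from secrets, over-broad contents
# permission, and still carries an unreplaced bucket placeholder.
BAD_WORKFLOW = """
name: Deploy Website to AWS S3
on:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: aws s3 sync ./build s3://YOUR_S3_BUCKET_NAME --delete
"""


def lint_file(path):
    """Lint a workflow file on disk; returns the same failure list as lint_workflow."""
    with open(path, encoding="utf-8") as handle:
        return lint_workflow(handle.read())


if __name__ == "__main__":
    for label, text in [("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)]:
        failures = lint_workflow(text)
        print(f"{label}: {'OK' if not failures else 'FAIL'}")
        for failure in failures:
            print(f"  - {failure}")
```

Run lint_file(".github/workflows/deploy-to-aws.yml") from a pre-commit hook or a separate CI job to catch a workflow that quietly reverted to static keys or shipped with a YOUR_... placeholder still in place.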

Step 3: Commit and Push to Trigger the Workflow

  1. Commit the deploy-to-aws.yml file to your local repository.

  2. Push the changes to the main branch on GitHub.

    git add .github/workflows/deploy-to-aws.yml
    git commit -m "Add GitHub Actions workflow for AWS deployment"
    git push origin main


Step 4: Monitor the Workflow and Verify Deployment

  1. In your GitHub repository, click on the Actions tab.

  2. You will see your "Deploy Website to AWS S3" workflow running. Click on it to see the live logs for each step.

  3. If the workflow completes successfully, all steps will have a green checkmark.

  4. Navigate to your S3 bucket's website endpoint or your CloudFront domain name. You should see your newly deployed application.