Recommended AWS Configuration
This page presents the recommended AWS setup for PullPreview on Lightsail.
Prefer short-lived credentials via GitHub OIDC instead of long-lived AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
In your workflow:
- grant the `id-token: write` permission
- call `aws-actions/configure-aws-credentials` with `role-to-assume`
- run PullPreview after credentials are configured
Example (job-level fragment; the `on:` triggers and PullPreview's own inputs are omitted):

```yaml
jobs:
  pullpreview:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # required for the OIDC token request
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v5
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::123456789012:role/pullpreview
          aws-region: us-east-1
      - uses: pullpreview/action@v6
```

Official setup docs:
- GitHub: Configuring OpenID Connect in Amazon Web Services
- AWS IAM: Create an OpenID Connect (OIDC) identity provider
- AWS IAM: Create a role for OIDC federation
PullPreview only requires Lightsail API access, so keep the role's permissions policy limited to that:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Also restrict the role's trust policy to your repository (and optionally a branch or environment) using conditions on the OIDC token claims, so that only workflows from that repository can assume the role.
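As an added illustration (not part of the PullPreview docs or project), this is a trust policy for the `pullpreview` role that only accepts GitHub OIDC tokens issued for one repository. The account ID `123456789012`, the repository `my-org/my-repo` and the branch `main` are placeholders; the `aud` value `sts.amazonaws.com` is the audience `aws-actions/configure-aws-credentials` requests by default.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:*"
        }
      }
    }
  ]
}
```

The `sub` claim is what scopes the role: `repo:my-org/my-repo:*` accepts any workflow run in that repository, including pull-request runs, which is what a preview-environment action needs. To tighten it further, replace the wildcard with `repo:my-org/my-repo:ref:refs/heads/main` (one branch), `repo:my-org/my-repo:environment:preview` (one GitHub environment) or `repo:my-org/my-repo:pull_request` (pull-request events only); with `StringEquals` instead of `StringLike` once no wildcard remains. Leaving `sub` unconstrained would let any GitHub repository that targets this provider assume the role, so never omit it.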
For security and billing separation, you can create a dedicated AWS account for preview environments and place the OIDC provider and role there, so a compromised preview workflow cannot reach resources in your main account.
→ Procedure to create AWS sub-accounts
If your org cannot use OIDC yet, use a dedicated IAM user with a dedicated access key pair scoped to PullPreview only, keep the same least-privilege Lightsail policy, store the keys as GitHub secrets (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`), and rotate them regularly.