Overview
Managing containerized applications efficiently is crucial for modern DevOps workflows. One of the best ways to automate Docker image deployment is by integrating GitHub Actions with AWS Elastic Container Registry (ECR).
In past post, we create Github actions pipeline and deployed image on Github registry https://ghcr.io.
Instead of using IAM access keys, we will use AWS OIDC authentication with GitHub Actions. This eliminates the risk of storing long-lived credentials and improves security by relying on short-lived session tokens.
Why Use AWS OIDC Authentication?
✅ No hardcoded secrets – Eliminates long-lived IAM access keys
✅ Enhanced security – Uses short-lived tokens for GitHub Actions
✅ Less maintenance – No need to rotate IAM credentials manually
Step 1: Create Github Repo
Create a Github repo
Step 2: Create an AWS IAM Role for GitHub OIDC
AWS provides OIDC (OpenID Connect) integration with GitHub to authenticate your GitHub Actions workflows securely.
1.1 Create an OIDC Identity Provider in AWS
- Search for IAM in AWS search bar
- Select Identity Provider from the left sidebar
- Click Add Provider
Select provider type as OpenID Connect
Provider URL as https://token.actions.githubusercontent.com
Audience as sts.amazonaws.com
It should look like as shared in the below screenshot.
Now, click on Add Provider at the bottom.
1.2 Create an IAM Role for GitHub Actions
Now, create an IAM role with OIDC trust policy for GitHub Actions.
Search for IAM service again and select Role from the sidebar.
Click to Create Role
Add policy (permissions) to this Role
Provide name to the IAM role and Click Create Role at the bottom.
📌 Note: This policy provides permissions for listing, pushing, and pulling images.
Step 3: Create ECR Repository
Search for ECR service in AWS services, select Elastic Container Registry.
Create Repository
Step 4: Add Github Action Workflow
We will use Github Action workflow to create pipeline.
Go to: GitHub Repository → Settings → Actions → General
Scroll down to Workflow permissions and select: ✅ Read and write permissions
Under Actions → Secrets and variables → Actions,
Add:
AWS_ROLE_ARN → arn:aws:iam:::role/GitHub-Actions-ECR-Role
AWS_REGION → Your AWS Region to use
AWS_ACCOUNT_ID -> Your AWS account ID
ECR_REPOSITORY -> Put ECR Repository name created in
In your repository,
Add application code. I will deploy code according to Lambda function with this pipeline in next article so i will write code for lambda_functions. Add file with the below code to your repo: lambda_function.py
#filename - lambda_function.py
import json
from flask import Flask, jsonify
app = Flask(__name__)
@app.route('/')
def home():
return """<!DOCTYPE html>
<html>
<head>
<title>AITechNav Homepage</title>
</head>
<body>
<h1>You did it!</h1>
<br> <br>
<p>This page is served from an AWS Lambda container.</p>
</body>
</html>"""
def lambda_handler(event, context):
"""AWS Lambda handler function"""
return {
"statusCode": 200,
"headers": {"Content-Type": "text/html"},
"body": home()
}
if __name__ == "__main__":
app.run(host="0.0.0.0", port=8080)
add a small file requirements.txt
flask
Step 5: Add DockerFile
Add Dockerfile in the root path of repository. This will use base image as Python 3.12, create a directory /var/task.
Then, we will copy lambda_function.py and requirements.txt files to /var/task so we can install dependencies and execute Python file to execute on Lambda function.
DockerFile will be create container image in Github Action workflow.
# Use Amazon Linux 2 Lambda base image for Python 3.12
FROM public.ecr.aws/lambda/python:3.12
# Set working directory inside the container
WORKDIR /var/task
# Copy application files
COPY lambda_function.py .
COPY requirements.txt .
# Install dependencies
RUN pip install --upgrade pip && pip install -r requirements.txt
# Set the Lambda handler
CMD ["lambda_function.lambda_handler"]
Step 5: Create a GitHub Actions Workflow
Now, create a GitHub Actions workflow file to authenticate with AWS via STS and push the Docker image to ECR.
📄 File Path: .github/workflows/deploy.yml
name: Deploy App
on:
push:
branches:
- main
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::302263053017:role/pipeline
role-session-name: GitHubActions
aws-region: us-east-1
audience: sts.amazonaws.com
- name: Set Image Tag
run: echo "IMAGE_TAG=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
- name: Login to Amazon ECR
run: |
aws ecr get-login-password --region ${{ vars.AWS_REGION }} | docker login --username AWS --password-stdin ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com
- name: Build and Push Docker Image to ECR
run: |
docker build -t flask-app .
docker tag flask-app:latest ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ vars.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
docker push ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ vars.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
Step 6: Commit and Push the Workflow File
Now, commit and push the workflow file to your GitHub repository:
git add .github/workflows/deploy.yml
git commit -m "Add GitHub Actions workflow with OIDC for ECR deployment"
git push origin main
GitHub Actions will trigger the deployment without using IAM access keys.
Step 7: Verify Image in AWS ECR
To confirm that the image was successfully pushed:
Go to AWS Console → ECR → Repositories
Click on your repository (my-app)
You should see the newly pushed Docker image with the latest tag
Conclusion
By integrating GitHub Actions with AWS STS OIDC authentication, we have securely automated Docker image deployments to AWS ECR. No static IAM credentials required!
** Next Steps: **
Extend the workflow to deploy images to AWS Lambda which we will do in next article
Top comments (0)