build.allanninal.dev

Part 2 of 7 · AWS autoposting series ~3 min read

How code becomes a working system

You save your work, push to GitHub, walk away. The cloud handles the rest — and never holds a long-lived password.

Here’s the path your code takes from your laptop to a running system in AWS.

Build and deploy pipeline using GitHub Actions and OIDC A vertical flow showing how code becomes a working system. From top: Your laptop pushes code via git to a GitHub repo, which triggers GitHub Actions. GitHub Actions exchanges with AWS IAM via OIDC: it asks for a token, IAM issues a short-lived (about one hour) key. Actions then runs SAM/CloudFormation to deploy, which updates your cloud resources: Lambdas, EventBridge, DynamoDB, S3, etc. Your laptop where you write code git push GitHub repo your private repo triggers GitHub Actions runs lint & tests AWS IAM issues short-lived key OIDC ~1hr key deploys SAM / CloudFormation applies the change set updates Lambdas · EventBridge · DynamoDB · S3 · Secrets Manager
Fig 2. Push to GitHub, the cloud updates itself — with a key that expires in an hour.

The old way vs the new way

Old way. Copy files to a server, SSH in, restart things, hope nothing breaks. Store the AWS password in GitHub Secrets so the deploy script can use it — and pray it never leaks.

New way. Push to GitHub, walk away. The cloud handles the rest.

If something breaks, you undo your change and push again. The cloud rolls back too — CloudFormation reverts to the previous state automatically.

Why no passwords are stored anywhere

The most common cause of compromised AWS accounts is a long-lived access key sitting in a GitHub Secrets vault — checked in by accident, shared with the wrong person, or scraped by a bot.

There’s a better way. Instead of storing a key, GitHub Actions sends AWS a short-lived ID badge that says “I am the build job for this exact repo, on this exact branch.” AWS checks the badge and hands back temporary credentials that expire in about an hour. (The standard for this back-and-forth is called OIDC — OpenID Connect — if you want to look it up.)

Nothing to leak. Nothing to rotate. If the temporary key ever ended up somewhere it shouldn’t, it’s already expired before anyone could use it.

The trust boundary, in one line

AWS only hands out credentials when the badge says “repo: yourname/yourrepo, branch: main”. A different repo, a different branch, or a pull request from someone else’s fork — no credentials. No deploy.

What gets deployed

Everything is described in one file: template.yaml. SAM (Serverless Application Model) is a thin layer over CloudFormation that lets you describe Lambdas, schedules, queues, and tables in a few dozen lines instead of a few hundred. One sam deploy applies the entire stack: a single source of truth, no clicking around in the AWS console.

All posts