Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

GitHub Actions

This page shows the recommended non-interactive setup for GitHub Actions using the cloudexit action wrapper.

AWS - Static Auth

name: cloudexit-aws-static
on:
  workflow_dispatch:

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Run cloudexit
        id: run_cloudexit
        uses: escapecloud/cloudexit-actions@v1
        with:
          provider: aws
          auth-mode: static
          exit-strategy: "1"
          assessment-type: "1"
          host: ""
          key: ""
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

AWS - OIDC Auth

name: cloudexit-aws-oidc
on:
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ vars.AWS_DEFAULT_REGION }}

      - name: Run cloudexit
        id: run_cloudexit
        uses: escapecloud/cloudexit-actions@v1
        with:
          provider: aws
          auth-mode: oidc
          exit-strategy: "1"
          assessment-type: "1"
          host: ""
          key: ""
        env:
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

Azure - Static Auth

name: cloudexit-azure-static
on:
  workflow_dispatch:

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Run cloudexit
        id: run_cloudexit
        uses: escapecloud/cloudexit-actions@v1
        with:
          provider: azure
          auth-mode: static
          exit-strategy: "1"
          assessment-type: "1"
          host: ""
          key: ""
        env:
          ESC_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ESC_RESOURCE_GROUP: ${{ secrets.AZURE_RESOURCE_GROUP }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}

Azure - OIDC Auth

name: cloudexit-azure-oidc
on:
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_OIDC }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Create federated token file for Docker action
        shell: bash
        run: |
          OIDC_TOKEN="$(curl -sS \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" \
            | jq -r '.value')"

          TOKEN_FILE="${RUNNER_TEMP}/azure_federated_token"
          printf '%s' "${OIDC_TOKEN}" > "${TOKEN_FILE}"

          echo "AZURE_FEDERATED_TOKEN_FILE=${TOKEN_FILE}" >> "${GITHUB_ENV}"

      - name: Run cloudexit
        id: run_cloudexit
        uses: escapecloud/cloudexit-actions@v1
        with:
          provider: azure
          auth-mode: oidc
          exit-strategy: "1"
          assessment-type: "1"
          host: ""
          key: ""
        env:
          ESC_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ESC_RESOURCE_GROUP: ${{ secrets.AZURE_RESOURCE_GROUP }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_OIDC }}
          AZURE_FEDERATED_TOKEN_FILE: ${{ env.AZURE_FEDERATED_TOKEN_FILE }}