Deploying to AWS, Azure, and GCP with GitHub Actions

TopicTrick Team

Manually building and uploading code to cloud environments is error-prone and insecure. GitHub Actions provides official, well-maintained integrations for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). By leveraging OpenID Connect (OIDC), you can securely authenticate your CI/CD pipelines without ever storing long-lived, dangerous cloud credentials inside your GitHub repository.

The Security Problem: Long-Lived Credentials

Historically, to deploy to AWS from GitHub, you would:

  1. Create an IAM User in AWS.
  2. Generate an Access Key ID and Secret Access Key.
  3. Paste these keys into GitHub Secrets.

This is a massive security risk. If your GitHub account or repository secrets are compromised, those keys can be stolen. Worse, those keys never expire: an attacker who obtains them has standing access to your cloud account until you notice and manually rotate them.


A Better Way: OpenID Connect (OIDC)

Today, the industry standard is OIDC. With OIDC, GitHub and your cloud provider establish a trust relationship. When a workflow starts, GitHub issues a short-lived token that tells the cloud provider: "This runner is definitely authorized by Repository X to perform Action Y."

Since these tokens last for only a few minutes, there is no long-lived secret to steal.


Deploying to AWS

AWS provides a dedicated action that performs the OIDC token exchange and assumes an IAM role on the runner's behalf.

This workflow assumes a specific IAM role with just enough permissions to upload to S3. No static access keys required!
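The following workflow is an added example, not the article's own, of the AWS flow just described: the job requests an OIDC token, `aws-actions/configure-aws-credentials` exchanges it for short-lived role credentials, and the build output is synced to S3. The account id, role name, bucket, region and build directory are placeholders.

```yaml
name: Deploy static site to S3 via OIDC

on:
  push:
    branches: [main]

# id-token: write is what lets the job request an OIDC token from GitHub;
# without it the credentials step fails. Everything else stays read-only.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Authenticate to AWS (no static keys in GitHub Secrets)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder account id and role name: replace with your own role,
          # whose trust policy must only admit this repository and branch.
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-role
          # Session name shows up in CloudTrail, so tie it to the run for auditing
          role-session-name: gha-${{ github.run_id }}
          aws-region: us-east-1

      - name: Confirm which identity the runner assumed
        run: aws sts get-caller-identity

      - name: Sync build output to the bucket (placeholder names)
        run: aws s3 sync ./public s3://example-site-bucket --delete
```

The security of this setup lives in the role's trust policy: it must check the `token.actions.githubusercontent.com:aud` claim is `sts.amazonaws.com` and pin `token.actions.githubusercontent.com:sub` to `repo:ORG/REPO:ref:refs/heads/main`, otherwise any GitHub repository could assume the role.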


Deploying to Microsoft Azure

Since Microsoft owns both GitHub and Azure, the integration is particularly seamless.

Azure authenticates through a Service Principal, ideally configured with Workload Identity Federation (Azure's implementation of the OIDC trust) rather than a client secret.

Deploying to Google Cloud (GCP)

Google Cloud uses Workload Identity Federation to connect GitHub Actions to a service account without exporting a key file.

Frequently Asked Questions

Which cloud is easiest for GitHub Actions? Azure generally has the tightest integration because of their shared parent company (Microsoft). However, the AWS community-built actions are exceptionally robust and widely documented.

What if I'm not using a major cloud provider? If you are using a smaller provider like DigitalOcean, Linode, or Vultr, you will typically use a generic SSH action and rsync the files to the server yourself. While it works, it is far less automated than the official integrations.


Key Takeaway

Automating your cloud deployments is the final step in your CI/CD journey. By centralizing your infrastructure logic in GitHub Actions and using OIDC for passwordless, short-lived authentication, you create a delivery pipeline that is both incredibly fast and built on the highest security standards in the industry.