Composite GitHub Action that configures AWS credentials via OIDC and installs beplus Provisioning tools with optional plugins.
- Configures AWS credentials using OIDC (OpenID Connect) for secure, keyless authentication
- Constructs the IAM role ARN dynamically based on org, repo, and branch
- Verifies AWS identity
- Installs `@beplus/provisioning` globally
- Conditionally installs provisioning plugins based on inputs (e.g., `@beplus/provisioning-plugin-mobile`)
| Input | Required | Default | Description |
|---|---|---|---|
| `AWS_REGION` | No | `us-east-1` | AWS region to use |
| `BE_AWS_ACCOUNT_ID` | Yes | - | AWS Account ID where to install beplus Provisioning |
| `BE_PROVISIONING_PLUGIN_MOBILE_ENABLED` | No | `false` | Whether to install the Mobile plugin |
The action automatically constructs the IAM role ARN using the pattern:
`arn:aws:iam::{BE_AWS_ACCOUNT_ID}:role/github-actions-{org}-{repo}-{branch}-provisioning`

Example:

- Org: `bepluscloud`
- Repo: `monorepo`
- Branch: `main`
- Account: `123456789012`

Result: `arn:aws:iam::123456789012:role/github-actions-bepluscloud-monorepo-main-provisioning`
Basic usage:

```yaml
- uses: beplus/setup-beplus/provisioning@v2
  with:
    BE_AWS_ACCOUNT_ID: ${{ vars.BE_AWS_ACCOUNT_ID }}
```

With the Mobile plugin:

```yaml
- uses: beplus/setup-beplus/provisioning@v2
  with:
    BE_AWS_ACCOUNT_ID: ${{ vars.BE_AWS_ACCOUNT_ID }}
    BE_PROVISIONING_PLUGIN_MOBILE_ENABLED: true
```

With a custom AWS region:

```yaml
- uses: beplus/setup-beplus/provisioning@v1
  with:
    AWS_REGION: eu-central-1
    BE_AWS_ACCOUNT_ID: ${{ vars.BE_AWS_ACCOUNT_ID }}
```

Full workflow example:

```yaml
name: beplus Provisioning
on:
  workflow_dispatch:
permissions:
  id-token: write # Required for OIDC
  contents: read
jobs:
  update-provisioning:
    runs-on: ubuntu-latest
    environment: ${{ github.ref_name }}
    steps:
      - uses: actions/setup-node@v6
        with:
          node-version: 22.14
      - uses: beplus/setup-beplus/cli@v2
        env:
          BE_NPM_TARGET: ${{ vars.BE_NPM_TARGET }}
          BE_NPM_TOKEN: ${{ secrets.BE_NPM_TOKEN }}
        with:
          BE_CLI_VERSION: latest
          BE_NPM_AUTH: true
      - uses: beplus/setup-beplus/provisioning@v2
        with:
          BE_AWS_ACCOUNT_ID: ${{ vars.BE_AWS_ACCOUNT_ID }}
          BE_PROVISIONING_PLUGIN_MOBILE_ENABLED: ${{ vars.BE_PROVISIONING_PLUGIN_MOBILE_ENABLED }}
      - name: Run provisioning
        run: beplus-provision
```

Your AWS account must have an OIDC identity provider configured for GitHub Actions. See AWS documentation.
Create an IAM role with the following:
Trust Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:{ORG}/{REPO}:*"
        }
      }
    }
  ]
}
```

Role name: `github-actions-{org}-{repo}-{branch}-provisioning`

Permissions: @todo
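As an added example (not code from the beplus action), the shell below derives the role ARN with the README's pattern and evaluates which GitHub OIDC subject claims the trust policy's `repo:{ORG}/{REPO}:*` condition admits; the two subject formats (plain job vs. a job that sets `environment:`) are the ones GitHub issues, the org, repo, branch and account values are the README's example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the beplus action. Sample values are constructed
# from the README's example (bepluscloud / monorepo / main / 123456789012).

# build_role_arn ACCOUNT_ID ORG REPO BRANCH
# Prints arn:aws:iam::{ACCOUNT_ID}:role/github-actions-{org}-{repo}-{branch}-provisioning
build_role_arn() {
  printf 'arn:aws:iam::%s:role/github-actions-%s-%s-%s-provisioning\n' "$1" "$2" "$3" "$4"
}

# sub_matches SUB PATTERN
# Returns 0 when token subject SUB matches the IAM StringLike glob PATTERN
# (IAM's "*" wildcard behaves like the "*" of a shell case pattern).
sub_matches() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# Subject claims GitHub issues for the two job shapes shown in this README:
# a job without "environment:" and a job that declares "environment:".
branch_sub()      { printf 'repo:%s/%s:ref:refs/heads/%s\n' "$1" "$2" "$3"; }
environment_sub() { printf 'repo:%s/%s:environment:%s\n' "$1" "$2" "$3"; }

# The pattern from the README's trust policy (any ref, PR or environment in the repo).
repo_wide_pattern() { printf 'repo:%s/%s:*\n' "$1" "$2"; }

# Walk the README's example through the repo-wide pattern and through an exact
# subject used as the pattern (no wildcard), printing allow/deny for each pair.
demo() {
  org=bepluscloud; repo=monorepo; branch=main; account=123456789012
  echo "role: $(build_role_arn "$account" "$org" "$repo" "$branch")"
  for sub in "$(branch_sub "$org" "$repo" main)" \
             "$(branch_sub "$org" "$repo" feature-x)" \
             "$(environment_sub "$org" "$repo" main)"; do
    for pat in "$(repo_wide_pattern "$org" "$repo")" "$(environment_sub "$org" "$repo" "$branch")"; do
      if sub_matches "$sub" "$pat"; then verdict=allow; else verdict=deny; fi
      echo "$verdict  sub=$sub  pattern=$pat"
    done
  done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Because the wildcard admits every ref, pull request and environment subject in the repository, a role named for one branch is assumable from any of them; replacing the wildcard with the exact subject the job presents (the `environment:` form for the README's full workflow, which sets `environment: ${{ github.ref_name }}`) restricts the role to that branch.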
In your repository settings → Settings → Secrets and variables → Actions:
- Add Variable: `BE_AWS_ACCOUNT_ID` (your AWS account ID)
- Add Variable (optional): `BE_PROVISIONING_PLUGIN_MOBILE_ENABLED` (set to `true` or `1` if needed)
Alternatively, set these at the organization or environment level for use across multiple repos.
Your workflow must include the `id-token: write` permission:

```yaml
permissions:
  id-token: write
  contents: read
```