Build a GitHub Actions workflow that automatically deploys the static site to AWS S3 on every push to main. Chose AWS S3 over Netlify to stay fully within the AWS ecosystem and build transferable DevOps skills (IAM, S3, OIDC federation).
Netlify was the simpler default, but S3 was chosen deliberately: it gives hands-on experience with IAM, bucket policies, and CI-to-cloud authentication, and sets up the later custom domain (Day 18-20) and log monitoring (Day 21-22) tasks to build naturally on CloudFront and S3 access logs.
Initially scoped with long-lived IAM user access keys, then deliberately switched to OpenID Connect (OIDC) federation - GitHub Actions assumes a short-lived AWS role per run instead of storing static secrets. This is the safer, more current best practice and avoids key rotation entirely.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-
provider/token.actions.githubusercontent.com"
},
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": ["sts.amazonaws.com"]
},
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:qezman/cicd-static-site:ref:refs/heads/main"
]
}
}
}
]
}
Last activity
O.1 hour ago
Maximum session duration
1 hour
Entities that can assume this role under specified conditions.