
GitHub Actions AWS SSM OIDC: Deploy Any Application to AWS EC2 Without AWS Keys

What is GitHub Actions AWS SSM OIDC?

GitHub Actions AWS SSM OIDC describes a deployment pattern that combines three things: GitHub Actions runs the pipeline, OpenID Connect (OIDC) lets the workflow obtain short-lived AWS credentials without any stored access key, and AWS Systems Manager (SSM) runs the deploy commands on the instance without SSH. Whether you're using Laravel, Node.js, or Python, this method automates your deployment to EC2 without long-lived AWS keys in GitHub and without opening port 22.

In this tutorial, you’ll learn how to set up a fully automated CI/CD pipeline using GitHub Actions, AWS Systems Manager (SSM), and OIDC (OpenID Connect). We’ll use Laravel as an example, but this approach works with any application hosted on EC2.

🚀 Why Use GitHub Actions AWS SSM OIDC for Deployment?

Traditional deployments are often slow, insecure, and error-prone. You might be copying long-lived AWS access keys into GitHub secrets, opening SSH so a runner can reach EC2, or manually running commands to get your app live.

By combining GitHub Actions, AWS SSM and OIDC, you get:

  • 🔐 No AWS credentials stored in GitHub
  • 🚫 No SSH access required
  • 🔁 Automated deployments triggered by a code push
  • 📦 Easy integration with EC2-based deployments

✅ Prerequisites

Before we begin, make sure you have the following:

  • A GitHub repository (e.g., Laravel, Node.js, Python app)
  • An EC2 instance with your app or web server already set up
  • AWS IAM access to create roles and policies

Step 1: Setup AWS for GitHub OIDC Authentication

1.1 Add GitHub as an OIDC Identity Provider

  1. Go to AWS IAM > Identity Providers > Add Provider
  2. Choose OIDC as the provider type
  3. Set URL to: https://token.actions.githubusercontent.com
  4. Set Audience to: sts.amazonaws.com

1.2 Create a GitHub-Specific IAM Role

Create a new role using:

  • Trusted Entity: Web Identity (OIDC)
  • Provider: GitHub OIDC provider

Use a trust policy like the following. The aud check ensures the token was minted for AWS (configure-aws-credentials requests the sts.amazonaws.com audience), and the sub check pins the role to workflows running on the main branch of one repository; a looser pattern such as repo:your-username/your-repo:* would also admit pull-request, tag and feature-branch workflows. Replace <account-id> with your AWS account ID:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::<account-id>:oidc-provider/token.actions.githubusercontent.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
      "StringLike": { "token.actions.githubusercontent.com:sub": "repo:your-username/your-repo:ref:refs/heads/main" }
    }
  }]
}

1.3 Attach Permissions for AWS SSM

Attach the following inline policy. ssm:SendCommand is what runs the script, and ssm:GetCommandInvocation lets the workflow read back the result. Note that with "Resource": "*" this role may run commands on every SSM-managed instance in the account; the Pro Tips section below narrows it.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ssm:SendCommand",
      "ssm:GetCommandInvocation"
    ],
    "Resource": "*"
  }]
}
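The sub and aud conditions above are what stand between "any GitHub workflow" and "only pushes to main in this repository". The following Python script is an added example, not code from the page: it evaluates an IAM Condition block the way IAM does (StringEquals is exact, StringLike treats * and ? as wildcards, every key must hold) against a set of constructed claim sets that follow GitHub's documented sub formats. STRICT_CONDITION is the page's condition with the aud check; LOOSE_CONDITION, the claim sets and the default-audience value are assumptions made for the demonstration.

```python
"""Evaluate the trust-policy Condition from Step 1 against GitHub OIDC token claims."""
import re

# Condition block of the trust policy from Step 1.2 (branch-pinned sub, plus the aud check).
STRICT_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:your-username/your-repo:ref:refs/heads/main"
    },
}

# A common loosening (assumed for illustration) that pins only the repository, not the branch.
LOOSE_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:your-username/your-repo:*"},
}

# Constructed claim sets following GitHub's documented `sub` formats; these are not real tokens.
SAMPLE_CLAIMS = {
    "push_main": {"aud": "sts.amazonaws.com",
                  "sub": "repo:your-username/your-repo:ref:refs/heads/main"},
    "push_feature": {"aud": "sts.amazonaws.com",
                     "sub": "repo:your-username/your-repo:ref:refs/heads/feature/x"},
    "pull_request": {"aud": "sts.amazonaws.com",
                     "sub": "repo:your-username/your-repo:pull_request"},
    "other_repo": {"aud": "sts.amazonaws.com",
                   "sub": "repo:someone-else/your-repo:ref:refs/heads/main"},
    # GitHub's default audience (the repository owner URL) when a workflow requests none
    "wrong_aud": {"aud": "https://github.com/your-username",
                  "sub": "repo:your-username/your-repo:ref:refs/heads/main"},
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def condition_allows(condition: dict, claims: dict) -> bool:
    """All operators and keys must hold (AND); several values under one key are ORed."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            claim = key.split(":", 1)[1]          # "...githubusercontent.com:sub" -> "sub"
            value = claims.get(claim)
            if value is None:                     # a missing claim never satisfies a condition
                return False
            if operator == "StringEquals":
                matched = any(value == p for p in patterns)
            elif operator == "StringLike":
                matched = any(string_like(p, value) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not matched:
                return False
    return True


def tokens_allowed(condition: dict) -> list:
    """Names of the sample claim sets that would be allowed to assume the role."""
    return sorted(name for name, claims in SAMPLE_CLAIMS.items()
                  if condition_allows(condition, claims))


if __name__ == "__main__":
    print("strict:", tokens_allowed(STRICT_CONDITION))  # ['push_main']
    print("loose: ", tokens_allowed(LOOSE_CONDITION))   # ['pull_request', 'push_feature', 'push_main']
```

The strict condition admits only the push-to-main token; the loose one also admits pull-request and feature-branch runs, and neither admits a token from another repository or one whose audience was never set to sts.amazonaws.com. When you change the trust policy, run the candidate through a check like this before deploying it.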

Step 2: Prepare EC2 (Laravel as an Example)

2.1 Install the SSM Agent

Ubuntu Server AMIs ship the agent as a snap and it is normally already running, so check first and install only if it is missing:

sudo snap services amazon-ssm-agent
sudo snap install amazon-ssm-agent --classic
sudo snap start --enable amazon-ssm-agent

2.2 Attach an EC2 IAM Role

Attach an instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy. The instance also needs a network path to the SSM endpoints (a public IP or NAT gateway, or VPC endpoints for ssm, ssmmessages and ec2messages); once the agent has registered, the instance shows up under Systems Manager > Fleet Manager.

2.3 Create a Deploy Script on EC2

sudo nano /var/www/html/laravel-app/deploy.sh

Example script. AWS-RunShellScript executes as root, so everything in this file runs with full privileges on the instance. Keep the script root-owned and not writable by www-data: otherwise a compromise of the web application (which runs as www-data) could edit it and gain root on the next deploy.

#!/bin/bash
# Runs on the instance as root, because AWS-RunShellScript executes as root.
set -euo pipefail

APP_DIR=/var/www/html/laravel-app
cd "$APP_DIR"

# Recent git refuses to touch a checkout owned by another user (here www-data) unless it is marked safe.
git config --global --add safe.directory "$APP_DIR"

echo "Pulling latest code"
git fetch origin main
git reset --hard origin/main

echo "Installing dependencies"
# composer warns when run as root; allow it explicitly for this unattended run
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-dev --optimize-autoloader --no-interaction

php artisan migrate --force
php artisan config:cache
php artisan route:cache
php artisan view:cache

# Hand the tree back to the web server user; storage and cache must be writable by it
chown -R www-data:www-data .
chmod -R 775 storage bootstrap/cache

# The recursive chown above also gave this script to www-data; take it back so only root can change it
chown root:root "$APP_DIR/deploy.sh"
chmod 755 "$APP_DIR/deploy.sh"

echo "✅ Deployment complete!"

Make it executable:

chmod +x /var/www/html/laravel-app/deploy.sh

Step 3: GitHub Actions Workflow

Create this file: .github/workflows/deploy.yml

name: Deploy to EC2 via SSM

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam:::role/
          aws-region: us-east-1

      - name: Trigger Laravel Deploy Script on EC2
        run: |
          # send-command returns as soon as SSM accepts the command, so capture its ID and wait for the result
          COMMAND_ID=$(aws ssm send-command \
            --document-name "AWS-RunShellScript" \
            --comment "Deploy Laravel App" \
            --instance-ids "i-xxxxxxxxxxxx" \
            --region "us-east-1" \
            --parameters 'commands=["bash /var/www/html/laravel-app/deploy.sh"]' \
            --query "Command.CommandId" --output text)
          # the waiter exits non-zero on Failed/TimedOut/Cancelled and gives up after about 100 seconds;
          # keep going so the script output is still printed, then fail the job on anything but Success
          aws ssm wait command-executed --command-id "$COMMAND_ID" --instance-id "i-xxxxxxxxxxxx" --region "us-east-1" || true
          aws ssm get-command-invocation --command-id "$COMMAND_ID" --instance-id "i-xxxxxxxxxxxx" --region "us-east-1" \
            --query "{Status:Status,Output:StandardOutputContent,Error:StandardErrorContent}" --output json
          STATUS=$(aws ssm get-command-invocation --command-id "$COMMAND_ID" --instance-id "i-xxxxxxxxxxxx" --region "us-east-1" --query Status --output text)
          [ "$STATUS" = "Success" ] || { echo "Deployment ended with status $STATUS"; exit 1; }
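aws ssm send-command returns as soon as SSM accepts the command, and the CLI's command-executed waiter gives up after roughly 100 seconds, so a deploy that runs composer and migrations for longer needs its own polling loop if the pipeline is to report the real result. The script below is an added example, not code from the page: it sends the same AWS-RunShellScript command through boto3 (send_command and get_command_invocation are the real client calls), polls until the invocation reaches a terminal status, and raises on anything but Success or on a timeout. FakeSSM, the command ID, the instance ID and the three scripted runs in demo() are constructed so the example runs offline; a real run passes boto3.client("ssm") instead.

```python
"""Run the deploy script through SSM and wait for a terminal status."""
import time

# Terminal values of the Status field returned by GetCommandInvocation.
TERMINAL_STATUSES = {"Success", "Cancelled", "TimedOut", "Failed"}


class DeployFailed(RuntimeError):
    """The command finished, but not with Status == Success."""


def run_remote_script(ssm, instance_id, script_path, poll_seconds=5, timeout_seconds=900, sleep=time.sleep):
    """Send `bash <script_path>` via AWS-RunShellScript and poll until it finishes.

    `ssm` is a boto3 SSM client (or anything exposing the same two calls).
    Returns the final GetCommandInvocation response; raises DeployFailed or TimeoutError.
    """
    sent = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment="Deploy Laravel App",
        Parameters={"commands": [f"bash {script_path}"]},
    )
    command_id = sent["Command"]["CommandId"]

    for _ in range(max(1, timeout_seconds // poll_seconds)):
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            inv = None  # the invocation record can lag the send_command call by a moment
        if inv is not None and inv["Status"] in TERMINAL_STATUSES:
            if inv["Status"] != "Success":
                raise DeployFailed(
                    f"command {command_id} on {instance_id} ended with status {inv['Status']} "
                    f"(rc={inv.get('ResponseCode')}): {inv.get('StandardErrorContent', '').strip()}"
                )
            return inv  # StandardOutputContent/StandardErrorContent hold the first 24,000 chars of each stream
        sleep(poll_seconds)
    raise TimeoutError(f"command {command_id} on {instance_id} still running after {timeout_seconds}s")


def deploy_outcome(ssm, instance_id, script_path, **kwargs) -> str:
    """One-line summary for a CI log: 'Success', 'DeployFailed: ...' or 'TimeoutError: ...'."""
    try:
        return run_remote_script(ssm, instance_id, script_path, **kwargs)["Status"]
    except (DeployFailed, TimeoutError) as exc:
        return f"{type(exc).__name__}: {exc}"


class FakeSSM:
    """Constructed stand-in for the boto3 client so the example runs offline; not AWS code."""

    class exceptions:
        class InvocationDoesNotExist(Exception):
            pass

    def __init__(self, invocations):
        self._invocations = list(invocations)  # None = record not visible yet
        self.sent = []

    def send_command(self, **kwargs):
        self.sent.append(kwargs)
        return {"Command": {"CommandId": "cmd-fake-0001"}}

    def get_command_invocation(self, CommandId, InstanceId):
        nxt = self._invocations.pop(0)
        if nxt is None:
            raise self.exceptions.InvocationDoesNotExist()
        return {"CommandId": CommandId, "InstanceId": InstanceId, **nxt}


def demo() -> dict:
    """Three constructed runs: a healthy deploy, a failing composer step, and a hung script."""
    no_sleep = lambda _s: None  # skip real waiting in the offline demo
    healthy = FakeSSM([None, {"Status": "InProgress"},
                       {"Status": "Success", "ResponseCode": 0,
                        "StandardOutputContent": "✅ Deployment complete!\n", "StandardErrorContent": ""}])
    failing = FakeSSM([{"Status": "Failed", "ResponseCode": 127, "StandardOutputContent": "",
                        "StandardErrorContent": "bash: composer: command not found\n"}])
    hung = FakeSSM([{"Status": "InProgress"}] * 3)
    script = "/var/www/html/laravel-app/deploy.sh"
    return {
        "healthy": deploy_outcome(healthy, "i-xxxxxxxxxxxx", script, sleep=no_sleep),
        "failing": deploy_outcome(failing, "i-xxxxxxxxxxxx", script, sleep=no_sleep),
        "hung": deploy_outcome(hung, "i-xxxxxxxxxxxx", script, poll_seconds=1, timeout_seconds=3, sleep=no_sleep),
    }


if __name__ == "__main__":
    print(demo())  # offline demonstration against FakeSSM
    # real run: run_remote_script(boto3.client("ssm", region_name="us-east-1"), "i-xxxxxxxxxxxx", script)
```

Wire this into the workflow as a `python deploy.py` step after configure-aws-credentials and the job fails exactly when the script on the instance fails, instead of going green the moment SSM accepts the command. The timeout is yours to choose; SSM's own per-command timeout (the executionTimeout parameter of AWS-RunShellScript, 3600 seconds by default) still applies on the instance side.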

Step 4: Push Code and Watch It Deploy

  1. Push a commit to the main branch
  2. Monitor GitHub Actions for deployment
  3. Check AWS SSM > Command History
  4. Visit your Laravel app to verify updates

Pro Tips for Production-Ready Deployments

  • Limit the IAM role's ssm:SendCommand to the specific instance ARN (arn:aws:ec2:us-east-1:<account-id>:instance/i-...) and to the arn:aws:ssm:us-east-1::document/AWS-RunShellScript document instead of "Resource": "*"
  • Use GitHub branch protection rules on main, since anyone who can push to it can run the deploy script as root on the instance
  • Set up separate roles, each with its own sub condition, for dev, staging, and prod

Final Thoughts

Using GitHub Actions AWS SSM OIDC for your deployment workflow is a modern answer to an old problem: getting your code from GitHub to your server without long-lived credentials or manual effort.

If you've ever dealt with lost SSH keys, forgotten credentials, or broken scripts during deployment, you know how frustrating traditional setups can be. This method removes most of that. You no longer need to store AWS access keys or open an SSH port: the workflow obtains short-lived credentials for one narrowly scoped role, and every command it runs is recorded in SSM's command history.

So the next time you push code to GitHub, let the workflow handle the rest.

No long-lived secrets. No SSH headaches. Just git push and deploy.
