Deploy to AWS S3 and CloudFront

Deploy a static website to AWS S3 with CloudFront cache invalidation using GitHub Actions. Covers AWS credentials setup with OIDC, sync, and invalidation.

Detailed Explanation

AWS S3 + CloudFront Deployment

Deploying to AWS S3 with CloudFront CDN invalidation is a common pattern for static websites and single-page applications. This workflow uses OIDC-based authentication — the recommended approach that avoids storing long-lived AWS credentials.

Workflow YAML

name: Deploy to AWS

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'npm'

      - name: Install and build
        run: |
          npm ci
          npm run build

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1

      - name: Sync to S3
        run: aws s3 sync ./dist s3://my-website-bucket --delete

      - name: Invalidate CloudFront
        run: aws cloudfront create-invalidation --distribution-id E1234567890 --paths "/*"

OIDC Authentication (Recommended)

Instead of storing AWS access keys as secrets, this workflow uses OpenID Connect (OIDC) to assume an IAM role directly. Setting this up requires three steps:

  1. Create an IAM OIDC identity provider for token.actions.githubusercontent.com
  2. Create an IAM role with a trust policy that allows your repository
  3. Attach S3 and CloudFront permissions to the role
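
The trust policy in step 2 is what limits the role to your repository: it has to pin the token's sub claim to the repository and the aud claim to sts.amazonaws.com, otherwise workflows in other repositories can assume the role. The Python check below is an added example, not part of the original page; the repository name example-org/example-site and the three sample policies are constructed, and the sub value shown is the form GitHub issues for a push to main without a deployment environment.

```python
OIDC_HOST = "token.actions.githubusercontent.com"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(policy, repo):
    """Return findings for statements that trust the GitHub OIDC provider."""
    findings = []
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = as_list(principal.get("Federated", []))
        if not any(f.endswith("oidc-provider/" + OIDC_HOST) for f in federated):
            continue  # statement does not trust GitHub's OIDC provider
        subs, auds = [], []
        for op, keys in st.get("Condition", {}).items():
            for key, val in keys.items():  # IAM condition keys are case-insensitive
                if key.lower() == OIDC_HOST + ":sub":
                    subs += [(op, v) for v in as_list(val)]
                elif key.lower() == OIDC_HOST + ":aud":
                    auds += as_list(val)
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        if not subs:
            findings.append("no sub condition: any repository can assume the role")
        for op, v in subs:
            if not v.startswith(f"repo:{repo}:"):
                findings.append(f"sub '{v}' is not scoped to {repo}")
            elif "like" in op.lower() and ("*" in v or "?" in v):
                findings.append(f"sub '{v}' pins the repository but not the ref")
    return findings

def sample_policy(condition):  # builds constructed sample policies (account ID as on the page)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {OIDC_HOST + ":aud": "sts.amazonaws.com"}
WEAK = sample_policy({"StringEquals": AUD})  # no sub condition at all
LOOSE = sample_policy({"StringEquals": AUD, "StringLike": {OIDC_HOST + ":sub": "repo:example-org/*"}})
HARDENED = sample_policy({"StringEquals": {
    **AUD, OIDC_HOST + ":sub": "repo:example-org/example-site:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in [("WEAK", WEAK), ("LOOSE", LOOSE), ("HARDENED", HARDENED)]:
        print(name, audit_trust_policy(pol, "example-org/example-site") or "ok")
```

To audit a real role, pass the parsed JSON of its trust policy document to audit_trust_policy together with your own owner/repository string.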

Key Steps Explained

  • aws s3 sync --delete: Syncs the build directory to S3, uploading new/changed files and deleting files that no longer exist locally.
  • CloudFront invalidation: Clears the CDN cache so visitors see the latest version immediately. The /* pattern invalidates all paths.

Cost Optimization

CloudFront invalidations are free for the first 1,000 paths per month. Using /* counts as a single path invalidation. For large sites, consider invalidating only changed paths to reduce costs.

Use Case

Hosting static websites, single-page applications, or documentation sites on AWS with global CDN distribution. Used by teams that need AWS infrastructure for compliance, existing architecture, or advanced caching configurations.
