@t3yamoto
Last active February 12, 2026 11:28
Claude Code GitHub Actions
# CloudFormation template: IAM role assumed by the Claude Code GitHub Action via OIDC
AWSTemplateFormatVersion: 2010-09-09
Description: IAM Role for Claude Code Action
Parameters:
  GithubOidcProviderArn:
    Type: String
    Description: ARN of the GitHub Actions OIDC Provider
  GitHubOrg:
    Type: String
    Description: GitHub organization or user name
  RepositoryName:
    Type: String
    Description: "GitHub repository name (use * for all repositories)"
    # "*" lets workflows in every repository of the org assume this role;
    # set a single repository name to limit which workflows can use it.
    Default: "*"
Resources:
  ClaudeCodeActionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GithubOidcProviderArn
            # Trust is scoped by the token's sub claim, which GitHub issues as
            # repo:<org>/<repo>:<ref or environment>. AWS also recommends pinning
            # the audience with StringEquals on
            # token.actions.githubusercontent.com:aud: sts.amazonaws.com.
            Condition:
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrg}/${RepositoryName}:*"
      ManagedPolicyArns:
        - !Ref ClaudeCodeActionPolicy
  ClaudeCodeActionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow access to Amazon Bedrock models and inference profiles
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowModelAndInferenceProfileAccess
            Effect: Allow
            Action:
              - bedrock:InvokeModel
              - bedrock:InvokeModelWithResponseStream
              - bedrock:ListInferenceProfiles
            Resource:
              - arn:aws:bedrock:*:*:inference-profile/*
              - arn:aws:bedrock:*:*:application-inference-profile/*
              - arn:aws:bedrock:*:*:foundation-model/*
          # Marketplace subscription is needed the first time a model is used;
          # aws:CalledViaLast limits it to calls made on the role's behalf by Bedrock.
          - Sid: AllowMarketplaceSubscription
            Effect: Allow
            Action:
              - aws-marketplace:ViewSubscriptions
              - aws-marketplace:Subscribe
            Resource: "*"
            Condition:
              StringEquals:
                aws:CalledViaLast: bedrock.amazonaws.com
Outputs:
  ClaudeCodeActionRoleArn:
    Value: !GetAtt ClaudeCodeActionRole.Arn

# GitHub Actions workflow: runs Claude Code against Bedrock when @claude is mentioned
name: Claude Code Action
permissions:
  contents: write
  pull-requests: write
  issues: write
  # id-token: write is required for the job to request an OIDC token from GitHub
  id-token: write
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
jobs:
  claude:
    # Only run when the triggering comment or issue body mentions @claude.
    # issue_comment fires for any commenter on the repository, and the job runs
    # with the write permissions declared above.
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      # Exchanges the GitHub OIDC token for temporary AWS credentials; no long-lived keys stored as secrets
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ vars.AWS_REGION }}
      - uses: anthropics/claude-code-action@v1
        env:
          AWS_REGION: ${{ vars.AWS_REGION }}
        with:
          use_bedrock: "true"
          claude_args: |
            --max-turns ${{ vars.MAX_TURNS }}
            --model ${{ vars.BEDROCK_MODEL }}

# CloudFormation template: GitHub Actions OIDC identity provider (one per AWS account)
AWSTemplateFormatVersion: 2010-09-09
Description: GitHub Actions OIDC Provider
Resources:
  GithubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      # ClientIdList is the audience (aud) the token must carry;
      # sts.amazonaws.com is what aws-actions/configure-aws-credentials requests by default
      ClientIdList:
        - sts.amazonaws.com
Outputs:
  GithubOidcProviderArn:
    Value: !Ref GithubOidcProvider