Forem: Florian Riquelme The latest articles on Forem by Florian Riquelme (@florianriquelme). https://forem.com/florianriquelme https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3765127%2F64a483ed-9d85-45f6-9967-2f1c1bb5fbb8.jpeg Forem: Florian Riquelme https://forem.com/florianriquelme en Deploying an Astro Site to AWS — The Full Pipeline Florian Riquelme Tue, 10 Feb 2026 22:56:11 +0000 https://forem.com/florianriquelme/deploying-an-astro-site-to-aws-the-full-pipeline-4k https://forem.com/florianriquelme/deploying-an-astro-site-to-aws-the-full-pipeline-4k <blockquote> <p><strong>tldr:</strong> the repo where I implemented this — astro frontend, aws cdk infrastructure, github actions pipeline — is open source. grab the code at <a href="https://github.com/FlorianRiquelme/friquelme.dev" rel="noopener noreferrer">github.com/FlorianRiquelme/friquelme.dev</a> and use it as a starting point for your own setup.</p> </blockquote> <h2> The Goal </h2> <p>Every push to <code>main</code> should result in the site being live — no manual steps, no stored AWS credentials, and a cache strategy that keeps the site fast without serving stale content.</p> <p>This post walks through exactly how <a href="https://friquelme.dev" rel="noopener noreferrer">friquelme.dev</a> is deployed: from the GitHub Actions workflow to the AWS infrastructure defined with CDK.</p> <h2> Architecture Overview </h2> <p>The pipeline has four moving parts:</p> <ol> <li> <strong>GitHub Actions</strong> — builds the Astro site and syncs files to S3</li> <li> <strong>OIDC federation</strong> — short-lived AWS credentials with no stored secrets</li> <li> <strong>S3</strong> — bucket with static website hosting, serving as the origin for CloudFront</li> <li> <strong>CloudFront</strong> — CDN with HTTPS, HTTP/2+3, and security headers</li> </ol> <p>Everything is defined as code. The GitHub Actions workflow handles CI/CD, and AWS CDK manages the infrastructure.</p> <h2> The GitHub Actions Workflow </h2> <p>The entire deployment lives in a single workflow file. Here's the full thing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to AWS</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">deploy-production</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pnpm/action-setup@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">22</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">pnpm</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm install --frozen-lockfile</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm run build</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEPLOY_ROLE_ARN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="c1"># Sync hashed assets with immutable cache headers</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sync _astro/ assets</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws s3 sync dist/_astro/ s3://${{ secrets.S3_BUCKET_NAME }}/_astro/ \</span> <span class="s">--cache-control "public,max-age=31536000,immutable" \</span> <span class="s">--delete</span> <span class="c1"># Sync root files with must-revalidate cache headers</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sync root files</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws s3 sync dist/ s3://${{ secrets.S3_BUCKET_NAME }}/ \</span> <span class="s">--exclude "_astro/*" \</span> <span class="s">--cache-control "public,max-age=0,must-revalidate" \</span> <span class="s">--delete</span> <span class="c1"># Invalidate only critical non-hashed paths</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Invalidate CloudFront</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws cloudfront create-invalidation \</span> <span class="s">--distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} \</span> <span class="s">--paths "/" "/index.html" "/favicon.ico" "/favicon.svg" "/blog/*"</span> </code></pre> </div> <p>A few things worth noting.</p> <h3> OIDC Authentication </h3> <p>The <code>permissions.id-token: write</code> line is what enables <strong>OpenID Connect</strong> federation. Instead of storing long-lived AWS access keys as GitHub secrets, the workflow exchanges a short-lived GitHub token for temporary AWS credentials via <code>aws-actions/configure-aws-credentials@v4</code>.</p> <p>The trust relationship is locked down to:</p> <ul> <li>This specific repository</li> <li>The <code>production</code> GitHub environment only</li> <li>Sessions expire after 1 hour (the minimum AWS allows)</li> </ul> <p>This means even if someone forks the repo, they can't assume the deploy role.</p> <h3> Two-Phase S3 Sync </h3> <p>Astro generates hashed filenames for all processed assets (JS, CSS, images) under <code>_astro/</code>. These files are <strong>content-addressable</strong> — the filename changes when the content changes. This makes them safe to cache forever:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dist/_astro/Layout.DxF4k2.css dist/_astro/index.B7mK3p.js </code></pre> </div> <p>The sync strategy exploits this:</p> <ol> <li> <strong><code>_astro/*</code></strong> → <code>max-age=31536000,immutable</code> — cached for 1 year, browsers never revalidate</li> <li> <strong>Everything else</strong> (HTML, favicons) → <code>max-age=0,must-revalidate</code> — always checks for fresh content</li> </ol> <p>This gives us the best of both worlds: instant loads for returning visitors on unchanged assets, and immediate updates for new content.</p> <h3> Selective CloudFront Invalidation </h3> <p>Instead of invalidating <code>/*</code> (which costs money at scale and is slow), we only invalidate the paths that actually matter for freshness: the homepage, favicons, and blog content. HTML pages already have <code>must-revalidate</code> cache headers, so CloudFront will check the origin on every request anyway.</p> <blockquote> <p><strong>why not invalidate <code>/*</code>?</strong> CloudFront charges $0.005 per path after the first 1,000 invalidations per month. For a static site with few critical paths, targeted invalidation is both faster and cheaper.</p> </blockquote> <h3> Concurrency Control </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">deploy-production</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>The <code>cancel-in-progress: false</code> setting is intentional. If two pushes happen in quick succession, we don't want the second deploy to cancel the first mid-sync — that could leave S3 in an inconsistent state. Instead, the second deploy queues and runs after the first completes.</p> <h2> AWS Infrastructure with CDK </h2> <p>The infrastructure is defined in two CDK stacks. These are deployed manually (not through CI) since infrastructure changes are infrequent and warrant human review.</p> <h3> The Static Site Stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">DOMAIN_NAME</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">friquelme.dev</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// S3 bucket — static website hosting for subdirectory index resolution</span> <span class="k">this</span><span class="p">.</span><span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SiteBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">websiteIndexDocument</span><span class="p">:</span> <span class="dl">'</span><span class="s1">index.html</span><span class="dl">'</span><span class="p">,</span> <span class="na">publicReadAccess</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">blockPublicAccess</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BlockPublicAccess</span><span class="p">.</span><span class="nx">BLOCK_ACLS</span><span class="p">,</span> <span class="na">objectOwnership</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">ObjectOwnership</span><span class="p">.</span><span class="nx">BUCKET_OWNER_PREFERRED</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>The S3 bucket uses <strong>static website hosting</strong> with <code>websiteIndexDocument</code> set. This is critical for multi-page static sites — more on why below.</p> <h3> CloudFront Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">this</span><span class="p">.</span><span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SiteDistribution</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">defaultBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="k">new</span> <span class="nx">origins</span><span class="p">.</span><span class="nc">S3StaticWebsiteOrigin</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">bucket</span><span class="p">),</span> <span class="na">viewerProtocolPolicy</span><span class="p">:</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">ViewerProtocolPolicy</span><span class="p">.</span><span class="nx">REDIRECT_TO_HTTPS</span><span class="p">,</span> <span class="nx">responseHeadersPolicy</span><span class="p">,</span> <span class="p">},</span> <span class="na">domainNames</span><span class="p">:</span> <span class="p">[</span><span class="nx">DOMAIN_NAME</span><span class="p">,</span> <span class="s2">`www.</span><span class="p">${</span><span class="nx">DOMAIN_NAME</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">httpVersion</span><span class="p">:</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">HttpVersion</span><span class="p">.</span><span class="nx">HTTP2_AND_3</span><span class="p">,</span> <span class="na">priceClass</span><span class="p">:</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">PriceClass</span><span class="p">.</span><span class="nx">PRICE_CLASS_ALL</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Key decisions:</p> <ul> <li> <strong><code>S3StaticWebsiteOrigin</code></strong> — connects CloudFront to S3's website hosting endpoint, which handles index document resolution natively</li> <li> <strong>No <code>defaultRootObject</code></strong> — S3 website hosting handles this; setting it on CloudFront would only apply to the root path anyway</li> <li> <strong>HTTP/2 and HTTP/3</strong> — HTTP/3 uses QUIC (UDP-based), which eliminates head-of-line blocking and reduces connection setup latency</li> <li> <strong>Price Class All</strong> — uses all CloudFront edge locations globally for the lowest latency everywhere, since the free tier covers most personal site traffic anyway</li> <li> <strong>REDIRECT_TO_HTTPS</strong> — all HTTP requests are upgraded, no mixed content possible</li> </ul> <h3> The OAC Trap — Why Your Subpages Break </h3> <p>This deserves its own section because it's a subtle issue that will bite anyone deploying a multi-page static site to S3 + CloudFront.</p> <p>The "modern" approach you'll find in most tutorials and AWS docs is to use <strong>Origin Access Control (OAC)</strong> — keep the S3 bucket private, and let CloudFront authenticate requests to it. This is what CDK's <code>S3BucketOrigin.withOriginAccessControl()</code> sets up. It sounds clean and secure.</p> <p>The problem: <strong>OAC uses the S3 REST API, which does not resolve subdirectory index documents.</strong></p> <p>When a user visits <code>/blog</code>, Astro has generated <code>blog/index.html</code> in the bucket. With S3 static website hosting, the request resolves correctly: <code>/blog</code> → <code>blog/index.html</code>. But the S3 REST API (used by OAC) treats <code>/blog</code> as a key lookup — there's no object with that key, so S3 returns <strong>403 Forbidden</strong>.</p> <p>Here's where it gets worse. A common CDK pattern is to add custom error responses to "fix" SPAs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// DON'T do this for multi-page static sites</span> <span class="nx">errorResponses</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">httpStatus</span><span class="p">:</span> <span class="mi">403</span><span class="p">,</span> <span class="na">responseHttpStatus</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">responsePagePath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/index.html</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">httpStatus</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="na">responseHttpStatus</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">responsePagePath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/index.html</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> </code></pre> </div> <p>This catches the 403 and silently serves the homepage. For a single-page app with client-side routing, that's fine — the JS router picks up the URL and renders the right view. But for a <strong>statically generated site</strong> like Astro in static mode, there's no client-side router. The user sees the homepage, the URL says <code>/blog</code>, and nothing looks broken at first glance. It's a silent failure.</p> <blockquote> <p><strong>the symptom:</strong> navigating to any subpage (like <code>/blog</code>) shows the homepage instead of the actual page content. the url changes but the wrong page is served. no errors in the console, no 404 — just the wrong content.</p> </blockquote> <p>The fix is to use <strong>S3 static website hosting</strong> as the origin instead of OAC:</p> <ol> <li>Enable <code>websiteIndexDocument</code> on the bucket</li> <li>Allow public read access (CloudFront still handles HTTPS and caching)</li> <li>Use <code>S3StaticWebsiteOrigin</code> instead of <code>S3BucketOrigin.withOriginAccessControl</code> </li> <li>Remove <code>defaultRootObject</code> from the distribution (S3 handles it)</li> <li>Remove <code>errorResponses</code> (no more masking real errors)</li> </ol> <p>Yes, the bucket is technically public. But the content is a static website — it's meant to be public. The security headers, HTTPS enforcement, and cache policies are all handled at the CloudFront layer regardless of origin type. If your content is meant to be served to the internet, the "private bucket + OAC" approach adds complexity without meaningful security benefit, and breaks multi-page routing in the process.</p> <blockquote> <p><strong>alternatives if you really want a private bucket:</strong> you can keep OAC and add a CloudFront Function to rewrite URIs (appending <code>/index.html</code> to directory paths). this works but adds another moving part. for most static sites, website hosting is simpler and more reliable.</p> </blockquote> <h3> Security Headers </h3> <p>Every response gets hardened headers injected at the CDN level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">responseHeadersPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nc">ResponseHeadersPolicy</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecurityHeaders</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityHeadersBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">strictTransportSecurity</span><span class="p">:</span> <span class="p">{</span> <span class="na">accessControlMaxAge</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">63072000</span><span class="p">),</span> <span class="c1">// 2 years</span> <span class="na">includeSubdomains</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">preload</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">override</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">contentTypeOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">override</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">frameOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">frameOption</span><span class="p">:</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">HeadersFrameOption</span><span class="p">.</span><span class="nx">DENY</span><span class="p">,</span> <span class="na">override</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">referrerPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">referrerPolicy</span><span class="p">:</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">HeadersReferrerPolicy</span><span class="p">.</span><span class="nx">STRICT_ORIGIN_WHEN_CROSS_ORIGIN</span><span class="p">,</span> <span class="na">override</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>This gives us:</p> <ul> <li> <strong>HSTS</strong> with 2-year max-age, subdomains, and preload — the browser will never make an insecure connection</li> <li> <strong>X-Content-Type-Options: nosniff</strong> — prevents MIME-type sniffing attacks</li> <li> <strong>X-Frame-Options: DENY</strong> — blocks clickjacking</li> <li> <strong>Referrer-Policy</strong> — only sends origin on cross-origin requests</li> </ul> <h3> DNS and TLS </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">acm</span><span class="p">.</span><span class="nc">Certificate</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SiteCertificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">DOMAIN_NAME</span><span class="p">,</span> <span class="na">subjectAlternativeNames</span><span class="p">:</span> <span class="p">[</span><span class="s2">`www.</span><span class="p">${</span><span class="nx">DOMAIN_NAME</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="na">validation</span><span class="p">:</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">CertificateValidation</span><span class="p">.</span><span class="nf">fromDns</span><span class="p">(</span><span class="nx">hostedZone</span><span class="p">),</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">ARecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SiteAliasRecord</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">RecordTarget</span><span class="p">.</span><span class="nf">fromAlias</span><span class="p">(</span> <span class="k">new</span> <span class="nx">targets</span><span class="p">.</span><span class="nc">CloudFrontTarget</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">distribution</span><span class="p">),</span> <span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>The ACM certificate covers both the apex domain and <code>www</code>. DNS validation via Route53 means certificate renewal is fully automatic — no manual intervention, no expiry surprises.</p> <h3> The OIDC Stack </h3> <p>The second stack sets up the trust relationship between GitHub Actions and AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">oidcProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">OpenIdConnectProvider</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GitHubOidcProvider</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://token.actions.githubusercontent.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientIds</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts.amazonaws.com</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">deployRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GitHubDeployRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">OpenIdConnectPrincipal</span><span class="p">(</span><span class="nx">oidcProvider</span><span class="p">,</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">token.actions.githubusercontent.com:aud</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sts.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">StringLike</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">token.actions.githubusercontent.com:sub</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`repo:</span><span class="p">${</span><span class="nx">GITHUB_REPO</span><span class="p">}</span><span class="s2">:environment:production`</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="na">maxSessionDuration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">hours</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>The role's permissions follow <strong>least privilege</strong> — it can only:</p> <ul> <li>Read, write, and delete objects in the site bucket</li> <li>List the bucket contents</li> <li>Create CloudFront invalidations</li> </ul> <p>Nothing else. No <code>s3:*</code>, no <code>cloudfront:*</code>. If the credentials were somehow compromised, the blast radius is limited to this specific bucket and distribution.</p> <h2> The Full Flow </h2> <p>Putting it all together, a deploy looks like this:</p> <ol> <li> <strong><code>git push origin main</code></strong> — triggers the workflow</li> <li> <strong>Build</strong> — pnpm installs dependencies, Astro builds static files to <code>dist/</code> </li> <li> <strong>OIDC exchange</strong> — GitHub token → temporary AWS credentials (STS)</li> <li> <strong>S3 sync phase 1</strong> — hashed assets with immutable cache headers</li> <li> <strong>S3 sync phase 2</strong> — HTML and root files with must-revalidate headers</li> <li> <strong>CloudFront invalidation</strong> — clears cached versions of <code>/</code>, <code>/index.html</code>, favicons</li> <li> <strong>Live</strong> — the site is updated, typically under 2 minutes end-to-end</li> </ol> <p>The entire pipeline is reproducible, auditable, and runs without any stored secrets. The CDK stacks can be torn down and recreated at any time, and the GitHub Actions workflow is self-contained.</p> <h2> Cost </h2> <p>For a personal portfolio with modest traffic, the monthly AWS bill is under <strong>$1</strong>:</p> <ul> <li> <strong>S3</strong> — pennies for storage and requests</li> <li> <strong>CloudFront</strong> — free tier covers 1TB/month of data transfer</li> <li> <strong>Route53</strong> — $0.50/month for the hosted zone</li> <li> <strong>ACM</strong> — free for public certificates</li> </ul> <p>The GitHub Actions minutes are free for public repos.</p> <p><em>If you're deploying a static site to AWS and want to avoid the common pitfalls — broken subpage routing with OAC, long-lived credentials, stale caches — this setup is a solid starting point. The full source code for both the site and infrastructure is on <a href="https://github.com/FlorianRiquelme/friquelme.dev" rel="noopener noreferrer">GitHub</a>.</em></p> aws astro devops tutorial