I never see your passwords or access keys. You run a one-time script in your own AWS account — it creates a secure bridge that you can destroy in one click at any time.
Why you're safe
You don't share your AWS login, password, or secret access keys with me. You run the initialization script yourself — completely inside your own AWS account, in your own browser. My access is granted as a temporary, secure bridge. You maintain full control over who gets in.
Many developers copy permanent AWS access keys and paste them into GitHub Secrets. If that repository is ever compromised, those keys leak instantly — attackers can hijack your account for crypto mining and leave you with thousands of dollars in bills.
My script configures OpenID Connect (OIDC). Your GitHub Actions workflows connect to AWS keylessly — without passwords or access keys. AWS issues a short-lived token that expires automatically in 1 hour. It is impossible to steal permanent keys because they simply do not exist.
The script uses standard, publicly documented AWS managed policies. I request PowerUserAccess — not AdministratorAccess.
✓ What I CAN do
✗ What I CANNOT do
Your financial and account control remains 100% yours.
You are always the master of your own infrastructure. If you ever want to close my access — after the project is live, or at any moment — here's all it takes:
The bridge is permanently destroyed instantly. Your app keeps running — only my access disappears.
Step-by-step
Takes about 5 minutes. Done entirely in your browser — no software to install.
Go to console.aws.amazon.com and sign in to your account.
Click the small terminal icon >_ in the top-right corner of the AWS Console toolbar. A terminal window opens at the bottom of your browser — no software needed.
In the CloudShell terminal, run this command:
A text editor opens. Paste the full script below into it. Then look at the very top — Step 1 — and replace the two placeholder values with your actual GitHub username and repository name:
```bash
#!/bin/bash
# ============================================================
# AWS Vibe Deploy — SECURE INFRASTRUCTURE SETUP
# ============================================================

# 🛑 STEP 1: ENTER YOUR GITHUB DETAILS HERE
GITHUB_ORG_OR_USER="YOUR_GITHUB_USERNAME_OR_ORG"
GITHUB_REPO="YOUR_GITHUB_REPOSITORY_NAME"

# ──────────────────────────────────────────────────
# DO NOT MODIFY BELOW THIS LINE
# ──────────────────────────────────────────────────
ARCHITECT_AWS_ACCOUNT_ID="458586357754"

if [ "$GITHUB_ORG_OR_USER" = "YOUR_GITHUB_USERNAME_OR_ORG" ] || \
   [ "$GITHUB_REPO" = "YOUR_GITHUB_REPOSITORY_NAME" ]; then
  echo "❌ Please set your GitHub username and repo name at the top!"
  exit 1
fi

echo "🚀 Starting AWS Vibe Deploy setup..."

# Create OIDC Provider for GitHub Actions
aws iam create-open-id-connect-provider \
  --url "https://token.actions.githubusercontent.com" \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list "6938fd4d98bab03faadb97b34396831e3780aea1" \
  2>/dev/null || echo "ℹ️ OIDC Provider already exists."

CLIENT_ACCOUNT_ID=$(aws sts get-caller-identity \
  --query "Account" --output text)

# Create IAM Role for consultant (Switch Role)
aws iam create-role \
  --role-name VibeDeploy-Consultant \
  --assume-role-policy-document "{
    \"Version\":\"2012-10-17\",
    \"Statement\":[{
      \"Effect\":\"Allow\",
      \"Principal\":{\"AWS\":\"arn:aws:iam::${ARCHITECT_AWS_ACCOUNT_ID}:root\"},
      \"Action\":\"sts:AssumeRole\"
    }]
  }" 2>/dev/null || echo "ℹ️ Consultant role exists."

aws iam attach-role-policy \
  --role-name VibeDeploy-Consultant \
  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

# Create IAM Role for GitHub Actions (keyless OIDC)
aws iam create-role \
  --role-name VibeDeploy-GitHub-OIDC \
  --assume-role-policy-document "{
    \"Version\":\"2012-10-17\",
    \"Statement\":[{
      \"Effect\":\"Allow\",
      \"Principal\":{\"Federated\":\"arn:aws:iam::${CLIENT_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com\"},
      \"Action\":\"sts:AssumeRoleWithWebIdentity\",
      \"Condition\":{
        \"StringEquals\":{\"token.actions.githubusercontent.com:aud\":\"sts.amazonaws.com\"},
        \"StringLike\":{\"token.actions.githubusercontent.com:sub\":\"repo:${GITHUB_ORG_OR_USER}/${GITHUB_REPO}:*\"}
      }
    }]
  }" 2>/dev/null || echo "ℹ️ GitHub OIDC role exists."

aws iam attach-role-policy \
  --role-name VibeDeploy-GitHub-OIDC \
  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

echo "=============================================="
echo "✅ SETUP COMPLETE!"
echo "=============================================="
echo "👉 Switch Role link (send to Dmytro):"
echo "https://signin.aws.amazon.com/switchrole?account=${CLIENT_ACCOUNT_ID}&roleName=VibeDeploy-Consultant"
echo ""
echo "👉 GitHub OIDC Role ARN (add to GitHub Secrets as AWS_ROLE_ARN):"
echo "arn:aws:iam::${CLIENT_ACCOUNT_ID}:role/VibeDeploy-GitHub-OIDC"
echo "=============================================="
```
After pasting, press Ctrl+O → Enter to save, then Ctrl+X to exit.
The script runs for about 30 seconds. You'll see green checkmarks as each step completes.
Once the script finishes, it prints a block at the bottom. Copy and send me both:
👉 Switch Role Link
Starts with: https://signin.aws.amazon.com/switchrole?account=...
This lets me securely access your console — without your password.
👉 GitHub OIDC Role ARN
Starts with: arn:aws:iam::XXXXXXXXXXXX:role/VibeDeploy-GitHub-OIDC
Add this to your GitHub repo → Settings → Secrets → AWS_ROLE_ARN
I use the link to temporarily access your account — like a guest key, not a master key. All my actions are logged in AWS CloudTrail.
EC2, Docker, SSL, domain, CI/CD — all deployed via Terraform. Every resource is tagged and documented.
You get the working URL, all Terraform code in your repo, and full documentation. You can delete my role the moment you're satisfied.
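The trust policy that the setup script attaches to VibeDeploy-GitHub-OIDC is what stops any other GitHub repository from assuming the role, so it is worth auditing once the script has run. The check below is an added example, not part of the script or the consultant's tooling: it rebuilds the policy the way the script does (with a constructed placeholder account id and repo) and flags a missing or wildcard `sub` claim; `build_trust_policy`, `audit_trust_policy` and the placeholder values are assumptions of this example.

```python
# Added example (not from the setup script): audit a GitHub OIDC trust policy
# so that only the intended repository can assume the role.
GITHUB_OIDC = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account id


def build_trust_policy(account_id, org, repo, sub_pattern=None):
    """Rebuild the trust policy the script attaches; sub_pattern models weaker variants."""
    sub = sub_pattern if sub_pattern is not None else f"repo:{org}/{repo}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": sub},
            },
        }],
    }


def audit_trust_policy(policy, org, repo):
    """Return findings for every web-identity statement; [] means pinned to org/repo."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{GITHUB_OIDC}"):
            findings.append("principal is not the GitHub Actions OIDC provider")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        # The sub claim may sit under StringLike or StringEquals and may be a list of patterns.
        subs = (cond.get("StringLike", {}).get(f"{GITHUB_OIDC}:sub")
                or cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:sub"))
        if subs is None:
            findings.append("no sub condition: any GitHub repository could assume this role")
            continue
        for sub in ([subs] if isinstance(subs, str) else subs):
            if not sub.startswith(f"repo:{org}/{repo}:"):
                findings.append(f"sub '{sub}' is not scoped to repo:{org}/{repo}")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(ACCOUNT_ID, "octo", "app")
    weak = build_trust_policy(ACCOUNT_ID, "octo", "app", sub_pattern="repo:*")
    print("script policy:", audit_trust_policy(good, "octo", "app") or "OK")
    print("wildcard policy:", audit_trust_policy(weak, "octo", "app"))
```

To audit the real role, pass `audit_trust_policy` the JSON printed by `aws iam get-role --role-name VibeDeploy-GitHub-OIDC --query Role.AssumeRolePolicyDocument`. Note that the script's `repo:ORG/REPO:*` pattern admits every branch, tag, environment and pull request of that one repository, which is the scope the page describes.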