What credentials to use for deployment of React app on AWS

I have created an app that uses Amplify for deployment and DynamoDB for fetching data. I am using the credentials provided to me, but for deployment, should there be a separate user credential which should solely be used for deployment?

I have API_ACCESS_KEY in aws-exports.js (which I have added to .gitignore). Which credentials should be in aws-exports.js: specific deployment credentials which could be accessed by anyone, or my user credentials, which are actually specific to the services allotted to me as a user in the org (which I think is not the correct way of managing access)?

What is the best practice for this?



Solution 1:[1]

There's no such thing as a cookie-cutter way to provide credentials so that CI/CD servers can get authorized to deploy; you will have to pick one that's right for your use case. This would usually revolve around the question "Where is the CI/CD server located?" or "Where is the deployment gonna originate?"

If it's inside AWS, you can assign IAM roles to authorize that server to push / sync React build files to S3 and invalidate files in CloudFront. If the CI/CD server is living outside of AWS, you will have to generate AWS credentials that only possess enough permissions to sync data to S3 and invalidate the cache in CloudFront.

You can then either place the AWS credentials in environment variables or create named profiles.
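Added example, not part of the original answer: a deploy-only IAM policy of the kind the answer describes (sync to S3, invalidate CloudFront) next to a small audit function that flags any statement granting more than that. The bucket name, account ID, distribution ID, the `audit` helper and the allowed-action set are assumptions made for illustration.

```python
import json

# Constructed deploy-only policy. EXAMPLE-BUCKET, 111122223333 and
# EXAMPLEDISTID are placeholders, not values from the original post.
DEPLOY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"},
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"},
  {"Effect": "Allow", "Action": "cloudfront:CreateInvalidation",
   "Resource": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}]}
""")

# Constructed counter-example: a broad personal-style grant reused for deploys.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:Scan"], "Resource": "*"}]}

# Assumption: the pipeline only runs `aws s3 sync --delete` and an invalidation.
DEPLOY_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:DeleteObject",
                  "cloudfront:CreateInvalidation"}

def as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return findings for Allow statements wider than the deploy task needs."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in as_list(stmt.get("Action", [])):
            if action not in DEPLOY_ACTIONS:  # also catches wildcards like s3:*
                findings.append(f"statement {i}: action {action} exceeds deploy scope")
        for resource in as_list(stmt.get("Resource", [])):
            name = resource.rsplit(":", 1)[-1]  # bucket[/key] or distribution/ID
            if "*" in name.split("/")[0] or name == "distribution/*":
                findings.append(f"statement {i}: resource {resource} is not pinned")
    return findings

if __name__ == "__main__":
    for label, policy in (("deploy", DEPLOY_POLICY), ("broad", BROAD_POLICY)):
        print(label, audit(policy) or "OK")
```

The same policy document can be attached to an IAM role when the CI/CD server runs inside AWS, or to a dedicated deploy user when it runs outside.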

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1