AWS SAM + GitHub Actions: Complete CI/CD Guide

Manual deployments of serverless applications create bottlenecks and errors. Integrating AWS SAM with GitHub Actions enables fully automated CI/CD pipelines that deploy code changes within minutes of being committed. This comprehensive guide walks through building production-grade deployment workflows for your serverless applications.
Why GitHub Actions for AWS SAM?
Combining GitHub Actions with AWS SAM creates a powerful DevOps workflow:
- ⚡️ Trigger deployments automatically on code commits
- 🔁 Consistent deployments across all environments
- ✅ Built-in testing and validation steps
- 🔒 Secure credential management with GitHub Secrets
- 💸 Cost-effective with GitHub’s free CI/CD minutes
Explaining to a 6-Year-Old
Imagine you have a robot factory that builds toy cars. When you design a new car on your computer (GitHub), special helper robots (GitHub Actions) automatically:
- Test if the new design works properly
- Build the new car pieces
- Ship them to the toy store (AWS)
- Put them on the shelves for kids to play with
You don’t have to do anything after drawing the new design – everything happens automatically!
Building Your First CI/CD Pipeline
Step 1: Configure AWS Credentials
Create an IAM user with appropriate permissions and store its credentials in GitHub Secrets:
- Navigate to your GitHub repository → Settings → Secrets
- Add new secrets:
  - AWS_ACCESS_KEY_ID
  - AWS_SECRET_ACCESS_KEY
  - AWS_REGION
Step 2: Create Workflow File
Create .github/workflows/deploy.yml in your repository:
```yaml
name: SAM Deploy
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Install SAM CLI
        run: pip install aws-sam-cli
      - name: Build SAM Application
        run: sam build
      - name: Deploy SAM Application
        run: sam deploy --no-confirm-changeset --no-fail-on-empty-changeset
```
Pipeline flow: Code Commit → Checkout Code → Configure AWS → Install SAM CLI → Build Application → Deploy to AWS
Advanced Pipeline Features
Environment-Specific Deployments
Deploy to staging/production based on branch:
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
    steps:
      # ... checkout, credentials, build steps as in the first workflow
      - run: sam deploy --stack-name ${{ github.ref == 'refs/heads/main' && 'prod-stack' || 'staging-stack' }}
```
Automated Testing
Add testing stages to your workflow:
```yaml
- name: Run Unit Tests
  run: pytest tests/unit
- name: Run Integration Tests
  run: pytest tests/integration
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
```
Infrastructure Scanning
Add security scanning with cfn-nag:
```yaml
- name: Install cfn-nag
  run: gem install cfn-nag
- name: Run Security Scan
  run: cfn_nag_scan --input-path template.yaml
```
Caching for Faster Builds
Speed up SAM builds with dependency caching:
```yaml
- name: Cache SAM Dependencies
  uses: actions/cache@v2
  with:
    path: .aws-sam/build
    key: ${{ runner.os }}-sam-${{ hashFiles('**/requirements.txt') }}
    restore-keys: |
      ${{ runner.os }}-sam-
```
Production-Grade Pipeline Template
Comprehensive workflow for enterprise deployments:
```yaml
name: Production Deployment
on:
  push:
    branches: [ main ]
  workflow_dispatch:
concurrency: production-deploy
permissions:
  id-token: write   # required: role-to-assume without static keys uses GitHub's OIDC token
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::1234567890:role/github-actions-role
          aws-region: us-east-1
      - name: Validate SAM Template
        run: sam validate
  build:
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v2
        with:
          path: .aws-sam/build
          key: sam-build-${{ hashFiles('**/*.py') }}-${{ hashFiles('package.json') }}
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::1234567890:role/github-actions-role
          aws-region: us-east-1
      - name: Install Dependencies
        run: pip install -r requirements.txt
      - name: Build SAM App
        run: sam build
  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::1234567890:role/github-actions-deploy-role
          aws-region: us-east-1
      - name: Deploy SAM App
        run: |
          sam deploy \
            --stack-name production-app \
            --capabilities CAPABILITY_IAM \
            --parameter-overrides Env=prod \
            --no-fail-on-empty-changeset
      - name: Run Smoke Tests
        run: ./scripts/smoke-tests.sh
```
Best Practices for SAM CI/CD
Security Considerations
- Use IAM roles instead of long-term credentials
- Implement least privilege permissions
- Scan for secrets in code with Gitleaks
- Rotate credentials regularly
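As an added example (not code from the original guide), the following Python checker audits a workflow file for the points in this list: actions not pinned to a commit SHA, static AWS keys instead of an assumed role, a missing permissions block, a role-to-assume step without the id-token permission it needs, and a deploy step reachable from pull requests. The embedded sample workflow is constructed from the first workflow in this guide; the checker works on the raw text so it needs no YAML library.

```python
import re

# Constructed sample: the guide's first workflow, trimmed to the lines the checks inspect.
SAMPLE_WORKFLOW = """\
name: SAM Deploy
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - run: sam deploy --no-confirm-changeset
"""

# A "uses:" line; and the stricter form pinned to a full 40-hex commit SHA (trailing "# v3" comment allowed)
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)@(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*(\S+)@([0-9a-f]{40})\s*(?:#.*)?$")


def audit_workflow(text: str) -> list[str]:
    """Return finding codes for a GitHub Actions workflow given as raw text."""
    findings = []
    for line in text.splitlines():
        m = USES.match(line)
        if m and not SHA_PIN.match(line):
            # Mutable tags (v3) can be moved by the action's maintainer or an attacker; SHAs cannot.
            findings.append(f"UNPINNED_ACTION:{m.group(1)}@{m.group(2)}")
    if re.search(r"^\s*aws-access-key-id:", text, re.M):
        findings.append("STATIC_AWS_KEYS")          # long-lived IAM user keys in secrets
    if re.search(r"^\s*role-to-assume:", text, re.M) and not re.search(r"^\s*id-token:\s*write", text, re.M):
        findings.append("OIDC_MISSING_ID_TOKEN_PERMISSION")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("NO_PERMISSIONS_BLOCK")     # GITHUB_TOKEN keeps its default scope
    if "sam deploy" in text and re.search(r"^\s*pull_request:", text, re.M):
        findings.append("DEPLOY_ON_PULL_REQUEST")   # a deploy step reachable from PR-triggered runs
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```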
Performance Optimization
- Parallelize independent jobs
- Use dependency caching
- Optimize Docker build layers
- Use smaller AWS Lambda runtimes
Cost Management
- Use GitHub Actions matrix for multi-region tests
- Schedule cleanup jobs for test resources
- Monitor CI/CD spending in GitHub
- Use spot instances for long-running jobs
For more optimization strategies, see our Cost Optimization Guide.
Troubleshooting Common Issues
| Issue | Solution |
|---|---|
| Permission errors during deploy | Verify IAM roles have required SAM permissions |
| Long build times | Implement dependency caching and parallel builds |
| Environment variable issues | Use GitHub Environments for variable management |
| Deployment timeouts | Increase timeout in workflow file and CloudFormation |
For debugging help, see our Lambda Debugging Guide.
Real-World Implementation
Results reported by a FinTech startup case study after implementing this pipeline:
- ⏱️ Deployment time reduced from 25 minutes to 4 minutes
- 📉 Production incidents decreased by 68%
- 🔄 Deployment frequency increased to 15x/day
- 🛡️ 100% compliance with security scans in pipeline