@brysontyrrell
Last active September 30, 2024 18:55
AWSTemplateFormatVersion: 2010-09-09
# See https://github.com/aws-actions/configure-aws-credentials#sample-iam-role-cloudformation-template
# IAM role that GitHub Actions workflows in one repository can assume via the
# GitHub OIDC provider to publish packages to AWS CodeArtifact.
Parameters:
  GitHubOrg:
    Type: String
  RepositoryName:
    Type: String
  BranchName:
    Type: String
    # "*" trusts every job in the repository (any branch, tag, pull_request or
    # environment subject); set a branch name to trust only pushes to that ref.
    Default: "*"
  GitHubOIDCProviderArn:
    Type: String
Conditions:
  AllowAllBranches: !Equals
    - !Ref BranchName
    - "*"
Resources:
  RepositoryPublisherRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubOIDCProviderArn
            # aud and sub are single-valued claims, so use the plain operators.
            # The set operator ForAllValues:StringLike evaluates to true when a
            # key is absent from the request, which is too permissive for an Allow.
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:
                token.actions.githubusercontent.com:sub: !If
                  - AllowAllBranches
                  - !Sub repo:${GitHubOrg}/${RepositoryName}:*
                  - !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/${BranchName}
      Policies:
        - PolicyName: publish-to-repo
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # sts:GetServiceBearerToken is not resource-scoped and needs "*";
              # the codeartifact:* actions can be narrowed to the domain and
              # repository ARNs once those are known.
              - Action:
                  - codeartifact:GetAuthorizationToken
                  - codeartifact:GetRepositoryEndpoint
                  - codeartifact:PublishPackageVersion
                  - codeartifact:PutPackageMetadata
                  - sts:GetServiceBearerToken
                Effect: Allow
                Resource: "*"
Outputs:
  RepositoryRoleArn:
    # The logical resource ID is RepositoryPublisherRole (see the comment below).
    Value: !GetAtt RepositoryPublisherRole.Arn
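The subject patterns the template emits decide which GitHub workflow runs may assume the role, and the difference between `BranchName: "*"` and a pinned branch is easy to get wrong. The script below is an added example, not code from the gist or from aws-actions: it reproduces IAM's `StringEquals`/`StringLike` matching and evaluates the two condition keys against constructed token claims. `acme` and `widgets` are made-up parameter values, and the sample `sub` values are constructed from GitHub's documented claim formats, not captured tokens. The `for_all_values` flag models the set operator `ForAllValues:StringLike`, which differs from `StringLike` only when a key is absent.

```python
"""Added example (not part of the gist): evaluate the trust-policy conditions
from the template above against constructed GitHub OIDC token claims."""
import re

GITHUB_ORG = "acme"            # constructed parameter value
REPOSITORY_NAME = "widgets"    # constructed parameter value
AUDIENCE = "sts.amazonaws.com"
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one; no other metacharacters."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def subject_pattern(branch_name: str = "*") -> str:
    """Mirror the template's !If: '*' keeps every subject for the repository,
    any other value pins the trust to a single branch ref."""
    if branch_name == "*":
        return f"repo:{GITHUB_ORG}/{REPOSITORY_NAME}:*"
    return f"repo:{GITHUB_ORG}/{REPOSITORY_NAME}:ref:refs/heads/{branch_name}"


def trust_allows(claims: dict, branch_name: str = "*",
                 for_all_values: bool = False) -> bool:
    """Evaluate the aud and sub conditions the way IAM does.

    for_all_values=False models StringEquals/StringLike: a claim that is
    absent from the request fails the condition.
    for_all_values=True models ForAllValues:StringLike, the set operator,
    which evaluates to true when the key is absent; that is why AWS warns
    against pairing it with an Allow statement."""
    checks = {AUD_KEY: AUDIENCE, SUB_KEY: subject_pattern(branch_name)}
    for key, pattern in checks.items():
        if key not in claims:
            if for_all_values:
                continue
            return False
        if not iam_string_like(pattern, claims[key]):
            return False
    return True


def claims(sub: str, aud: str = AUDIENCE) -> dict:
    """Build the two claims IAM sees for one token (constructed, not captured)."""
    return {AUD_KEY: aud, SUB_KEY: sub}


# Constructed subjects for the kinds of workflow run that can request an OIDC
# token for acme/widgets, plus two lookalike repositories and a wrong audience.
SAMPLE_TOKENS = {
    "push to main": claims("repo:acme/widgets:ref:refs/heads/main"),
    "push to feature branch": claims("repo:acme/widgets:ref:refs/heads/feature/x"),
    "pull_request event": claims("repo:acme/widgets:pull_request"),
    "tag push": claims("repo:acme/widgets:ref:refs/tags/v1.2.0"),
    "same repo name, other org": claims("repo:mallory/widgets:ref:refs/heads/main"),
    "repo name prefix collision": claims("repo:acme/widgets-legacy:ref:refs/heads/main"),
    "wrong audience": claims("repo:acme/widgets:ref:refs/heads/main",
                             aud="https://github.com/acme"),
}


def evaluate_samples(branch_name: str = "*") -> dict:
    """Return {description: allowed?} for every sample token under one BranchName."""
    return {name: trust_allows(tok, branch_name) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for policy in ("*", "main"):
        print(f"BranchName={policy!r}")
        for name, ok in evaluate_samples(policy).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {name}")
```

With the default `"*"` the role is assumable from pull_request and tag subjects as well as every branch, while the pinned form admits only pushes to that one ref; neither form matches a lookalike repository, because the `:` after the repository name in the pattern prevents prefix collisions.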
@mike-schiller

Thanks for posting this and the related article!

I think there's a typo on line 60 and RepositoryRole.Arn should be RepositoryPublisherRole.Arn
