Claude Code Chinese-English Tutorial Series 16: Using AWS Bedrock & Google Vertex AI in GitHub Actions
<p>For enterprise environments, you can use Claude Code GitHub Actions with your own cloud infrastructure. This approach gives you control over data residency and billing while maintaining the same functionality.</p><p>1. Prerequisites</p>
<p>Before setting up Claude Code GitHub Actions with cloud providers, you need:</p>
<p>1.1 For Google Cloud Vertex AI:</p>
<p>A Google Cloud Project with Vertex AI enabled</p>
<p>Workload Identity Federation configured for GitHub Actions</p>
<p>A service account with the required permissions</p>
<p>A GitHub App (recommended) or use the default GITHUB_TOKEN</p>
<p>1.2 For AWS Bedrock:</p>
<p>An AWS account with Amazon Bedrock enabled</p>
<p>GitHub OIDC Identity Provider configured in AWS</p>
<p>An IAM role with Bedrock permissions</p>
<p>A GitHub App (recommended) or use the default GITHUB_TOKEN</p>
<p>2. Create a custom GitHub App (recommended for third-party providers)</p>
<p>For best control and security when using third-party providers like Vertex AI or Bedrock, we recommend creating your own GitHub App:</p>
<p>2.1 Go to https://github.com/settings/apps/new</p>
<p>2.2 Fill in the basic information:<br>GitHub App name: choose a unique name (e.g., “YourOrg Claude Assistant”)</p>
<p>Homepage URL: your organization’s website or the repository URL</p>
<p>2.3 Configure the app settings:<br>Webhooks: uncheck “Active” (not needed for this integration)</p>
<p>2.4 Set the required permissions:<br>Repository permissions:<br>Contents: Read & Write</p>
<p>Issues: Read & Write</p>
<p>Pull requests: Read & Write</p>
<p>2.5 Click “Create GitHub App”</p>
<p>2.6 After creation, click “Generate a private key” and save the downloaded .pem file</p>
<p>2.7 Note your App ID from the app settings page</p>
<p>2.8 Install the app to your repository:<br>From your app’s settings page, click “Install App” in the left sidebar</p>
<p>Select your account or organization</p>
<p>Choose “Only select repositories” and select the specific repository</p>
<p>Click “Install”</p>
<p>2.9 Add the private key as a secret to your repository:<br>Go to your repository’s Settings → Secrets and variables → Actions</p>
<p>Create a new secret named APP_PRIVATE_KEY with the contents of the .pem file</p>
<p>2.10 Add the App ID as a secret:</p>
<p>Create a new secret named APP_ID with your GitHub App’s ID</p>
<p>This app will be used with the actions/create-github-app-token action to generate authentication tokens in your workflows.</p>
<p>Other:<br>Alternative for the Claude API, or if you don’t want to set up your own GitHub App: use the official Anthropic app:</p>
<p>Install from: https://github.com/apps/claude</p>
<p>No additional configuration is needed for authentication</p>
<p>3. Configure cloud provider authentication</p>
<p>Choose your cloud provider and set up secure authentication:</p>
<p>3.1 For AWS Bedrock</p>
<p>Configure AWS to allow GitHub Actions to authenticate securely without storing credentials.</p>
<p>Required setup:<br>3.1.1 Enable Amazon Bedrock:<br>Request access to Claude models in Amazon Bedrock</p>
<p>For cross-region models, request access in all required regions</p>
<p>3.1.2 Set up GitHub OIDC Identity Provider:<br>Provider URL: https://token.actions.githubusercontent.com<br>Audience: sts.amazonaws.com</p>
<p>3.1.3 Create IAM Role for GitHub Actions:</p>
<p>Trusted entity type: Web identity</p>
<p>Identity provider: token.actions.githubusercontent.com</p>
<p>Permissions: AmazonBedrockFullAccess policy</p>
<p>Configure trust policy for your specific repository</p>
<p>Required values:<br>After setup, you’ll need:<br>AWS_ROLE_TO_ASSUME: The ARN of the IAM role you created</p>
<p>OIDC is more secure than using static AWS access keys because credentials are temporary and automatically rotated.</p>
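<p>The tutorial says to configure the role's trust policy for your specific repository but does not show what that policy looks like. The following is an added example, not from the tutorial, AWS or GitHub: a constructed trust policy that restricts sts:AssumeRoleWithWebIdentity using the aud and sub claims of the GitHub OIDC token, and a small checker that reports when a policy is not pinned to one repository. The account ID (123456789012), organization and repository names (example-org/example-repo) and the helper function names are placeholders. Because the role's permission policy (AmazonBedrockFullAccess) is broad, the trust policy is what bounds who can use it, so this is the part worth checking.</p>

```python
"""Scope check for an IAM trust policy used with GitHub OIDC (added example,
not from the tutorial, AWS or GitHub; all names and IDs are placeholders)."""
import json

OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = OIDC_ISSUER + ":aud"
SUB_KEY = OIDC_ISSUER + ":sub"

# Constructed sample: the trust policy attached to the role named in AWS_ROLE_TO_ASSUME.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            # aud must equal the audience configured on the identity provider
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            # the GitHub token's sub is "repo:<owner>/<repo>:<ref or environment>"
            "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"},
        },
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_repo):
    """Return findings for every Allow statement granting sts:AssumeRoleWithWebIdentity.
    An empty list means only workflows of `expected_repo`, presenting a token whose
    audience is sts.amazonaws.com, can assume the role."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if not str(federated).endswith("/" + OIDC_ISSUER):
            findings.append("federated principal is not the GitHub OIDC provider: %r" % (federated,))
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(AUD_KEY)
        if aud != "sts.amazonaws.com":
            findings.append("aud condition missing or wrong: %r" % (aud,))
        subs = []
        for operator in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(operator, {}).get(SUB_KEY))
        if not subs:
            findings.append("no sub condition: any repository on GitHub could assume this role")
        for sub in subs:
            if not sub.startswith("repo:%s:" % expected_repo):
                findings.append("sub %r is not pinned to repo:%s" % (sub, expected_repo))
    return findings


def with_sub_condition(policy_json, sub):
    """Copy of the policy with the sub condition replaced (sub=None removes it);
    used to exercise the checker against weaker policies."""
    policy = json.loads(policy_json)
    like = policy["Statement"][0]["Condition"].setdefault("StringLike", {})
    if sub is None:
        like.pop(SUB_KEY, None)
    else:
        like[SUB_KEY] = sub
    return json.dumps(policy)


if __name__ == "__main__":
    repo = "example-org/example-repo"
    print("scoped policy:", check_trust_policy(SAMPLE_TRUST_POLICY, repo) or "OK")
    print("wildcard sub: ", check_trust_policy(with_sub_condition(SAMPLE_TRUST_POLICY, "repo:*"), repo))
    print("no sub:       ", check_trust_policy(with_sub_condition(SAMPLE_TRUST_POLICY, None), repo))
```

<p>The sample pins the repository but still accepts any branch, tag, pull request or environment of it (the trailing *). If the workflow should only run from a protected branch, a StringEquals on repo:example-org/example-repo:ref:refs/heads/main (or the environment form) narrows it further; the checker above treats both as acceptable as long as the owner/repo part is fixed.</p>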
<p>3.2 For Google Vertex AI<br>Configure Google Cloud to allow GitHub Actions to authenticate securely without storing credentials.</p>
<p>Required setup:<br>3.2.1 Enable APIs in your Google Cloud project:</p>
<p>IAM Credentials API</p>
<p>Security Token Service (STS) API</p>
<p>Vertex AI API</p>
<p>3.2.2 Create Workload Identity Federation resources:</p>
<p>Create a Workload Identity Pool</p>
<p>Add a GitHub OIDC provider with:</p>
<p>Issuer: https://token.actions.githubusercontent.com</p>
<p>Attribute mappings for repository and owner</p>
<p>Security recommendation: Use repository-specific attribute conditions</p>
<p>3.2.3 Create a Service Account:</p>
<p>Grant only the Vertex AI User role</p>
<p>Security recommendation: Create a dedicated service account per repository</p>
<p>3.2.4 Configure IAM bindings:<br>Allow the Workload Identity Pool to impersonate the service account</p>
<p>Security recommendation: Use repository-specific principal sets</p>
<p>Required values:<br>After setup, you’ll need:</p>
<p>GCP_WORKLOAD_IDENTITY_PROVIDER: The full provider resource name</p>
<p>GCP_SERVICE_ACCOUNT: The service account email address</p>
<p>Workload Identity Federation eliminates the need for downloadable service account keys, improving security.</p>
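<p>Section 3.2 recommends repository-specific attribute conditions, a dedicated service account holding only the Vertex AI User role, and repository-specific principal sets, without showing the concrete values. The following is an added example, not from the tutorial or from Google: constructed provider, binding and role data in the shapes those three recommendations take, plus checks that report when any of them is broader than recommended. The project number (123456789012), pool and provider IDs (github-pool, github-provider), the repository example-org/example-repo and the function names are placeholders; the issuer URI, the attribute.repository mapping, the principalSet:// member format and the role names roles/aiplatform.user and roles/iam.workloadIdentityUser are real GCP identifiers.</p>

```python
"""Scope check for a Workload Identity Federation setup used by GitHub Actions
(added example, not from the tutorial or Google; project number, pool, provider,
organisation and repository names are placeholders)."""

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
VERTEX_AI_USER = "roles/aiplatform.user"              # the "Vertex AI User" role
WORKLOAD_IDENTITY_USER = "roles/iam.workloadIdentityUser"

EXPECTED_REPO = "example-org/example-repo"            # placeholder
POOL_NAME = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"  # placeholder
# This full resource name is what the GCP_WORKLOAD_IDENTITY_PROVIDER secret holds.
PROVIDER_RESOURCE_NAME = POOL_NAME + "/providers/github-provider"

# Constructed provider configuration: issuer, attribute mappings for repository
# and owner, and the repository-specific attribute condition (3.2.2).
SAMPLE_PROVIDER = {
    "issuer_uri": GITHUB_ISSUER,
    "attribute_mapping": {
        "google.subject": "assertion.sub",
        "attribute.repository": "assertion.repository",
        "attribute.repository_owner": "assertion.repository_owner",
    },
    "attribute_condition": "assertion.repository == '%s'" % EXPECTED_REPO,
}

# Constructed IAM policy on the service account: who may impersonate it (3.2.4).
SAMPLE_SA_POLICY = [
    {"role": WORKLOAD_IDENTITY_USER,
     "members": ["principalSet://iam.googleapis.com/%s/attribute.repository/%s" % (POOL_NAME, EXPECTED_REPO)]},
]

# Constructed project-level roles held by the service account itself (3.2.3).
SAMPLE_SA_PROJECT_ROLES = [VERTEX_AI_USER]


def check_provider(provider, expected_repo):
    """Findings for the OIDC provider: wrong issuer, missing repository mapping,
    or an attribute condition that does not pin the repository."""
    findings = []
    if provider.get("issuer_uri") != GITHUB_ISSUER:
        findings.append("issuer is not GitHub's OIDC issuer: %r" % (provider.get("issuer_uri"),))
    mapping = provider.get("attribute_mapping", {})
    if mapping.get("attribute.repository") != "assertion.repository":
        findings.append("attribute.repository is not mapped from assertion.repository")
    condition = provider.get("attribute_condition") or ""
    if ("assertion.repository == '%s'" % expected_repo) not in condition:
        findings.append("attribute condition does not pin the repository to %s" % expected_repo)
    return findings


def check_impersonation(sa_policy, pool_name, expected_repo):
    """Findings for the workloadIdentityUser binding: any member other than the
    repository-specific principal set (e.g. the whole pool) is broader than recommended."""
    wanted = "principalSet://iam.googleapis.com/%s/attribute.repository/%s" % (pool_name, expected_repo)
    findings = []
    for binding in sa_policy:
        if binding.get("role") != WORKLOAD_IDENTITY_USER:
            continue
        for member in binding.get("members", []):
            if member != wanted:
                findings.append("impersonation granted to %r, not only %s" % (member, wanted))
    return findings


def check_project_roles(roles):
    """Findings for the service account's own roles: only Vertex AI User is expected."""
    return ["unexpected role %s on the service account" % r for r in roles if r != VERTEX_AI_USER]


if __name__ == "__main__":
    print("provider:     ", check_provider(SAMPLE_PROVIDER, EXPECTED_REPO) or "OK")
    print("impersonation:", check_impersonation(SAMPLE_SA_POLICY, POOL_NAME, EXPECTED_REPO) or "OK")
    print("roles:        ", check_project_roles(SAMPLE_SA_PROJECT_ROLES) or "OK")
```

<p>The attribute condition and the principal set enforce the same restriction at two layers: the condition stops the pool from minting a credential for any other repository at all, and the principal set limits which identities in the pool may impersonate this particular service account. Keeping both means a later change to one of them does not silently widen access.</p>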
<p>4. Add required secrets</p>
<p>Add the following secrets to your repository (Settings → Secrets and variables → Actions):</p>
<p>4.1 For Claude API (direct):<br>4.1.1 For API authentication:<br>ANTHROPIC_API_KEY: Your Claude API key from console.anthropic.com</p>
<p>4.1.2 For GitHub App (if using your own app):</p>
<p>APP_ID: Your GitHub App’s ID</p>
<p>APP_PRIVATE_KEY: The private key (.pem) content</p>
<p>4.2 For Google Cloud Vertex AI</p>
<p>4.2.1 For GCP authentication:<br>GCP_WORKLOAD_IDENTITY_PROVIDER<br>GCP_SERVICE_ACCOUNT</p>
<p>4.2.2 For GitHub App (if using your own app):</p>
<p>APP_ID: Your GitHub App’s ID</p>
<p>APP_PRIVATE_KEY: The private key (.pem) content</p>
<p>4.3 For AWS Bedrock<br>4.3.1 For AWS authentication:<br>AWS_ROLE_TO_ASSUME</p>
<p>4.3.2 For GitHub App (if using your own app):</p>
<p>APP_ID: Your GitHub App’s ID</p>
<p>APP_PRIVATE_KEY: The private key (.pem) content</p>
<p>5. Create workflow files<br>Create GitHub Actions workflow files that integrate with your cloud provider. The examples below show complete configurations for both AWS Bedrock and Google Vertex AI:</p>
<p>5.1 AWS Bedrock workflow</p>
<p>5.1.1 Prerequisites:<br>AWS Bedrock access enabled with Claude model permissions</p>
<p>GitHub configured as an OIDC identity provider in AWS</p>
<p>IAM role with Bedrock permissions that trusts GitHub Actions</p>
<p>5.1.2 Required GitHub secrets:</p>
<p>The following three secret names are used:<br>1. AWS_ROLE_TO_ASSUME<br>ARN of the IAM role for Bedrock access</p>
<p>2. APP_ID<br>Your GitHub App ID (from app settings)</p>
<p>3. APP_PRIVATE_KEY<br>The private key you generated for your GitHub App</p>
```yaml
name: Claude PR Action

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

on:
  issue_comment:
    types:
  pull_request_review_comment:
    types:
  issues:
    types:

jobs:
  claude-pr:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-west-2
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: us-west-2

      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          use_bedrock: "true"
          claude_args: '--model us.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
```
<p>The model ID format for Bedrock includes the region prefix (e.g., us.anthropic.claude...) and version suffix.</p>
<p>5.2 Google Vertex AI workflow</p>
<p>5.2.1 Prerequisites:</p>
<p>Vertex AI API enabled in your GCP project</p>
<p>Workload Identity Federation configured for GitHub</p>
<p>Service account with Vertex AI permissions</p>
<p>5.2.2 Required GitHub secrets:<br>The following four secret names are used:<br>GCP_WORKLOAD_IDENTITY_PROVIDER<br>Workload identity provider resource name</p>
<p>GCP_SERVICE_ACCOUNT<br>Service account email with Vertex AI access</p>
<p>APP_ID<br>Your GitHub App ID (from app settings)</p>
<p>APP_PRIVATE_KEY<br>The private key you generated for your GitHub App</p>
```yaml
name: Claude PR Action

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

on:
  issue_comment:
    types:
  pull_request_review_comment:
    types:
  issues:
    types:

jobs:
  claude-pr:
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - uses: anthropics/claude-code-action@v1
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          trigger_phrase: "@claude"
          use_vertex: "true"
          claude_args: '--model claude-sonnet-4@20250514 --max-turns 10'
        env:
          ANTHROPIC_VERTEX_PROJECT_ID: ${{ steps.auth.outputs.project_id }}
          CLOUD_ML_REGION: us-east5
          VERTEX_REGION_CLAUDE_3_7_SONNET: us-east5
```
<p>The project ID is automatically retrieved from the Google Cloud authentication step, so you don’t need to hardcode it.</p>
</div>
<div id="MySignature" role="contentinfo">
Follow the WeChat service account AwesomeAITools<br><br>
Source: https://www.cnblogs.com/elesos/p/19524093