CDK stacks can be deployed automatically with GitHub Actions.

Here’s a CDK stack that creates a simple S3 bucket:

from aws_cdk import (
    aws_s3 as s3,
    Stack,
    App
)

class MyS3Stack(Stack):
    def __init__(self, scope: App, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # A bucket with default settings; "MyBucket" becomes the logical ID in the template
        s3.Bucket(self, "MyBucket")

app = App()
MyS3Stack(app, "my-s3-stack")
# Write the cloud assembly (the CloudFormation template) that `cdk deploy` reads
app.synth()

To deploy this with GitHub Actions, you’ll need a workflow file. Let’s call it .github/workflows/deploy.yml.

name: Deploy CDK Stack

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install CDK
        run: npm install -g aws-cdk

      - name: Install Python dependencies
        run: pip install -r requirements.txt

      - name: CDK Bootstrap
        run: cdk bootstrap aws://123456789012/us-east-1 # Replace with your AWS Account ID and Region

      - name: CDK Deploy
        run: cdk deploy --all --require-approval never

This workflow does a few key things:

  • on: push: branches: - main: This triggers the workflow every time code is pushed to the main branch.
  • jobs: deploy: Defines a single job named deploy.
  • runs-on: ubuntu-latest: Specifies that the job will run on a fresh Ubuntu Linux runner.
  • steps: A sequence of tasks to be executed.
    • Checkout code: Downloads your repository’s code onto the runner.
    • Configure AWS Credentials: This is crucial. It uses the aws-actions/configure-aws-credentials action to securely inject your AWS credentials (stored as GitHub secrets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) into the runner environment. The aws-region is also specified here.
    • Setup Python: Ensures a Python environment is available.
    • Install CDK: Installs the AWS CDK CLI globally using npm.
    • Install Python dependencies: Installs any Python packages your CDK app needs, typically listed in requirements.txt.
    • CDK Bootstrap: This is a one-time setup for your AWS account and region. It deploys essential CDK infrastructure (like an S3 bucket for assets and a CloudFormation stack for state management) if it doesn’t already exist. You must replace 123456789012 with your actual AWS Account ID and us-east-1 with your desired region.
    • CDK Deploy: This is the command that synthesizes your CDK app into CloudFormation templates and deploys them to AWS. --all deploys all stacks in your app, and --require-approval never skips the confirmation prompt the CLI would otherwise show for security-sensitive changes (new or widened IAM statements and security group rules), which is common in CI/CD but should be used with caution.

The aws-actions/configure-aws-credentials action is a convenient way to handle AWS authentication in GitHub Actions. It supports OIDC (OpenID Connect), where the job exchanges a short-lived GitHub-issued token for temporary credentials by assuming an IAM role; this is more secure than storing long-lived access keys as secrets. When you pass access-key inputs instead, as the workflow above does, it uses those keys directly.

When cdk deploy --all runs, the CDK CLI first synthesizes your Python code into CloudFormation JSON. Then, it checks if the CloudFormation stack already exists. If it does, it compares the current state with the desired state and generates an update plan. If it doesn’t exist, it creates a new one. The --require-approval never flag bypasses the interactive prompt that would normally ask you to confirm changes before deployment.

A common next step is to implement manual approval gates in your workflow or to integrate with other services like AWS CodePipeline for more complex deployment strategies.
