Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS. This enables GitHub Actions to access resources within an AWS account without requiring long-lived credentials to be stored as GitHub secrets.
- Terraform 1.0+
Refer to the complete example to view all the available configuration options. The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS.
provider "aws" {
region = var.region
}
module "oidc_github" {
source = "unfunco/oidc-github/aws"
version = "1.3.1"
github_repositories = [
"org/repo",
"another-org/another-repo:ref:refs/heads/main",
]
}
The following demonstrates how to use GitHub Actions once the Terraform module has been applied to your AWS account. The action receives a JSON Web Token (JWT) from the GitHub OIDC provider and then requests an access token from AWS.
jobs:
caller-identity:
name: Check caller identity
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
- run: aws sts get-caller-identity
Name | Type |
---|---|
aws_iam_openid_connect_provider.github | resource |
aws_iam_role.github | resource |
aws_iam_role_policy_attachment.admin | resource |
aws_iam_role_policy_attachment.custom | resource |
aws_iam_role_policy_attachment.read_only | resource |
aws_iam_openid_connect_provider.github | data source |
aws_iam_policy_document.assume_role | data source |
aws_partition.current | data source |
tls_certificate.github | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_thumbprints | List of additional thumbprints for the OIDC provider. | list(string) |
null |
no |
attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | bool |
false |
no |
attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | bool |
true |
no |
create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | bool |
true |
no |
enabled | Flag to enable/disable the creation of resources. | bool |
true |
no |
force_detach_policies | Flag to force detachment of policies attached to the IAM role. | bool |
false |
no |
github_repositories | List of GitHub organization/repository names authorized to assume the role. | list(string) |
n/a | yes |
iam_role_inline_policies | Inline policies map with policy name as key and json as value. | map(string) |
{} |
no |
iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | string |
"github" |
no |
iam_role_path | Path under which to create IAM role. | string |
"/" |
no |
iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | string |
"" |
no |
iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | list(string) |
[] |
no |
max_session_duration | Maximum session duration in seconds. | number |
3600 |
no |
tags | Map of tags to be applied to all resources. | map(string) |
{} |
no |
Name | Description |
---|---|
iam_role_arn | ARN of the IAM role. |
- Configuring OpenID Connect in Amazon Web Services
- Creating OpenID Connect (OIDC) identity providers
- Obtaining the thumbprint for an OpenID Connect Identity Provider
© 2021 Daniel Morris
Made available under the terms of the Apache License 2.0.