Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS. This enables GitHub Actions to access resources within an AWS account without requiring long-lived credentials to be stored as GitHub secrets.
Refer to the complete example to view all the available configuration options. The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS.
provider "aws" {
region = var.region
}
module "aws_oidc_github" {
source = "unfunco/oidc-github/aws"
version = "0.6.1"
github_repositories = ["org/repo", "another-org/another-repo"]
}The following demonstrates how to use GitHub Actions once the Terraform module has been applied to your AWS account. The action receives a JSON Web Token (JWT) from the GitHub OIDC provider and then requests an access token from AWS.
jobs:
caller-identity:
name: Check caller identity
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@master
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
- run: aws sts get-caller-identity| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 4.0 |
| Name | Version |
|---|---|
| aws | ~> 4.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_role.github | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.read_only | resource |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_partition.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | bool |
false |
no |
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | bool |
true |
no |
| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | bool |
true |
no |
| enabled | Flag to enable/disable the creation of resources. | bool |
true |
no |
| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | string |
false |
no |
| github_repositories | List of GitHub organization/repository names. | list(string) |
n/a | yes |
| github_ref | GitHub ref that must be in OIDC claim e.g. 'refs/heads/my-prod-branch' | string |
"" |
no |
| github_thumbprint | GitHub OpenID TLS certificate thumbprint. | string |
"6938fd4d98bab03faadb97b34396831e3780aea1" |
no |
| iam_role_name | Name of the IAM role. | string |
"github" |
no |
| iam_role_path | Path to the IAM role. | string |
"/" |
no |
| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | string |
"" |
no |
| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | list(string) |
[] |
no |
| max_session_duration | Maximum session duration in seconds. | number |
3600 |
no |
| tags | Map of tags to be applied to all resources. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| iam_role_arn | ARN of the IAM role. |
- Configuring OpenID Connect in Amazon Web Services
- Creating OpenID Connect (OIDC) identity providers
- Obtaining the thumbprint for an OpenID Connect Identity Provider
© 2021 Daniel Morris
Made available under the terms of the Apache License 2.0.