This module configures AWS OIDC authentication with GitHub Actions, eliminating the need for static AWS IAM Access Keys when running Terraform within GitHub Actions.
We can use OpenID Connect within our workflows to authenticate with Amazon Web Services and get temporary session tokens to assume IAM roles.
```mermaid
sequenceDiagram
autonumber
participant A as GitHub Actions
participant B as OIDC Provider
participant C as AWS IAM
A->>+B: Request JWT
B->>-A: Issue signed JWT
A->>+C: Request Access Token
C-->>+B: Verify Token
B-->>-C: Valid
C->>-A: Issue Role Access Session Token
```
The module is, at the time of writing, very opinionated about how the AWS IAM OpenID Connect provider is created. The only thing the user needs to be concerned with is `var.conditions`. It is used to set up the trust policy condition on the `sub` claim, which is explained further here.
Claims other than the required `sub` claim are supported for more granular permissions; a reference to the contents of the OIDC token can be found here.
See the `examples/simple` directory for an example of using the module.
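An added usage example of calling the module, not taken from the module's `examples/simple` directory. It assumes the module source path, a placeholder account ID and policy ARN, constructed org/repo names, and that condition keys are written in the full IAM condition-key form of the GitHub OIDC claims (`token.actions.githubusercontent.com:<claim>`).

```hcl
# Added example (not the module's own examples/simple).
# Assumptions: module source path, placeholder policy ARN, constructed org/repo,
# and condition keys in the form token.actions.githubusercontent.com:<claim>.
module "github_actions_oidc" {
  source = "../../" # assumption: relative path to this module

  role_name  = "github-actions-terraform"
  policy_arn = ["arn:aws:iam::123456789012:policy/terraform-plan"] # placeholder ARN

  # Trust policy conditions: key = JWT claim, value = required claim value.
  conditions = {
    # Required: limit the role to one repository and one branch. For a push to a
    # branch, GitHub's sub claim has the form repo:<org>/<repo>:ref:refs/heads/<branch>.
    "token.actions.githubusercontent.com:sub" = "repo:example-org/example-repo:ref:refs/heads/main"

    # Optional extra claim: the audience the workflow requests the token for;
    # aws-actions/configure-aws-credentials requests sts.amazonaws.com.
    "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
  }

  # Keep session lifetime at the one-hour default rather than extending it.
  role_max_sessions_duration = 3600
}

# The module's `role` output, so the workflow can reference the role to assume.
output "github_actions_role" {
  value = module.github_actions_oidc.role
}
```

A workflow that assumes this role needs `permissions: id-token: write` on the job so GitHub Actions can request the JWT shown in step 1 of the diagram.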
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github_actions | resource |
| aws_iam_role.github_actions | resource |
| aws_iam_role_policy_attachment.github_actions | resource |
| aws_iam_policy_document.github_actions | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| conditions | GitHub conditions to apply to the AWS role, e.g. from which org/repo/branch it is allowed to be run. Key is used as the JWT claim and value as the claim value. | map(string) | n/a | yes |
| policy_arn | List of ARNs of IAM policies to attach to the IAM role. | list(string) | n/a | yes |
| role_name | The name of the AWS role which will be used to run GitHub Actions. | string | n/a | yes |
| role_max_sessions_duration | Maximum session duration (in seconds) that you want to set for the specified role. | number | 3600 | no |
| role_permission_boundary | Permissions boundary for the created role. | string | null | no |

| Name | Description |
|---|---|
| openid_connect_provider | AWS OpenID Connect identity provider. |
| role | AWS role created. |