AWS federation for GitHub Actions
Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS. This enables GitHub Actions to access resources within an AWS account without requiring long-lived credentials to be stored as GitHub secrets.
🔨 Getting started
Installation and usage
Refer to the complete example to view all the available configuration options. The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS.

```hcl
provider "aws" {
  region = var.region
}

module "oidc_github" {
  source  = "unfunco/oidc-github/aws"
  version = "0.8.0"

  github_repositories = [
    "org/repo",
    "another-org/another-repo:ref:refs/heads/main",
  ]
}
```
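With the defaults above, the role is given the AWS managed ReadOnlyAccess policy (`attach_read_only_policy` is `true` unless overridden) and any workflow run in `org/repo`, on any branch, tag or pull request, may assume it. The following added example is not part of the module's own documentation; it shows how the same inputs documented below can be combined for a single deploy job with least privilege: the managed policies are turned off, the role receives only an inline policy scoped to one S3 bucket, a permissions boundary caps what the role can ever be granted, and only the `main` branch is trusted. The bucket name, boundary policy ARN and account ID are placeholders.

```hcl
provider "aws" {
  region = var.region
}

# Added example: least-privilege use of the module for one deploy job.
# Only workflow runs on the main branch of org/repo may assume the role.
module "oidc_github" {
  source  = "unfunco/oidc-github/aws"
  version = "0.8.0"

  github_repositories = [
    "org/repo:ref:refs/heads/main",
  ]

  iam_role_name           = "github-deploy"
  attach_read_only_policy = false # default is true; drop ReadOnlyAccess
  attach_admin_policy     = false

  # Placeholder ARN: the boundary policy must already exist in the account.
  iam_role_permissions_boundary = "arn:aws:iam::123456789012:policy/ci-boundary"

  # The role gets exactly one inline policy, generated below.
  iam_role_inline_policies = {
    "deploy-site" = data.aws_iam_policy_document.deploy.json
  }
}

# Placeholder bucket: the only resource the deploy job can touch.
data "aws_iam_policy_document" "deploy" {
  statement {
    sid       = "ListBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-site-bucket"]
  }

  statement {
    sid       = "WriteObjects"
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-site-bucket/*"]
  }
}

output "deploy_role_arn" {
  value = module.oidc_github.iam_role_arn
}
```

Because `iam_role_inline_policies` takes JSON strings, any `aws_iam_policy_document` data source can feed it; keeping the bucket policy next to the module call makes a review of what the pipeline can reach a one-file exercise.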
The following demonstrates how to use GitHub Actions once the Terraform module has been applied to your AWS account. The `id-token: write` permission lets the job request a JSON Web Token (JWT) from the GitHub OIDC provider; the `configure-aws-credentials` action then exchanges that JWT for temporary credentials by calling `sts:AssumeRoleWithWebIdentity` on the role the module created, so no long-lived AWS keys are stored in GitHub.

```yaml
jobs:
  caller-identity:
    name: Check caller identity
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
      - run: aws sts get-caller-identity
```
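What makes the exchange above safe is the role's trust policy: AWS only honours `sts:AssumeRoleWithWebIdentity` when the token was issued by the registered provider, was minted for the `sts.amazonaws.com` audience, and carries a `sub` claim matching the repositories listed in `github_repositories`. The module builds that trust policy for you (the `aws_iam_policy_document.assume_role` data source in the resources list); the following added example is written for this page, not taken from the module's source, and shows an equivalent trust policy by hand so the conditions are visible. The account ID and repository are placeholders.

```hcl
# Added example: a hand-written trust policy equivalent in intent to the
# module's assume_role document (illustration, not the module's own code).
data "aws_partition" "current" {}

locals {
  account_id   = "123456789012" # placeholder
  provider_arn = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "github_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # Only tokens issued by the registered GitHub OIDC provider are accepted.
    principals {
      type        = "Federated"
      identifiers = [local.provider_arn]
    }

    # The token must have been requested for AWS, not for some other audience.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Only workflow runs on the main branch of org/repo may assume the role.
    # "repo:org/repo:*" would also admit pull_request and tag runs, and
    # "repo:org/*" would admit every repository in the organisation, so the
    # pattern should be as narrow as the pipeline allows.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:org/repo:ref:refs/heads/main"]
    }
  }
}
```

The `sub` pattern is the real access control here: an `aud` check alone would let any GitHub repository that targets AWS assume the role, so never widen it to `*`.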
Requirements
Name | Version |
---|---|
terraform | ~> 1.0 |
aws | ~> 4.0 |
Providers
Name | Version |
---|---|
aws | ~> 4.0 |
Modules
No modules.
Resources
Name | Type |
---|---|
aws_iam_openid_connect_provider.github | resource |
aws_iam_role.github | resource |
aws_iam_role_policy_attachment.admin | resource |
aws_iam_role_policy_attachment.custom | resource |
aws_iam_role_policy_attachment.read_only | resource |
aws_iam_openid_connect_provider.github | data source |
aws_iam_policy_document.assume_role | data source |
aws_partition.current | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | bool | `false` | no |
attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnlyAccess policy. | bool | `true` | no |
create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | bool | `true` | no |
enabled | Flag to enable/disable the creation of resources. | bool | `true` | no |
force_detach_policies | Flag to force detachment of policies attached to the IAM role. | bool | `false` | no |
github_repositories | List of GitHub organization/repository names, optionally suffixed with a ref (for example `org/repo:ref:refs/heads/main`) to trust only that ref. | list(string) | n/a | yes |
github_thumbprint | GitHub OpenID TLS certificate thumbprint. | string | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
iam_role_inline_policies | Inline policies map with policy name as key and JSON as value. | map(string) | `{}` | no |
iam_role_name | Name of the IAM role. | string | `"github"` | no |
iam_role_path | Path to the IAM role. | string | `"/"` | no |
iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | string | `""` | no |
iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | list(string) | `[]` | no |
max_session_duration | Maximum session duration in seconds. | number | `3600` | no |
tags | Map of tags to be applied to all resources. | map(string) | `{}` | no |
Outputs
Name | Description |
---|---|
iam_role_arn | ARN of the IAM role. |
References
- Configuring OpenID Connect in Amazon Web Services
- Creating OpenID Connect (OIDC) identity providers
- Obtaining the thumbprint for an OpenID Connect Identity Provider
License
© 2021 Daniel Morris
Made available under the terms of the Apache License 2.0.