Skip to content

Instantly share code, notes, and snippets.

@guitarrapc
Created Nov 4, 2021
Embed
What would you like to do?
IAM Role Assume for GitHub Actions OIDC with AWS OIDC Provider.
// oidc provider
resource "aws_iam_openid_connect_provider" "main" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
// role
data "aws_iam_policy_document" "github_oid_assume_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.main.arn]
}
# aud があるとはじかれてるので、aud の値がおかしいっぽい。 <- github.com/aws-actions/configure-aws-credentials ではなしになってる :(
# condition {
# test = "StringEquals"
# variable = "token.actions.githubusercontent.com:aud"
# values = ["https://github.com/${var.github_owner}"]
# }
condition {
test = length(var.github_oidc_repo_names) == 1 ? "StringLike" : "ForAnyValue:StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = [for item in var.github_oidc_repo_names : "repo:${var.github_owner}/${item}:*"]
}
}
}
data "aws_iam_policy_document" "github_actions" {
// allow running `aws sts get-caller-identity`
statement {
effect = "Allow"
actions = ["sts:GetCallerIdentity"]
resources = ["*"]
}
}
resource "aws_iam_policy" "github_actions" {
name = "githubactions_policy"
path = "/"
description = "Policy for GitHubActions"
policy = data.aws_iam_policy_document.github_actions.json
}
resource "aws_iam_role" "test_role" {
name = "githubactions-oidc-role"
path = "/"
assume_role_policy = data.aws_iam_policy_document.github_oid_assume_role_policy.json
policy_arns = [
aws_iam_policy.github_actions.arn
]
}
output "oidc_arn" {
value = aws_iam_openid_connect_provider.main.arn
}
output "role_arn" {
value = module.iam_role_github_oidc.arn
}
variable "github_owner" {
description = "github owner name"
}
variable "github_oidc_repo_names" {
description = "set of github_owner/repository_name"
type = set(string)
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment