@jon918
Last active March 14, 2022 15:05
AWS GitHub OIDC Configuration — three separate JSON documents: the IAM permissions policy, the IAM role trust policy, and the OIDC identity-provider definition
{
"Statement": [
{
"Action": [
"s3:CreateBucket",
"s3:Get*",
"s3:List*",
"s3:Put*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sym-tfstate-AWS_ACCOUNT_ID",
"arn:aws:s3:::sym-tfstate-AWS_ACCOUNT_ID/*"
]
},
{
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:Describe*",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:List*",
"dynamodb:TagResource",
"dynamodb:UpdateContinuousBackups"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:us-east-1:AWS_ACCOUNT_ID:table/sym-tfstate-AWS_ACCOUNT_ID-lock"
},
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:Get*",
"iam:List*",
"iam:Tag*",
"iam:UpdateAssumeRolePolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:policy/sym/*",
"arn:aws:iam::*:role/sym/*"
]
},
{
"Action": [
"secretsmanager:Create*",
"secretsmanager:Describe*",
"secretsmanager:Get*",
"secretsmanager:Put*",
"secretsmanager:Tag*"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:*:*:secret:/symops.com/*"
}
],
"Version": "2012-10-17"
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:GITHUB_ORG/GITHUB_REPO:*"
}
}
}
]
}
{
"Url": "https://token.actions.githubusercontent.com",
"ClientIDList": [
"sts.amazonaws.com"
],
"ThumbprintList": [
"a031c46782e6e6c662c2c87c76da9aa62ccabd8e",
"6938fd4d98bab03faadb97b34396831e3780aea1"
]
}