Terraform module to create a GitHub OIDC integration with AWS.
Initialize the module and get the role ARN from its outputs.
```hcl
provider "aws" {
  region = var.region
}

module "github_oidc" {
  source  = "bryan-rhm/github-oidc/aws"
  version = "1.0.0"

  github_organization = "YOUR ORGANIZATION/GITHUB ACCOUNT"
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] # Policies you want to attach to the GitHub role.
}
```
Once you have installed the module you will be able to authenticate from your GitHub organization using the role created by the module.
The job or workflow run requires a permissions setting with `id-token: write`. You won't be able to request the OIDC JWT ID token if the permissions setting for `id-token` is set to `read` or `none`.
```yaml
permissions:
  id-token: write
```
The aws-actions/configure-aws-credentials action receives a JWT from the GitHub OIDC provider, and then requests an access token from AWS. For more information, see the AWS documentation.
```yaml
# Sample workflow to access AWS resources when the workflow is tied to a branch
# The workflow creates a static website using AWS S3
name: AWS example workflow
on:
  push
env:
  BUCKET_NAME : "<example-bucket-name>"
  AWS_REGION : "<example-aws-region>"
# permissions can be added at job level or workflow level
permissions:
  id-token: write
  contents: read # This is required for actions/checkout
jobs:
  S3PackageUpload:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::1234567890:role/example-role
          role-session-name: samplerolesession
          aws-region: ${{ env.AWS_REGION }}
      # Upload a file to AWS S3
      - name: Copy index.html to s3
        run: |
          aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/
```
Configuring OpenID Connect in Amazon Web Services
Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.4 |
| aws | >= 3.43.0 |
| tls | >= 3.4.0 |
Providers

| Name | Version |
|---|---|
| aws | 4.19.0 |
| tls | 3.4.0 |
Modules

No modules.
Resources

| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.oidc | resource |
| aws_iam_role.role | resource |
| aws_iam_policy_document.asume_role_policy | data source |
| tls_certificate.certificate | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| github_organization | The GitHub organization to allow access to | string | n/a | yes |
| github_repositories | The GitHub repositories inside the organization you want to allow access to | list(string) | [ | no |
| github_url | The URL of the GitHub OAuth2 provider | string | "https://token.actions.githubusercontent.com" | no |
| managed_policy_arns | The ARNs of the managed policies to attach to the role | list(string) | [] | no |
| role_name | Name of the IAM role | string | "GithubActionsRole" | no |
| tags | Tags to apply to all resources | map(string) | {} | no |
Outputs

| Name | Description |
|---|---|
| assume_role_policy | Assume role policy; this value can be used to create another role outside this module |
| oidc | GitHub OpenID Connect provider |
| role_arn | ARN of the IAM role allowed to authenticate to AWS from GitHub Actions |
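Tightening the trust beyond the usage block above, as an added example that is not the module's own code: it reuses the `module "github_oidc"` declaration from the usage section, assumes the `oidc` output exposes the provider object (so `module.github_oidc.oidc.arn` is its ARN), and uses the placeholder names `example-org`, `static-site` and `example-bucket-name`.

```hcl
# Added example, not the module's own code. Assumes the "oidc" output is the
# provider object (module.github_oidc.oidc.arn) and uses placeholder names.
# Trust policy for a separate deploy role: only workflows on the main branch of
# example-org/static-site may assume it, and the token audience must be STS.
data "aws_iam_policy_document" "deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.github_oidc.oidc.arn]
    }

    # Reject tokens minted for any other audience.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Bind the role to one repository and one branch via the sub claim,
    # instead of trusting every repository in the organization.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/static-site:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name               = "GithubDeployRole"
  assume_role_policy = data.aws_iam_policy_document.deploy_trust.json
}

# Least privilege for the sample workflow: write into a single bucket only,
# rather than attaching a broad managed policy.
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-bucket-name/*"]
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_permissions.json
}
```

Point the workflow's `role-to-assume` at `aws_iam_role.deploy.arn`; a token from any other repository or branch then fails `AssumeRoleWithWebIdentity`, which is visible in CloudTrail as an access-denied event.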