Move general OIDC section above ESC

pulumi · Dec 5, 2023 · 16379d4 · 16379d4
1 parent 2957889
commit 16379d4
Showing 1 changed file with 27 additions and 26 deletions.
diff --git a/themes/default/content/registry/packages/aws/installation-configuration.md b/themes/default/content/registry/packages/aws/installation-configuration.md
@@ -197,6 +197,33 @@ you need to do either of the following
     provider = pulumi_aws.Provider('named-provider', skip_metadata_api_check=False)
     ```
 
+
+### Authenticate with WebIdentity and OpenID Connect (OIDC)
+
+In this approach, you configure an AWS role to assume and a source for a web identity token, which is an OIDC ID token. The token is used to authenticate with AWS and obtain temporary credentials. The temporary credentials are then used to access AWS resources. This mode of authentication allows you to run Pulumi on a service that supports OIDC like GitHub, GitLab, or Azure DevOps, and access AWS without storing credentials.
+
+Please refer to the AWS docs [About web identity federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html) and [Assume role with web identity](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc) for more details. Also, refer to the particular service's documentation for how to configure the OIDC trust relationship, which is a one-time setup.
+
+If your Pulumi program runs on GitHub, you don't need to configure the identity token in most cases. Amazon have published [GitHub workflows action `configure-aws-credentials`](https://github.com/aws-actions/configure-aws-credentials/tree/v4/#OIDC) which handles the token. You only configure the role to assume in your GitHub workflow definition:
+```yaml
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    aws-region: ${{ env.AWS_REGION }}
+    role-session-name: <NAME>
+    role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
+```
+
+In other cases, you will need to configure the `assumeRoleWithWebIdentity` object documented in the [Configuration options](#configuration-options) section of this page. At a minimum, you will need to define the role to assume and the source of the token. In Pulumi config it should look this:
+```yaml
+config:
+  aws:assumeRoleWithWebIdentity:
+    roleArn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
+    # Define either webIdentityToken or webIdentityTokenFile
+    webIdentityToken: <your-web-identity-token>
+    webIdentityTokenFile: webidentitytokenfile.txt
+```
+
+
 ### Dynamically generate credentials via Pulumi ESC
 
 In addition to configuring the AWS provider locally, you also have the option to centralize your configurations using [Pulumi ESC (Environments, Secrets, and Configuration)](/docs/pulumi-cloud/esc/). Using this service will enable you to run AWS or Pulumi CLI commands with dynamically generated credentials, removing the need to configure and manage your credentials locally.
@@ -294,32 +321,6 @@ Make sure that your local environment does not have AWS credentials configured b
 To learn more about projecting environment variables in Pulumi ESC, refer to the [relevant Pulumi ESC documentation](/docs/pulumi-cloud/esc/environments/#projecting-environment-variables).
 
 
-### Authenticate with WebIdentity and OpenID Connect (OIDC)
-
-In this approach, you configure an AWS role to assume and a source for a web identity token, which is an OIDC ID token. The token is used to authenticate with AWS and obtain temporary credentials. The temporary credentials are then used to access AWS resources. This mode of authentication allows you to run Pulumi on a service that supports OIDC like GitHub, GitLab, or Azure DevOps, and access AWS without storing credentials.
-
-Please refer to the AWS docs [About web identity federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html) and [Assume role with web identity](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc) for more details. Also, refer to the particular service's documentation for how to configure the OIDC trust relationship, which is a one-time setup.
-
-If your Pulumi program runs on GitHub, you don't need to configure the identity token in most cases. Amazon have published [GitHub workflows action `configure-aws-credentials`](https://github.com/aws-actions/configure-aws-credentials/tree/v4/#OIDC) which handles the token. You only configure the role to assume in your GitHub workflow definition:
-```yaml
-  uses: aws-actions/configure-aws-credentials@v4
-  with:
-    aws-region: ${{ env.AWS_REGION }}
-    role-session-name: <NAME>
-    role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
-```
-
-In other cases, you will need to configure the `assumeRoleWithWebIdentity` object documented in the [Configuration options](#configuration-options) section of this page. At a minimum, you will need to define the role to assume and the source of the token. In Pulumi config it should look this:
-```yaml
-config:
-  aws:assumeRoleWithWebIdentity:
-    roleArn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
-    # Define either webIdentityToken or webIdentityTokenFile
-    webIdentityToken: <your-web-identity-token>
-    webIdentityTokenFile: webidentitytokenfile.txt
-```
-
-
 ## Configuration options
 
 Use `pulumi config set aws:<option>` or pass options to the [constructor of `new aws.Provider`](../api-docs/provider).