
Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS

saidsef/terraform-aws-github-oidc

Terraform AWS GitHub OIDC Provider


This Terraform module configures GitHub Actions as an IAM OIDC identity provider in AWS, so that GitHub Actions workflows can access resources in one or more AWS accounts without long-lived credentials being stored as GitHub secrets.

Prerequisites

  • AWS Account(s) and credentials
  • GitHub repository
  • Terraform >= 1.x
  • ...
  • Profit?

Deployment / Usage

provider "aws" {
  region = var.region
}

module "github_oidc" {
  source  = "saidsef/github-oidc/aws"
  version = "~> 2"

  attach_read_only_policy = true
  github_organisation     = "saidsef"
  github_repositories     = [{
    name = "terraform-aws-github-oidc",
    branches = ["main", "pr-*", "*pull*", "*"]
  }]
  tags                    = var.tags
}

Provider Specifications and Requirements

Please see TERRAFORM.md

GitHub Actions

Retrieve temporary credentials:

caller-identity-check:
  if: contains(github.event_name, 'pull_request')
  name: Return the IAM user
  needs: [validate, tfsec]
  permissions:
    contents: read
    id-token: write
  runs-on: ubuntu-latest
  steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2.2.0
      with:
        aws-region: ${{ secrets.AWS_REGION }}
        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions
        role-session-name: ${{ github.event.repository.name }}-${{ github.ref_type }}
    - run: |
        aws sts get-caller-identity
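The security of this setup rests entirely on the trust policy attached to the `github-actions` role the workflow above assumes: IAM only honours `sts:AssumeRoleWithWebIdentity` when the token's `aud` and `sub` claims satisfy the policy's conditions, and the `github_repositories` / `branches` inputs in the usage block are what scope that `sub` condition. The following Python is an added example (not the module's code and not from the project) that builds a trust policy of the commonly used shape from those inputs and evaluates sample GitHub subject claims against it, so you can see which tokens a given `branches` list would admit. It assumes the branch-only expansion `repo:<org>/<repo>:ref:refs/heads/<branch>`; the account id is a placeholder, the sample claims are constructed, and how the real module expands branches or handles `pull_request` subjects should be checked against TERRAFORM.md and the generated policy.

```python
import fnmatch
import json

# Constructed sample mirroring the module inputs in the usage block.
GITHUB_ORGANISATION = "saidsef"
GITHUB_REPOSITORIES = [
    {"name": "terraform-aws-github-oidc", "branches": ["main", "pr-*", "*pull*", "*"]},
]
# Placeholder account id; the real ARN comes from the aws_iam_openid_connect_provider resource.
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"


def subject_patterns(organisation, repositories):
    """Expand org/repo/branch inputs into StringLike patterns for GitHub's
    branch-ref subject claim: repo:<org>/<repo>:ref:refs/heads/<branch>.
    (Assumed expansion for illustration; the module's own may differ.)"""
    patterns = []
    for repo in repositories:
        for branch in repo["branches"]:
            patterns.append(f"repo:{organisation}/{repo['name']}:ref:refs/heads/{branch}")
    return patterns


def trust_policy(provider_arn, organisation, repositories):
    """Assume-role trust policy pinning the audience to STS and the subject
    to the expanded repo/branch patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                    "StringLike": {SUB_KEY: subject_patterns(organisation, repositories)},
                },
            }
        ],
    }


def subject_allowed(policy, sub, aud="sts.amazonaws.com"):
    """Evaluate a token's aud/sub claims the way IAM applies StringEquals
    (exact) and StringLike (* and ? wildcards, * also spans '/')."""
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if cond["StringEquals"][AUD_KEY] != aud:
            continue
        if any(fnmatch.fnmatchcase(sub, pattern) for pattern in cond["StringLike"][SUB_KEY]):
            return True
    return False


def overly_broad_patterns(patterns):
    """Flag patterns whose branch component is a bare '*': they trust every
    branch in the repository, which is the case in the usage block above."""
    return [p for p in patterns if p.endswith("refs/heads/*")]


if __name__ == "__main__":
    policy = trust_policy(OIDC_PROVIDER_ARN, GITHUB_ORGANISATION, GITHUB_REPOSITORIES)
    print(json.dumps(policy, indent=2))
    # Constructed sample subject claims, in the format GitHub documents.
    for sub in [
        "repo:saidsef/terraform-aws-github-oidc:ref:refs/heads/main",
        "repo:saidsef/terraform-aws-github-oidc:ref:refs/heads/feature/x",
        "repo:saidsef/terraform-aws-github-oidc:ref:refs/tags/v1.0.0",
        "repo:saidsef/terraform-aws-github-oidc:pull_request",
        "repo:saidsef/some-other-repo:ref:refs/heads/main",
    ]:
        print(f"{sub}: {'ALLOW' if subject_allowed(policy, sub) else 'DENY'}")
    print("broad patterns:", overly_broad_patterns(subject_patterns(GITHUB_ORGANISATION, GITHUB_REPOSITORIES)))
```

Running this shows that the trailing `"*"` entry admits any branch in the repository, while the other patterns only add the illusion of narrowing; dropping `"*"` and listing the branches that actually deploy is the usual tightening. It also shows that a branch-only expansion does not match the `repo:<org>/<repo>:pull_request` subject GitHub issues for `pull_request` events, which is worth confirming against the module's real expansion before relying on the workflow above.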

Source

Our latest and greatest source of terraform-aws-github-oidc can be found on GitHub. Fork us!

Contributing

We would ❤️ you to contribute by making a pull request.

Please read the official Contribution Guide for more information on how you can contribute.

License
