Terraform Modules for setting up AWS Federated access from Github Actions.
GitHub Action has a functionality that can issue an OpenID Connect token to jobs running on Github Actions. This obviates the need to store any long-lived secrets in Github.
First, we need to set up an AWS IAM OIDC identity provider and an AWS IAM role that Github Actions can assume. This can be done by using this module as shown below:
module "aws_federation_github_actions" {
source = "github.com/rpidanny/aws-federation-github-actions?ref=v1.0.0"
github_org = "rpidanny"
github_repos = ["example-repo"]
iam_role_name = "ExampleGithubRole"
iam_policy_arns = [data.aws_iam_policy.AdministratorAccess.arn]
tags = local.tags
}With this deployed, any jobs in the specified repositories can now assume the IAM Role created above.
The github_org and github_repos ensures that only the repositories you specify can assume the role.
You can specify one or more repositories by adding them to the github_repos array. To grant access to all repositories in your organization, simply omit the github_repos parameter.
Now, this is how you would configure your Github Actions workflow to gain access to AWS.
# .github/workflows/example.yml
name: Example Job
on:
push:
env:
AWS_REGION: eu-central-1
jobs:
aws-access:
name: "AWS Access"
runs-on: ubuntu-latest
timeout-minutes: 5
# This is the block you would need to add.
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for the job to read the repository contents
steps:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::0123456789012:role/ExampleGithubRole
aws-region: ${{ env.AWS_REGION }}
- run: aws sts get-caller-identityAn example integration can be found here: examples/dog_food
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
github_org |
Name of the github organization you want to allow access to. | string |
n/a | yes |
github_repos |
List of github repositories you want to allow access to. Empty list grants access to all repos. | list(string) |
[] |
no |
iam_role_name |
Name to use when creating the IAM role that GitHub Actions can assume. | string |
n/a | yes |
iam_policy_arns |
List of IAM policy ARNs that is attached to the IAM role. | list(string) |
[] |
no |
tags |
Resource tags. | map(string) |
{} |
no |
| Name | Description |
|---|---|
iam_openid_connect_provider |
The created OpenId Connect provider |
iam_role |
The created IAM Role |