# Set up AWS to support OIDC in Bitbucket and GitLab

Repository: https://github.com/johnf/gitlab-aws-cdk-example (TypeScript, AWS CDK)

Sets up the IAM OIDC identity provider and the roles that let GitLab and Bitbucket pipelines assume an AWS role with a short-lived ID token, so no long-lived access keys have to be stored in CI variables.

## Setup a new account

``` bash
yarn

export AWS_PROFILE=xxx-dev
ACCOUNT_NUMBER=$(aws sts get-caller-identity | jq -r .Account)

# First time: bootstrap the CDK toolkit in the target account/region
npx cdk --profile "$AWS_PROFILE" bootstrap aws://${ACCOUNT_NUMBER}/ap-southeast-2

# Every time: review the change set, then deploy
npx cdk diff
npx cdk deploy

# If you just want the CloudFormation templates
npx cdk synth GitlabOidcCdkStack > gitlab.yaml
npx cdk synth BitbucketOidcCdkStack > bitbucket.yaml
```

## GitLab Setup

Add something like this to the project's `.gitlab-ci.yml`.
NOTE: Define `ROLE_ARN` as a CI/CD variable in the project settings, using the role ARN output by the CloudFormation stack. The `aud` requested under `id_tokens` must match the audience (client ID) configured on the IAM OIDC provider, and the role's trust policy should also restrict the token's `sub` claim (project path and ref): an audience check on its own lets any project on the same GitLab instance assume the role.

```yaml
assume role:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: sts.amazonaws.com
  variables:
    AWS_PROFILE: oidc   # select the profile written in before_script
  before_script:
    - |
      mkdir -p ~/.aws
      echo "${GITLAB_OIDC_TOKEN}" > /tmp/web_identity_token
      printf '[profile oidc]\nrole_arn=%s\nweb_identity_token_file=/tmp/web_identity_token\n' "${ROLE_ARN}" > ~/.aws/config
  # NOTE: If any tooling doesn't support AWS config files, the below exchanges the token
  # for plain environment variables instead (one folded command, hence the '>')
  # before_script:
  #   - >
  #     export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
  #     $(aws sts assume-role-with-web-identity
  #     --role-arn ${ROLE_ARN}
  #     --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
  #     --web-identity-token ${GITLAB_OIDC_TOKEN}
  #     --duration-seconds 3600
  #     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
  #     --output text))
  script:
    - aws sts get-caller-identity
```

## Bitbucket Setup

Get the identity provider URL and audience from the repository's Pipelines > OpenID Connect settings in Bitbucket and add them to the Bitbucket CDK stack before deploying; the IAM provider and the role's trust policy are built from them.

Add something like this to `bitbucket-pipelines.yml`.
NOTE: Define `ROLE_ARN` as a repository variable, using the role ARN output by the CloudFormation stack. The step must set `oidc: true`, otherwise `BITBUCKET_STEP_OIDC_TOKEN` is not populated. The AWS CLI and SDKs read `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` and call AssumeRoleWithWebIdentity themselves.

```yaml
pipelines:
  branches:
    main:
      - step:
          name: Configure AWS credentials
          oidc: true
          script:
            - export AWS_REGION=ap-southeast-2
            - export AWS_ROLE_ARN=${ROLE_ARN}
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}"
            - aws sts get-caller-identity
```

## Useful commands

* `npm run build`   compile typescript to js
* `npm run watch`   watch for changes and compile
* `npm run test`    perform the jest unit tests
* `npx cdk deploy`  deploy this stack to your default AWS account/region
* `npx cdk diff`    compare deployed stack with current state
* `npx cdk synth`   emits the synthesized CloudFormation template
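The GitLab and Bitbucket steps above hand a job's ID token to STS, and it is the role's trust policy that decides which tokens are accepted. The block below is an added example, not code from this repository or its CDK stacks: it builds trust policies of the shape the stacks need in plain TypeScript (no aws-cdk-lib or AWS SDK) and evaluates constructed token claims against them, so you can see that a `sub` condition scoped to project and branch refuses jobs from other projects while an audience-only policy admits them. The account ID, provider ARNs and host, project path, workspace and repository UUIDs, and the `<repository uuid>:<step uuid>` layout assumed for Bitbucket's `sub` are placeholders.

```typescript
// Added example; not code from the johnf/gitlab-aws-cdk-example repository.
// Builds OIDC trust policies for GitLab and Bitbucket and evaluates constructed
// ID-token claims against them. Account ID, provider ARN/host, project path,
// workspace and repo UUIDs, and the Bitbucket sub layout are assumptions.

type Claims = Record<string, string>;
type ConditionBlock = Record<string, Record<string, string>>; // operator -> claim key -> pattern

interface Statement {
  Effect: "Allow" | "Deny";
  Principal: { Federated: string };
  Action: "sts:AssumeRoleWithWebIdentity";
  Condition: ConditionBlock;
}
export interface TrustPolicy { Version: "2012-10-17"; Statement: Statement[]; }

// IAM names ID-token claims "<provider host>:<claim>", the host being the provider URL without scheme.
const GITLAB_HOST = "gitlab.com";
const GITLAB_AUDIENCE = "sts.amazonaws.com"; // must equal the job's id_tokens aud
const PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/gitlab.com"; // placeholder account

function allow(providerArn: string, cond: ConditionBlock): TrustPolicy {
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow", Principal: { Federated: providerArn },
    Action: "sts:AssumeRoleWithWebIdentity", Condition: cond,
  }] };
}

// GitLab sub claim: project_path:<group>/<project>:ref_type:<type>:ref:<ref>
export function gitlabTrustPolicy(providerArn: string, projectPath: string, ref: string = "main"): TrustPolicy {
  return allow(providerArn, {
    StringEquals: { [GITLAB_HOST + ":aud"]: GITLAB_AUDIENCE },
    StringLike: { [GITLAB_HOST + ":sub"]: "project_path:" + projectPath + ":ref_type:branch:ref:" + ref },
  });
}

// Bitbucket: provider host and audience come from the repository's OpenID Connect settings.
// sub is assumed to be "<repository uuid>:<step uuid>", so "<repository uuid>:*" pins the repo only.
export function bitbucketTrustPolicy(providerArn: string, providerHost: string, audience: string, repoUuid: string): TrustPolicy {
  return allow(providerArn, {
    StringEquals: { [providerHost + ":aud"]: audience },
    StringLike: { [providerHost + ":sub"]: repoUuid + ":*" },
  });
}

// The weak form: audience only. Any gitlab.com job requesting aud=sts.amazonaws.com satisfies it.
export function audienceOnlyPolicy(providerArn: string): TrustPolicy {
  return allow(providerArn, { StringEquals: { [GITLAB_HOST + ":aud"]: GITLAB_AUDIENCE } });
}

// IAM StringLike globbing: '*' matches any run of characters, '?' exactly one.
export function globMatch(pattern: string, value: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(value);
}

function holds(op: string, key: string, pattern: string, claims: Claims): boolean {
  const actual = claims[key];
  if (actual === undefined) return false; // a missing claim never satisfies the condition
  if (op === "StringEquals") return actual === pattern;
  if (op === "StringLike") return globMatch(pattern, actual);
  throw new Error("unsupported condition operator: " + op);
}

// True when some Allow statement has every one of its conditions satisfied by the claims.
export function policyAllows(policy: TrustPolicy, claims: Claims): boolean {
  return policy.Statement.some((st) => {
    if (st.Effect !== "Allow") return false;
    for (const op of Object.keys(st.Condition)) {
      for (const key of Object.keys(st.Condition[op])) {
        if (!holds(op, key, st.Condition[op][key], claims)) return false;
      }
    }
    return true;
  });
}

// Review check: each Allow statement must pin aud and sub, and sub must not be a bare wildcard.
export function trustPolicyIssues(policy: TrustPolicy): string[] {
  const issues: string[] = [];
  policy.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return;
    let hasAud = false;
    let sub: string | undefined;
    for (const op of Object.keys(st.Condition)) {
      for (const key of Object.keys(st.Condition[op])) {
        if (/:aud$/.test(key)) hasAud = true;
        if (/:sub$/.test(key)) sub = st.Condition[op][key];
      }
    }
    if (!hasAud) issues.push("statement " + i + ": no aud condition");
    if (sub === undefined) issues.push("statement " + i + ": no sub condition; any project at this issuer can assume the role");
    else if (/^\*+$/.test(sub)) issues.push("statement " + i + ": sub is a bare wildcard");
  });
  return issues;
}

// Constructed claim sets (not real tokens), keyed the way IAM exposes them.
const gl = (sub: string): Claims => ({ "gitlab.com:aud": GITLAB_AUDIENCE, "gitlab.com:sub": sub });
export const MAIN_JOB = gl("project_path:acme/deploy:ref_type:branch:ref:main");
export const FEATURE_JOB = gl("project_path:acme/deploy:ref_type:branch:ref:feature/x");
export const OTHER_PROJECT_JOB = gl("project_path:mallory/anything:ref_type:branch:ref:main");

export function runChecks() {
  const strict = gitlabTrustPolicy(PROVIDER_ARN, "acme/deploy");
  const weak = audienceOnlyPolicy(PROVIDER_ARN);
  const bbHost = "api.bitbucket.org/2.0/workspaces/acme/pipelines-config/identity/oidc"; // placeholder
  const bbAud = "ari:cloud:bitbucket::workspace/{ws-uuid}"; // placeholder
  const bb = bitbucketTrustPolicy("arn:aws:iam::123456789012:oidc-provider/" + bbHost, bbHost, bbAud, "{repo-uuid}");
  const bbClaims = (sub: string): Claims => ({ [bbHost + ":aud"]: bbAud, [bbHost + ":sub"]: sub });
  return {
    strictMain: policyAllows(strict, MAIN_JOB),            // true
    strictFeature: policyAllows(strict, FEATURE_JOB),      // false
    strictOther: policyAllows(strict, OTHER_PROJECT_JOB),  // false
    weakOther: policyAllows(weak, OTHER_PROJECT_JOB),      // true: the hole an aud-only policy leaves
    weakIssues: trustPolicyIssues(weak),                   // one finding
    strictIssues: trustPolicyIssues(strict),               // none
    bbSameRepo: policyAllows(bb, bbClaims("{repo-uuid}:{step-uuid}")),   // true
    bbOtherRepo: policyAllows(bb, bbClaims("{other-uuid}:{step-uuid}")), // false
  };
}
```

`runChecks()` returns the outcome of each claim set against each policy. The same `policyAllows` and `trustPolicyIssues` functions can be run over the `AssumeRolePolicyDocument` of the deployed role (from `aws iam get-role`), with the claims copied from the payload of a token the pipeline actually issued, to confirm the stack's conditions match what the job sends before relying on them.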