{"id":31885331,"url":"https://github.com/opszero/terraform-aws-oidc-gitlab","last_synced_at":"2026-02-16T23:37:08.515Z","repository":{"id":315013907,"uuid":"1057721926","full_name":"opszero/terraform-aws-oidc-gitlab","owner":"opszero","description":null,"archived":false,"fork":false,"pushed_at":"2025-11-24T19:26:08.000Z","size":44,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-28T07:31:05.807Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opszero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"SUPPORT","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["abhiyerra"],"custom":["https://www.opszero.com"]}},"created_at":"2025-09-16T05:58:52.000Z","updated_at":"2025-11-24T19:26:11.000Z","dependencies_parsed_at":"2025-09-16T08:25:47.975Z","dependency_job_id":"deaf4dfc-6dad-4888-8b54-b2d5ee4143f3","html_url":"https://github.com/opszero/terraform-aws-oidc-gitlab","commit_stats":null,"previous_names":["opszero/terraform-aws-oidc-gitlab"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/opszero/terraform-aws-oidc-gitlab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-oidc-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-oidc-gitlab/tags","releases_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-oidc-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-oidc-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opszero","download_url":"https://codeload.github.com/opszero/terraform-aws-oidc-gitlab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-oidc-gitlab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29524334,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T21:45:09.491Z","status":"ssl_error","status_checked_at":"2026-02-16T21:44:58.452Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T04:56:35.770Z","updated_at":"2026-02-16T23:37:08.508Z","avatar_url":"https://github.com/opszero.png","language":"HCL","funding_links":["https://github.com/sponsors/abhiyerra","https://www.opszero.com"],"categories":[],"sub_categories":[],"readme":"## AWS federation for GitLab Using OIDC \n\nThis is a Terraform module to configure GitLab as an IAM OIDC identity provider in AWS. 
It enables GitLab to access resources within an AWS account without requiring static AWS credentials.\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| terraform | ~\u003e 1.0 |\n| aws | ~\u003e 4.0 |\n| tls | 3.3.0 |\n\n## Installation and usage\n\nThe following snippet shows the minimum required configuration to create a working OIDC connection between GitLab and AWS.\n\n```hcl\nprovider \"aws\" {\n  region = var.aws_region\n}\n\nmodule \"aws_oidc_gitlab\" {\n  for_each = var.gitlab\n  source   = \"../../\"\n\n  iam_role_name        = \"gitlab_action_oidc_aws\"\n  attach_admin_policy  = true\n  create_oidc_provider = true\n  iam_policy_arns      = []\n  gitlab_url           = \"https://gitlab.com\"\n  audience             = \"https://gitlab.com\"\n  match_field          = each.value.match_field\n  match_value          = each.value.match_value\n}\n```\n\n## Input Variables\n\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eattach_admin_policy\u003c/code\u003e is the flag to enable or disable the attachment of the AdministratorAccess policy to the IAM role.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eaws_managed_policy_arns\u003c/code\u003e is a list of AWS managed IAM policy ARNs to attach to the IAM role, such as S3FullAccess.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egitlab_url\u003c/code\u003e is the address of your GitLab instance, such as https://gitlab.com or http://gitlab.example.com.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eaudience\u003c/code\u003e is the same as \u003ccode\u003egitlab_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ematch_value\u003c/code\u003e is your GitLab instance URL, such as https://gitlab.example.com, or a filter for a specific GitLab group, branch or tag, such as project_path:mygroup/myproject:ref_type:branch:ref:main.
\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ematch_field\u003c/code\u003e: if \u003ccode\u003ematch_value\u003c/code\u003e is a filter for a specific GitLab group, branch or tag, use \u003ccode\u003esub\u003c/code\u003e. Use \u003ccode\u003eaud\u003c/code\u003e if \u003ccode\u003ematch_value\u003c/code\u003e is the GitLab instance URL, such as https://gitlab.com.\u003c/li\u003e\n\u003c/ul\u003e\n\n## Explanation For \u003ccode\u003ematch_value\u003c/code\u003e And \u003ccode\u003ematch_field\u003c/code\u003e\n\nBy default, any GitLab user who knows this IAM role's ARN would be able to assume the role. So we need to lock it down by adding a condition to the assume-role policy document (in the IAM console, this is the Trust relationships tab of the role). Here is how the module declares the condition:\n\n```hcl\n    condition {\n      test     = \"StringEquals\"\n      values   = var.match_value\n      variable = \"${aws_iam_openid_connect_provider.gitlab[0].url}:${var.match_field}\"\n    }\n```\n\nThe condition below allows any GitLab project on the instance to retrieve temporary credentials from AWS Security Token Service (STS). Use \u003ccode\u003eaud\u003c/code\u003e as \u003ccode\u003ematch_field\u003c/code\u003e when \u003ccode\u003ematch_value\u003c/code\u003e is the GitLab instance URL, such as https://gitlab.com. \u003ccode\u003eaud\u003c/code\u003e is the URL of the GitLab instance. 
This is defined when the identity provider is first configured in your cloud provider.\n\n```hcl\n    condition {\n      test     = \"StringEquals\"\n      values   = var.match_value # https://gitlab.com\n      variable = \"${aws_iam_openid_connect_provider.gitlab[0].url}:${var.match_field}\" # gitlab.com:aud\n    }\n```\n\nThe trusted entities of the role then look like this:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Federated\": \"arn:aws:iam::585584209241:oidc-provider/gitlab.com\"\n            },\n            \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"gitlab.com:aud\": \"https://gitlab.com\"\n                }\n            }\n        }\n    ]\n}\n```\n\n\u003ccode\u003esub\u003c/code\u003e is a concatenation of metadata describing the GitLab CI/CD workflow, including the group, project, branch and tag. The \u003ccode\u003esub\u003c/code\u003e field has the following format:\n\n```text\nproject_path:{gitlab_group_id}/{project_name}:ref_type:{type}:ref:{branch_name}\n```\n\n| Filter | Example |\n|--------|---------|\n| Filter to main branch | project_path:mygroup/myproject:ref_type:branch:ref:main |\n| Filter to any branch | Wildcard supported. project_path:mygroup/myproject:ref_type:branch:ref:* |\n| Filter to specific project | project_path:mygroup/myproject:ref_type:branch:ref:main |\n| Filter to all projects under a group | Wildcard supported. project_path:mygroup/*:ref_type:branch:ref:main |\n| Filter to a Git tag | Wildcard supported. 
project_path:mygroup/*:ref_type:tag:ref:1.0 |\n\nNote that IAM only interprets `*` as a wildcard under the `StringLike` condition operator; under `StringEquals`, as used in the module's condition above, the asterisk is matched literally, so the wildcard filters need `StringLike`.\n\nThe trusted entities of the role then look like this:\n\n```json\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"gitlab.com:sub\": \"project_path:{group_id}/{project_name}:ref_type:branch:ref:main\"\n                }\n            }\n```\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| gitlab_url | The address of your GitLab instance, such as https://gitlab.com or http://gitlab.example.com. | `string` | `\"https://gitlab.com\"` | yes |\n| audience | The address of your GitLab instance, such as https://gitlab.com or http://gitlab.example.com. | `string` | `\"https://gitlab.com\"` | yes |\n| iam\\_role\\_policy\\_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |\n| create\\_oidc\\_provider | Flag to enable/disable the creation of the GitLab OIDC provider. | `bool` | `true` | yes |\n| match\\_field | Token claim to match. `aud` (the issuer, the domain of your GitLab instance) by default; change to `sub` if you want to filter to specific projects, branches or tags. | `string` | aud | yes |\n| match\\_value | Your GitLab instance URL by default. To filter to a specific group, branch or tag, use the format project_path:mygroup/myproject:ref_type:branch:ref:main | `list` | GitLab instance URL | yes |\n\n## Optional Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| attach\\_admin\\_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |\n| iam\\_role\\_name | Name of the IAM role to be created. This will be assumable by GitLab. | `string` | `\"gitlab_action_role\"` | no |\n| iam\\_role\\_path | Path under which to create the IAM role. | `string` | `\"/\"` | no |\n| max\\_session\\_duration | Maximum session duration in seconds. 
| `number` | `3600` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| iam\\_role\\_arn | ARN of the IAM role. |\n\n## .gitlab-ci.yml\n\n```yaml\nvariables:\n  REGION: us-east-1\n  ROLE_ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/gitlab_action_role\n\nimage:\n  name: amazon/aws-cli:latest\n  entrypoint:\n    - '/usr/bin/env'\n\nassume role:\n    script:\n        - \u003e\n          STS=($(aws sts assume-role-with-web-identity\n          --role-arn ${ROLE_ARN}\n          --role-session-name \"GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}\"\n          --web-identity-token $CI_JOB_JWT_V2\n          --duration-seconds 3600\n          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'\n          --output text))\n        - export AWS_ACCESS_KEY_ID=\"${STS[0]}\"\n        - export AWS_SECRET_ACCESS_KEY=\"${STS[1]}\"\n        - export AWS_SESSION_TOKEN=\"${STS[2]}\"\n        - export AWS_REGION=\"$REGION\"\n        - aws sts get-caller-identity\n        - aws s3 ls\n        - aws iam list-users\n```\n\n## Example pipeline output\n\n![gitlabci_output](https://raw.githubusercontent.com/thaunghtike-share/mytfdemo/main/aws_console_outputs_photos/gitlabci_oidc.png)\n\n## References\n\n- [Configure OpenID Connect in AWS to retrieve temporary credentials](https://docs.gitlab.com/ee/ci/cloud_services/aws/)\n- [Connect to cloud services](https://docs.gitlab.com/ee/ci/cloud_services/index.html#configure-a-conditional-role-with-oidc-claims)\n\n## License\n\n© 2021 [Daniel Morris](https://unfun.co)  \nMade available under the terms of the [Apache License 2.0].\n\n[Apache License 2.0]: LICENSE.md\n[Complete example]: examples/complete\n[Configuring OpenID Connect in Amazon Web Services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services\n[Creating OpenID Connect (OIDC) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html\n[Make]: https://www.gnu.org/software/make/\n[Obtaining the thumbprint for an OpenID Connect Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html\n[Terraform]: https://www.terraform.io\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-oidc-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopszero%2Fterraform-aws-oidc-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-oidc-gitlab/lists"}