{"id":16278040,"url":"https://github.com/rpidanny/aws-federation-github-actions","last_synced_at":"2025-10-28T02:32:54.404Z","repository":{"id":80496502,"uuid":"552210606","full_name":"rpidanny/aws-federation-github-actions","owner":"rpidanny","description":"A terraform module that sets up federated AWS access from Github Actions","archived":false,"fork":false,"pushed_at":"2023-04-25T19:53:20.000Z","size":372,"stargazers_count":5,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-31T08:20:24.662Z","etag":null,"topics":["aws","aws-federation","aws-openid-provider","gha-id-token","github-id-token"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rpidanny.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-16T04:10:48.000Z","updated_at":"2023-04-22T12:24:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"868c784c-7788-4061-a479-8d32cb3b2787","html_url":"https://github.com/rpidanny/aws-federation-github-actions","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rpidanny/aws-federation-github-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpidanny%2Faws-federation-github-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpidanny%2Faws-federation-github-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpi
danny%2Faws-federation-github-actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpidanny%2Faws-federation-github-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rpidanny","download_url":"https://codeload.github.com/rpidanny/aws-federation-github-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rpidanny%2Faws-federation-github-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275881571,"owners_count":25545398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-19T02:00:09.700Z","response_time":108,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-federation","aws-openid-provider","gha-id-token","github-id-token"],"created_at":"2024-10-10T18:57:09.811Z","updated_at":"2025-10-28T02:32:54.397Z","avatar_url":"https://github.com/rpidanny.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-federation-github-actions\n\n![AWS federation from GitHub Actions overview](docs/aws-federation.png)\n\n\u003e Terraform Modules for setting up AWS Federated access from Github Actions.\n\nGitHub Actions can [issue an OpenID Connect token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) to jobs running 
on GitHub Actions. AWS can be configured to trust that token through an IAM OIDC identity provider, so no long-lived AWS access keys have to be stored as GitHub secrets: each job exchanges its short-lived token for temporary credentials of an IAM role.\n\n## Usage\n\n### Configure AWS\n\nFirst, set up an AWS IAM OIDC identity provider and an IAM role that GitHub Actions can assume. This can be done with this module as shown below:\n\n```hcl\nmodule \"aws_federation_github_actions\" {\n  source = \"github.com/rpidanny/aws-federation-github-actions?ref=v1.0.0\"\n\n  github_org   = \"rpidanny\"\n  github_repos = [\"example-repo\"]\n\n  iam_role_name   = \"ExampleGithubRole\"\n  iam_policy_arns = [data.aws_iam_policy.AdministratorAccess.arn]\n\n  tags = local.tags\n}\n```\n\nWith this deployed, any job in the specified repositories can assume the IAM role created above. The example attaches `AdministratorAccess` only for illustration; in practice pass the narrowest policies the workflow needs in `iam_policy_arns`.\n\nThe `github_org` and `github_repos` inputs ensure that only the repositories you specify can assume the role. Trust is granted per repository: any workflow in those repositories, whichever branch or event triggered it, can assume the role.\n\nYou can specify one or more repositories by adding them to the `github_repos` array. To grant access to all repositories in your organization, omit the `github_repos` parameter (it defaults to an empty list). Do this only if every repository in the organization, including ones created later, should be able to assume the role.\n\n### Configure GitHub Actions Workflow\n\nThis is how you would configure your GitHub Actions workflow to gain access to AWS:\n\n```yml\n# .github/workflows/example.yml\nname: Example Job\n\non:\n  push:\n\nenv:\n  AWS_REGION: eu-central-1\n\njobs:\n  aws-access:\n    name: \"AWS Access\"\n    runs-on: ubuntu-latest\n    timeout-minutes: 5\n\n    # This is the block you would need to add.\n    permissions:\n      id-token: write # Required for requesting the OIDC JWT\n      contents: read # Required for the job to read the repository contents\n\n    steps:\n      - name: configure aws credentials\n        uses: aws-actions/configure-aws-credentials@v1\n        with:\n          # Replace 123456789012 with your own 12-digit AWS account ID.\n          role-to-assume: arn:aws:iam::123456789012:role/ExampleGithubRole\n          aws-region: ${{ env.AWS_REGION }}\n\n      - run: aws sts get-caller-identity\n```\n\n## Example\n\nAn example integration can be found here: [examples/dog_food](examples/dog_food)\n\n## 
Module Inputs\n\n| Name              | Description                                                                                     | Type           | Default | Required |\n| ----------------- | ----------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |\n| `github_org`      | Name of the github organization you want to allow access to.                                    | `string`       | n/a     |   yes    |\n| `github_repos`    | List of github repositories you want to allow access to. Empty list grants access to all repos. | `list(string)` | `[]`    |    no    |\n| `iam_role_name`   | Name to use when creating the IAM role that GitHub Actions can assume.                          | `string`       | n/a     |   yes    |\n| `iam_policy_arns` | List of IAM policy ARNs that is attached to the IAM role.                                       | `list(string)` | `[]`    |    no    |\n| `tags`            | Resource tags.                                                                                  | `map(string)`  | `{}`    |    no    |\n\n## Module Outputs\n\n| Name                          | Description                         |\n| ----------------------------- | ----------------------------------- |\n| `iam_openid_connect_provider` | The created OpenId Connect provider |\n| `iam_role`                    | The created IAM Role                |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpidanny%2Faws-federation-github-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frpidanny%2Faws-federation-github-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frpidanny%2Faws-federation-github-actions/lists"}
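As an added example (not code from this module or its author), the following Python models the trust relationship the README describes so you can check who could assume the role before deploying. It builds a role trust policy in the shape commonly used for GitHub OIDC federation (one `repo:ORG/REPO:*` subject per listed repository, or `repo:ORG/*` when `github_repos` is empty), constructs claims like those in a GitHub Actions OIDC token, and evaluates the `aud` and `sub` conditions with IAM's `StringEquals`/`StringLike` semantics. The policy shape, the account ID `123456789012`, the claim sets and the helper names (`module_style_subjects`, `trust_policy`, `can_assume`) are assumptions for this illustration; the module's actual trust policy is not shown on this page.

```python
import re

# Issuer of GitHub Actions OIDC tokens and the audience the
# aws-actions/configure-aws-credentials action requests.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"


def module_style_subjects(org, repos=()):
    """Subject patterns in the shape the README describes (assumption: the
    module's real trust policy is not shown on the page). A repo list yields
    one pattern per repo; an empty list yields an org-wide wildcard."""
    if repos:
        return [f"repo:{org}/{repo}:*" for repo in repos]
    return [f"repo:{org}/*"]


def trust_policy(subjects, account_id="123456789012"):
    """Trust policy for sts:AssumeRoleWithWebIdentity from the GitHub OIDC
    provider. The account id is a placeholder."""
    provider = f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud must match exactly; sub is matched with IAM's StringLike.
                "StringEquals": {"token.actions.githubusercontent.com:aud": STS_AUDIENCE},
                "StringLike": {"token.actions.githubusercontent.com:sub": list(subjects)},
            },
        }],
    }


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one;
    everything else is literal (unlike fnmatch, '[' is not special)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def sample_claims(repo, ref="refs/heads/main", aud=STS_AUDIENCE):
    """Constructed claims in the shape GitHub puts in an OIDC token for a
    branch-triggered workflow (a real token carries many more claims)."""
    return {"iss": GITHUB_OIDC_ISSUER, "aud": aud, "sub": f"repo:{repo}:ref:{ref}",
            "repository": repo, "ref": ref}


def can_assume(policy, claims):
    """True if the claims satisfy at least one Allow statement. Only the two
    condition operators used above are implemented; anything else fails closed."""
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False  # token is not from the provider the role trusts
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for operator, checks in stmt.get("Condition", {}).items():
            for key, wanted in checks.items():
                claim = claims.get(key.split(":", 1)[1])  # "...:sub" -> "sub"
                wanted = wanted if isinstance(wanted, list) else [wanted]
                if claim is None:
                    ok = False
                elif operator == "StringEquals":
                    ok = ok and claim in wanted
                elif operator == "StringLike":
                    ok = ok and any(iam_string_like(p, claim) for p in wanted)
                else:
                    ok = False
        if ok:
            return True
    return False


def demo():
    """Compare repo-scoped, org-wide and branch-pinned trust; returns scenario -> allowed."""
    scoped = trust_policy(module_style_subjects("rpidanny", ["example-repo"]))
    org_wide = trust_policy(module_style_subjects("rpidanny"))
    main_only = trust_policy(["repo:rpidanny/example-repo:ref:refs/heads/main"])
    return {
        "scoped: example-repo main": can_assume(scoped, sample_claims("rpidanny/example-repo")),
        "scoped: example-repo feature branch": can_assume(scoped, sample_claims("rpidanny/example-repo", "refs/heads/feature")),
        "scoped: other repo in org": can_assume(scoped, sample_claims("rpidanny/other-repo")),
        "scoped: wrong audience": can_assume(scoped, sample_claims("rpidanny/example-repo", aud="https://github.com/rpidanny")),
        "org-wide: other repo in org": can_assume(org_wide, sample_claims("rpidanny/other-repo")),
        "org-wide: same repo name, other org": can_assume(org_wide, sample_claims("evil-org/example-repo")),
        "main-only: feature branch": can_assume(main_only, sample_claims("rpidanny/example-repo", "refs/heads/feature")),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
```

Running it prints one ALLOW/DENY line per scenario. The `main-only` case goes beyond what the module's inputs expose: pinning `sub` to `ref:refs/heads/main` (or `environment:<name>`) limits the role to a branch or environment instead of every workflow in the repository, which is the granularity a deployment role usually warrants.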