An open API service indexing awesome lists of open source software.

https://github.com/rpidanny/aws-federation-github-actions

A terraform module that setups up federated AWS access from Github Actions
https://github.com/rpidanny/aws-federation-github-actions

aws aws-federation aws-openid-provider gha-id-token github-id-token

Last synced: 8 months ago
JSON representation

A terraform module that setups up federated AWS access from Github Actions

Awesome Lists containing this project

README

          

# aws-federation-github-actions

![alt text](docs/aws-federation.png)

> Terraform Modules for setting up AWS Federated access from Github Actions.

GitHub Action has a functionality that can [issue an OpenID Connect token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) to jobs running on Github Actions. This obviates the need to store any long-lived secrets in Github.

## Usage

### Configure AWS

First, we need to set up an AWS IAM OIDC identity provider and an AWS IAM role that Github Actions can assume. This can be done by using this module as shown below:

```hcl
module "aws_federation_github_actions" {
source = "github.com/rpidanny/aws-federation-github-actions?ref=v1.0.0"

github_org = "rpidanny"
github_repos = ["example-repo"]

iam_role_name = "ExampleGithubRole"
iam_policy_arns = [data.aws_iam_policy.AdministratorAccess.arn]

tags = local.tags
}
```

With this deployed, any jobs in the specified repositories can now assume the IAM Role created above.

The `github_org` and `github_repos` ensures that only the repositories you specify can assume the role.

You can specify one or more repositories by adding them to the `github_repos` array. To grant access to all repositories in your organization, simply omit the `github_repos` parameter.

### Configure GitHub Actions Workflow

Now, this is how you would configure your Github Actions workflow to gain access to AWS.

```yml
# .github/workflows/example.yml
name: Example Job

on:
push:

env:
AWS_REGION: eu-central-1

jobs:
aws-access:
name: "AWS Access"
runs-on: ubuntu-latest
timeout-minutes: 5

# This is the block you would need to add.
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for the job to read the repository contents

steps:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::0123456789012:role/ExampleGithubRole
aws-region: ${{ env.AWS_REGION }}

- run: aws sts get-caller-identity
```

## Example

An example integration can be found here: [examples/dog_food](examples/dog_food)

## Module Inputs

| Name | Description | Type | Default | Required |
| ----------------- | ----------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
| `github_org` | Name of the github organization you want to allow access to. | `string` | n/a | yes |
| `github_repos` | List of github repositories you want to allow access to. Empty list grants access to all repos. | `list(string)` | `[]` | no |
| `iam_role_name` | Name to use when creating the IAM role that GitHub Actions can assume. | `string` | n/a | yes |
| `iam_policy_arns` | List of IAM policy ARNs that is attached to the IAM role. | `list(string)` | `[]` | no |
| `tags` | Resource tags. | `map(string)` | `{}` | no |

## Module Outputs

| Name | Description |
| ----------------------------- | ----------------------------------- |
| `iam_openid_connect_provider` | The created OpenId Connect provider |
| `iam_role` | The created IAM Role |