https://github.com/rpidanny/aws-federation-github-actions
A terraform module that setups up federated AWS access from Github Actions
https://github.com/rpidanny/aws-federation-github-actions
aws aws-federation aws-openid-provider gha-id-token github-id-token
Last synced: 8 months ago
JSON representation
A terraform module that setups up federated AWS access from Github Actions
- Host: GitHub
- URL: https://github.com/rpidanny/aws-federation-github-actions
- Owner: rpidanny
- Created: 2022-10-16T04:10:48.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-04-25T19:53:20.000Z (about 3 years ago)
- Last Synced: 2025-05-31T08:20:24.662Z (about 1 year ago)
- Topics: aws, aws-federation, aws-openid-provider, gha-id-token, github-id-token
- Language: HCL
- Homepage:
- Size: 363 KB
- Stars: 5
- Watchers: 2
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
README
# aws-federation-github-actions

> Terraform Modules for setting up AWS Federated access from Github Actions.
GitHub Action has a functionality that can [issue an OpenID Connect token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) to jobs running on Github Actions. This obviates the need to store any long-lived secrets in Github.
## Usage
### Configure AWS
First, we need to set up an AWS IAM OIDC identity provider and an AWS IAM role that Github Actions can assume. This can be done by using this module as shown below:
```hcl
module "aws_federation_github_actions" {
source = "github.com/rpidanny/aws-federation-github-actions?ref=v1.0.0"
github_org = "rpidanny"
github_repos = ["example-repo"]
iam_role_name = "ExampleGithubRole"
iam_policy_arns = [data.aws_iam_policy.AdministratorAccess.arn]
tags = local.tags
}
```
With this deployed, any jobs in the specified repositories can now assume the IAM Role created above.
The `github_org` and `github_repos` ensures that only the repositories you specify can assume the role.
You can specify one or more repositories by adding them to the `github_repos` array. To grant access to all repositories in your organization, simply omit the `github_repos` parameter.
### Configure GitHub Actions Workflow
Now, this is how you would configure your Github Actions workflow to gain access to AWS.
```yml
# .github/workflows/example.yml
name: Example Job
on:
push:
env:
AWS_REGION: eu-central-1
jobs:
aws-access:
name: "AWS Access"
runs-on: ubuntu-latest
timeout-minutes: 5
# This is the block you would need to add.
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for the job to read the repository contents
steps:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::0123456789012:role/ExampleGithubRole
aws-region: ${{ env.AWS_REGION }}
- run: aws sts get-caller-identity
```
## Example
An example integration can be found here: [examples/dog_food](examples/dog_food)
## Module Inputs
| Name | Description | Type | Default | Required |
| ----------------- | ----------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
| `github_org` | Name of the github organization you want to allow access to. | `string` | n/a | yes |
| `github_repos` | List of github repositories you want to allow access to. Empty list grants access to all repos. | `list(string)` | `[]` | no |
| `iam_role_name` | Name to use when creating the IAM role that GitHub Actions can assume. | `string` | n/a | yes |
| `iam_policy_arns` | List of IAM policy ARNs that is attached to the IAM role. | `list(string)` | `[]` | no |
| `tags` | Resource tags. | `map(string)` | `{}` | no |
## Module Outputs
| Name | Description |
| ----------------------------- | ----------------------------------- |
| `iam_openid_connect_provider` | The created OpenId Connect provider |
| `iam_role` | The created IAM Role |