Software development has become a collaborative effort, and developers often need to work with multiple platforms to deploy and manage their applications.
OpenID Connect (OIDC) lets you make authenticated requests to platforms like AWS, authenticate users, and secure communication between platforms. An IAM OIDC identity provider can be created in an AWS account so that clients are granted role-based permissions through OIDC. Because an IAM role has no long-lived credentials of its own, unlike an IAM user, this is a more secure connection.
The GitHub OIDC role lets GitHub request temporary security credentials for access to AWS; the trust relationship attached to it allows only the specified GitHub repositories to access the AWS account. The same applies to the Terraform Cloud identity provider and role.
To create the identity provider and role for GitHub Actions:
- In AWS, navigate to IAM > Identity providers > Add provider
- Choose OpenID Connect
- For Provider URL: https://token.actions.githubusercontent.com
- For Audience: sts.amazonaws.com
- Click Get thumbprint to verify the certificate, then select Add provider
- The provider is now added, but a role still needs to be assigned to it
- In the upper right corner, select Assign role
- Choose Create a new role
- The identity provider that was just created will already be selected
- For Audience: sts.amazonaws.com
- Next, choose AdministratorAccess for the permissions
- Click Next until you reach the Review step
- Name the role (github-actions-deployment-role) and then click Create role
- Now navigate to the newly created role and click the Trust relationships tab
- Make sure the trust relationship looks something like the following, which allows GitHub to access the specified AWS account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<REPOSITORY_NAME>:*"
        }
      }
    }
  ]
}
To create the identity provider and role for Terraform Cloud:
- Follow the same procedure as for the GitHub Actions identity provider and role, but substitute the following information:
For creating the identity provider:
- For Provider URL: https://app.terraform.io
- For Audience: aws.workload.identity
For creating the identity provider role:
- For Audience: aws.workload.identity
- Name the role (terraform-cloud-deployment-role) and then click Create role
- Make sure the trust relationship looks something like the following, which allows Terraform Cloud to access the specified AWS account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/app.terraform.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "app.terraform.io:aud": "aws.workload.identity"
        },
        "StringLike": {
          "app.terraform.io:sub": "organization:<TF_ORGANIZATION>:project:<PROJECT_NAME>:workspace:*:run_phase:*"
        }
      }
    }
  ]
}
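As an added check that is not part of the original article: a small Python linter for trust policies of the shape shown for both providers above. It flags a missing or wrong aud condition and a sub condition that is not pinned to a specific organisation and repository (GitHub) or organisation and project (Terraform Cloud), which is what keeps other tenants of the same provider from assuming the role. The account ID, organisation, repository and project names in the sample are constructed placeholders.

```python
import re

# Per-provider expectations, taken from the two trust policies shown on this page. The sub
# pattern requires a concrete org/repo (GitHub) or org/project (Terraform Cloud); a wildcard
# in those positions would let any tenant of the provider assume the role.
PROVIDERS = {
    "token.actions.githubusercontent.com": {
        "aud": "sts.amazonaws.com", "sub": re.compile(r"^repo:[^*?/:]+/[^*?/:]+:.+$")},
    "app.terraform.io": {
        "aud": "aws.workload.identity",
        "sub": re.compile(r"^organization:[^*?:]+:project:[^*?:]+:workspace:.+$")},
}


def _values(cond: dict, operator: str, key: str) -> list:
    """Condition values may be a string or a list; always return a list."""
    value = cond.get(operator, {}).get(key, [])
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: dict) -> list:
    """Return findings for an OIDC role trust policy; an empty list means it passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        host = federated.rsplit("oidc-provider/", 1)[-1]
        expected = PROVIDERS.get(host)
        if expected is None:
            findings.append(f"unrecognised OIDC provider {host!r}")
            continue
        cond = stmt.get("Condition", {})
        if _values(cond, "StringEquals", f"{host}:aud") != [expected["aud"]]:
            findings.append(f"{host}: aud must be exactly {expected['aud']!r} under StringEquals")
        subs = _values(cond, "StringLike", f"{host}:sub") + _values(cond, "StringEquals", f"{host}:sub")
        if not subs:
            findings.append(f"{host}: no sub condition, so any tenant of the provider could assume the role")
        findings += [f"{host}: sub {s!r} is not pinned to one org and repo/project"
                     for s in subs if not expected["sub"].match(s)]
    return findings


# Constructed sample: the GitHub trust policy from this page with the placeholders filled in.
GITHUB_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                  "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}}]}
```

Running audit_trust_policy(GITHUB_POLICY) returns an empty list; widening the sub to repo:example-org/*:* or dropping the aud condition produces a finding for each problem.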
Interested in more AWS-related services? Check out this article on how to automate deployments to AWS ECS with GitHub Actions.