OpenID Connect

The following snippet will create an OIDC based IAM role for use with 3rd party authentication.

variable "role_name" {
  default = "myrole"
}

variable "principal_arn" {
  default = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
}

variable "subject" {
  default = "repo:myorg/*"
}

resource "aws_iam_role" "main" {
  name               = var.role_name
  description        = "IAM role for X"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "${var.principal_arn}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
          },
          "StringLike": {
            "token.actions.githubusercontent.com:sub": "${var.subject}"
          }
        }
      }
    ]
  })
}