OpenID Connect
The following snippet will create an OIDC based IAM role for use with 3rd party authentication.
variable "role_name" {
default = "myrole"
}
variable "principal_arn" {
default = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
}
variable "subject" {
default = "repo:myorg/*"
}
resource "aws_iam_role" "main" {
name = var.role_name
description = "IAM role for X"
assume_role_policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "${var.principal_arn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "${var.subject}"
}
}
}
]
})
}