Security Modules 0.75.11 (last updated in version 0.75.11)

OpenID Connect Provider for GitHub Actions


This module creates an OpenID Connect Provider for GitHub Actions. This allows you to use GitHub Actions as an identity provider for your AWS account, which is useful if you want to use GitHub Actions to deploy your infrastructure. With OpenID Connect, GitHub Actions exchanges its own identity token for AWS credentials directly, so you never have to store permanent AWS access credentials in GitHub. Because no permanent credentials are stored there, a leak of GitHub secrets cannot silently turn into long-lived AWS access.

Creating the Provider

module "github_actions_openid_connect_provider" {
  # Update <VERSION> with latest version of the module
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=<VERSION>"

  allowed_organizations = [
    "gruntwork-io",
  ]
}

Security Considerations

The allowed_organizations parameter is a list of GitHub organizations that are allowed to authenticate with the OpenID Connect Provider. This is a security measure to ensure that only workflows from the specified organizations can authenticate with the provider. It is not sufficient on its own: every IAM role that trusts the OpenID Connect Provider must also carry a trust policy that restricts role assumption to the appropriate GitHub repositories on the appropriate refs (branches or tags), otherwise any repository in an allowed organization could assume the role.

See the GitHub Actions IAM Role module for more information.
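The following is an added example (not code from this module or the GitHub Actions IAM Role module) of the kind of trust policy the paragraph above calls for: a role that can only be assumed from the main branch of one repository. It assumes the provider ARN is supplied as var.oidc_provider_arn, that "example-repo" is a placeholder repository name, and that the audience registered on the provider for the "gruntwork-io" organization is https://github.com/gruntwork-io, which the workflow's credential step must then request as its audience.

```hcl
# Added example, not part of the module. Assumptions: var.oidc_provider_arn
# holds the provider ARN created by the module, "example-repo" is a
# placeholder, and https://github.com/gruntwork-io is the audience the
# provider was created with for the gruntwork-io organization.

variable "oidc_provider_arn" {
  description = "ARN of the GitHub Actions OpenID Connect Provider"
  type        = string
}

data "aws_iam_policy_document" "github_actions_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    # The token's audience must be one registered on the provider; this alone
    # only narrows assumption to the organization, not to a repository.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["https://github.com/gruntwork-io"]
    }

    # The subject claim pins the role to one repository and one ref. Use
    # StringEquals rather than a wildcard so feature branches, pull requests
    # and other repositories in the organization cannot assume the role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:gruntwork-io/example-repo:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_actions_deploy" {
  name               = "github-actions-deploy"
  assume_role_policy = data.aws_iam_policy_document.github_actions_trust.json
}
```

To allow a release tag instead of a branch, change the sub value's suffix to ref:refs/tags/<tag>; avoid a bare repo:gruntwork-io/*:* wildcard, which would reopen the role to every repository in the organization.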

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITHUB-ACTIONS-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------

module "github_actions_openid_connect_provider" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=v0.75.11"

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of additional thumbprints for the OIDC provider.
  additional_thumbprints = null

  # List of GitHub organizations that are allowed to assume IAM roles in the
  # account. Set either this or `audiences`; audiences wins if both are set.
  allowed_organizations = []

  # List of fully formed URLs to set as audiences that are allowed to assume IAM
  # roles in the account. Set either this or `allowed_organizations`; audiences
  # wins if both are set.
  audiences = []

}


Reference

Optional

additional_thumbprints (list(string), optional)

List of additional thumbprints for the OIDC provider.

Default: null

allowed_organizations (list(string), optional)

List of GitHub organizations that are allowed to assume IAM roles in the account. Set either this or audiences; audiences wins if both are set.

Default: []

audiences (list(string), optional)

List of fully formed URLs to set as audiences that are allowed to assume IAM roles in the account. Set either this or allowed_organizations; audiences wins if both are set.

Default: []