How can OIDC Role be used to assume IAM Role in a Terraform backend Workflow via Github-Actions?

asked 2023-02-08 11:00:00 +0000

ladyg


1 Answer


answered 2022-04-05 16:00:00 +0000

bukephalos
  1. Create an IAM role that has the necessary permissions to access the Terraform backend.

  2. Configure the OIDC provider in your AWS account and create an OIDC provider URL.

  3. In the IAM console, create a role that will be assumed by the Github-Actions workflow.

  4. Assign the necessary permissions to the role, such as access to the Terraform backend.

  5. Add the IAM role ARN and the OIDC provider URL to the Github-Actions secret values.

  6. In your Github-Actions workflow script, use the AWS CLI to retrieve the OIDC token and assume the IAM role using the AWS Security Token Service (STS) API.

  7. After the IAM role has been assumed, execute your Terraform commands in the Github-Actions workflow as usual.

  8. When the workflow is complete, revoke the OIDC token and terminate the assumed IAM role in order to maintain security.

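The trust policy is where steps 3 and 4 of the answer either hold or fall apart: a role whose trust policy only names the GitHub OIDC provider, without conditions on the token's `aud` and `sub` claims, can be assumed by a workflow in any GitHub repository. The following is an added example, not code from the answer above. It generates a trust policy pinned to one repository and branch and then audits a policy for the usual weaknesses (no `aud` condition, no `sub` condition, a wildcard in the owner/repository part of `sub`, or an unpinned ref). The provider host `token.actions.githubusercontent.com`, the audience `sts.amazonaws.com` and the `sub` format `repo:<owner>/<repo>:ref:<git ref>` are GitHub's documented values; the account id and repository names are constructed placeholders.

```python
"""Build and audit an IAM trust policy for GitHub Actions OIDC federation.

Added example (not part of the original answer). Assumes an IAM OIDC
provider exists for https://token.actions.githubusercontent.com and that
the workflow requests its token with audience sts.amazonaws.com. The
account id and repository names used below are constructed placeholders.
"""
from __future__ import annotations

import json
from typing import Any

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"


def trust_policy(account_id: str, repo: str, ref: str = "refs/heads/main") -> dict[str, Any]:
    """Return a trust policy letting only one repository and branch assume the role."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # aud: the token must have been minted for STS.
                        f"{GITHUB_OIDC_HOST}:aud": STS_AUDIENCE,
                        # sub: exactly this repository on exactly this ref.
                        f"{GITHUB_OIDC_HOST}:sub": f"repo:{repo}:ref:{ref}",
                    }
                },
            }
        ],
    }


def to_json(policy: dict[str, Any]) -> str:
    """Serialise for the role's assume-role policy document (console or IaC)."""
    return json.dumps(policy, indent=2)


def _conditions(stmt: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Flatten a statement's Condition block into (operator, key, value) triples."""
    triples: list[tuple[str, str, str]] = []
    for op, pairs in stmt.get("Condition", {}).items():
        for key, val in pairs.items():
            for v in val if isinstance(val, list) else [val]:
                triples.append((op, key, str(v)))
    return triples


def audit_trust_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings (CODE: message) for GitHub-federated Allow statements."""
    findings: list[str] = []
    aud_key = f"{GITHUB_OIDC_HOST}:aud"
    sub_key = f"{GITHUB_OIDC_HOST}:sub"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if GITHUB_OIDC_HOST not in str(federated):
            continue  # not a GitHub OIDC statement
        conds = _conditions(stmt)
        if not any(k == aud_key for _, k, _ in conds):
            findings.append(f"MISSING_AUD: statement {i} does not pin aud to {STS_AUDIENCE}")
        subs = [(op, v) for op, k, v in conds if k == sub_key]
        if not subs:
            findings.append(f"MISSING_SUB: statement {i} lets any GitHub repository assume the role")
            continue
        for op, value in subs:
            parts = value.split(":", 2)  # ["repo", "owner/name", "<ref or env selector>"]
            wildcard_op = op.startswith("StringLike")
            if parts[0] != "repo" or len(parts) < 2 or (wildcard_op and "*" in parts[1]):
                findings.append(f"WILDCARD_REPO: statement {i} sub {value!r} is not pinned to a single repository")
            elif wildcard_op and len(parts) > 2 and "*" in parts[2]:
                findings.append(f"UNPINNED_REF: statement {i} sub {value!r} accepts any ref or environment")
    return findings


if __name__ == "__main__":
    policy = trust_policy("123456789012", "example-org/infra")
    print(to_json(policy))
    print("findings:", audit_trust_policy(policy) or "none")
```

The generated document is what goes into the role's trust relationship (in Terraform, the `assume_role_policy` of an `aws_iam_role`). On the workflow side, the job needs `permissions: id-token: write` before any step can request the OIDC token; the `aws-actions/configure-aws-credentials` action performs the `AssumeRoleWithWebIdentity` exchange that step 6 describes, so the role ARN is the only secret-like value the workflow has to carry.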


Last updated: Apr 05 '22