This Terraform module provisions an AWS OpenID Connect (OIDC) identity provider and IAM roles to enable secure, keyless authentication between GitHub Actions workflows and AWS services. By using OIDC, you eliminate the need to store long-lived AWS credentials as GitHub secrets, improving security and following AWS best practices.
The module creates the AWS resources needed to establish trust between GitHub's OIDC provider and your AWS account, allowing GitHub Actions to assume IAM roles and access AWS services during workflow execution. Each workflow run receives temporary, scoped credentials that expire on their own, so there is nothing to rotate or leak, and the role can be scoped to follow the principle of least privilege.
- Creates an AWS OIDC identity provider for GitHub Actions
- Configures IAM roles with customizable trust policies
- Supports multiple GitHub repositories and organizations
- Enables secure, temporary credential access without stored secrets
- Follows AWS security best practices for CI/CD authentication
```yaml
name: AWS ECR Pipeline
on:
  push:
    branches:
      - main
      - feat.*
jobs:
  deploy:
    name: deploy
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required so the job can request a GitHub OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }} # OIDC Role ARN
          aws-region: us-west-2
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      # ... See examples directory for working examples to reference.
```
```hcl
locals {
  region               = "us-west-2"
  role_name            = "github-actions-oidc"
  role_description     = "IAM Role for GitHub Actions OIDC Federation"
  max_session_duration = 3600
  github_repositories  = ["drizzle-ai-systems/terraform-aws-oidc-github-actions"] # List of repositories or orgs
  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" # Example policy ARN; replace with least privilege policies as needed
  ]
  thumbprint_list = [
    "6938fd4d98bab03faadb97b34396831e3780aea1" # Current GitHub's OIDC thumbprint
  ]
  tags = {
    Example    = local.role_name
    GithubRepo = "terraform-aws-oidc-github-actions"
    GithubOrg  = "drizzle-ai-systems"
  }
}

################################################################################
# AWS GitHub Actions OIDC Module
################################################################################

module "aws_gha_oidc" {
  source = "../../"

  github_repositories  = local.github_repositories
  thumbprint_list      = local.thumbprint_list
  role_description     = local.role_description
  max_session_duration = local.max_session_duration
  role_name            = local.role_name
  policy_arns          = local.policy_arns
  tags                 = local.tags
}
```
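The trust the module establishes comes down to two claim checks in the role's assume-role policy: an exact match on the token's `aud` and a wildcard match on its `sub`, which is how an `org/repo` or `org/*` entry in `github_repositories` is scoped. The following added example (not the module's own code; the account ID and claim values are constructed) builds such a trust policy from the module's input format and evaluates sample token claims against it, showing why `org/*` widens access to every repository in the organization.

```python
import fnmatch
import json

# Issuer host of the GitHub Actions OIDC provider and the audience that
# aws-actions/configure-aws-credentials requests for the token.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AWS_AUDIENCE = "sts.amazonaws.com"


def sub_patterns(github_repositories):
    """Turn 'org/repo' / 'org/*' inputs into patterns for the GitHub 'sub' claim.

    A sub claim looks like 'repo:org/repo:ref:refs/heads/main' (or
    ':environment:prod', ':pull_request'), so ':*' is appended to pin the
    repository part while leaving the ref part open.
    """
    patterns = []
    for ident in github_repositories:
        org, _, repo = ident.partition("/")
        if not org or not repo:
            raise ValueError(f"expected 'org/repo' or 'org/*', got {ident!r}")
        patterns.append(f"repo:{org}/{repo}:*")
    return patterns


def assume_role_policy(account_id, github_repositories):
    """Build the IAM trust policy for the OIDC role (constructed account ID)."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud is exact: a token minted for another audience is refused.
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": AWS_AUDIENCE},
                # sub uses wildcards, which is what makes 'org/*' possible.
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": sub_patterns(github_repositories)},
            },
        }],
    }


def token_allowed(policy, claims):
    """Evaluate decoded aud/sub claims the way STS applies these two conditions."""
    cond = policy["Statement"][0]["Condition"]
    aud_ok = claims.get("aud") == cond["StringEquals"][f"{GITHUB_OIDC_HOST}:aud"]
    subs = cond["StringLike"][f"{GITHUB_OIDC_HOST}:sub"]
    return aud_ok and any(fnmatch.fnmatchcase(claims.get("sub", ""), p) for p in subs)


if __name__ == "__main__":
    print(json.dumps(assume_role_policy("123456789012", ["drizzle-ai-systems/terraform-aws-oidc-github-actions"]), indent=2))
```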
The examples codified under the `examples` directory are intended to give users references for how to use the module(s), as well as to test and validate changes to the module's source code. If contributing to the project, please be sure to make any appropriate updates to the relevant examples so that maintainers can test your changes and the examples stay up to date for users. Thank you!
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 6.0 |
| Name | Version |
|---|---|
| aws | >= 6.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github_actions | resource |
| aws_iam_role.oidc_role | resource |
| aws_iam_role_policy_attachment.oidc_role_attach_policies | resource |
| aws_iam_policy_document.oidc_role_assume_role_policy | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| github_repositories | GitHub repository identifiers in the format `org/repo`, or `org/*` for all repositories in an organization. Supports single or multiple repositories/orgs. | list(string) | n/a | yes |
| max_session_duration | The maximum session duration (in seconds) for the IAM role. | number | 3600 | no |
| policy_arns | A list of IAM policy ARNs to attach to the role. You almost always want to attach policies. | list(string) | [] | no |
| role_description | The description of the OIDC GitHub Actions IAM role. | string | "IAM role for GitHub Actions OIDC federation" | no |
| role_name | The name of the IAM role. | string | "github-actions-oidc-role" | no |
| tags | (Optional) A map of tags to assign to the object. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
| thumbprint_list | A list of thumbprints for the OIDC provider. | list(string) | [ | no |
| Name | Description |
|---|---|
| oidc_provider_arn | OIDC provider ARN |
| role_arn | The ARN of the created IAM role for GitHub Actions. |
Apache-2.0 Licensed. See LICENSE.