Terraform module to create GitHub OIDC IAM role.
For more information about security hardening your tokens, see "About security hardening with OpenID Connect" in the GitHub Docs.
- Allow all repositories in your organization to use this role and grant the role `ReadOnlyAccess` to the account resources:

```hcl
module "github_oidc_role" {
  source  = "amberhq/github-oidc-iam-role/aws"
  version = "x.x.x"

  iam_role_name              = "github-org-oidc"
  oidc_assume_role_condition = "repo:<github-org-name-here>/*:*"
  role_policy_arns           = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}
```
- Allow the role to be assumed only by a specific repository on a specific branch (example: `main`). The GitHub `sub` claim for a branch ref has the form `repo:<org>/<repo>:ref:refs/heads/<branch>`, so the condition must include the `ref:` prefix and `refs/heads`:

```hcl
module "github_oidc_role" {
  source  = "amberhq/github-oidc-iam-role/aws"
  version = "x.x.x"

  iam_role_name              = "github-repo-main-oidc"
  oidc_assume_role_condition = "repo:<github-org-name-here>/<repository>:ref:refs/heads/main"
}
```
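To see what the two `oidc_assume_role_condition` values above actually admit, the added Python below (example code, not part of this module) evaluates constructed GitHub `sub` claims against a condition using IAM `StringLike` wildcard semantics and sketches the trust policy such a role carries. The org/repo names and the OIDC provider ARN are placeholders, and the trust-policy shape is the standard AWS pattern assumed here, not copied from the module.

```python
import fnmatch
import json

# Constructed sample GitHub OIDC "sub" claims (org/repo names are placeholders).
SAMPLE_SUBS = [
    "repo:example-org/api:ref:refs/heads/main",
    "repo:example-org/api:ref:refs/heads/feature",
    "repo:example-org/api:pull_request",
    "repo:example-org/web:ref:refs/heads/main",
    "repo:other-org/api:ref:refs/heads/main",
]


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters (including '/'), '?' one character."""
    # fnmatch treats '[' as a character-class opener; IAM does not, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def trust_policy(oidc_provider_arn: str, sub_condition: str) -> dict:
    """Assumed trust policy for a GitHub OIDC role: federated principal, web-identity
    assume, audience pinned to STS, and the subject matched with StringLike."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                "StringLike": {"token.actions.githubusercontent.com:sub": sub_condition},
            },
        }],
    }


def allowed_subs(sub_condition: str, subs=SAMPLE_SUBS) -> list:
    """Return the sample claims that would satisfy the role's sub condition."""
    return [s for s in subs if iam_string_like(sub_condition, s)]


if __name__ == "__main__":
    for cond in ("repo:example-org/*:*", "repo:example-org/api:ref:refs/heads/main"):
        print(cond, "->", allowed_subs(cond))
    print(json.dumps(trust_policy("arn:aws:iam::<account-id>:oidc-provider/"
                                  "token.actions.githubusercontent.com",
                                  "repo:example-org/api:ref:refs/heads/main"), indent=2))
```

A condition that omits the `ref:` prefix (for example `repo:example-org/api:refs/head/main`) matches no real claim, so the role becomes unassumable rather than over-permissive.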
Providers:

| Name | Version |
|---|---|
| aws | >= 3.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| iam_role_name | IAM role name | string | n/a | yes |
| oidc_assume_role_condition | Assume role condition for OIDC role | string | n/a | yes |
| max_session_duration | Max session duration for the assumed role, in seconds | string | "3600" | no |
| role_policy_arns | List of ARNs of IAM policies to attach to the IAM role | list(string) | [] | no |
| thumbprint_list | GitHub OIDC issuer thumbprints | list(string) | [ | no |
Outputs:

| Name | Description |
|---|---|
| iam_role_arn | IAM role ARN |
| iam_role_name | IAM role name |