
[GitHub Actions] Preparing a Terraform configuration that authenticates to AWS with OpenID Connect

not75743

aws_iam_openid_connect_provider

Register GitHub Actions as an identity provider.

When using a resource

resource "aws_iam_openid_connect_provider" "githubactions" {
  url = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

The thumbprint was listed in the sample:
https://github.com/aws-actions/configure-aws-credentials/tree/v1.6.0#sample-iam-role-cloudformation-template

When using a data source

If GitHub Actions is already registered as an identity provider, reference it with a data source instead.

data "aws_iam_openid_connect_provider" "githubactions" {
  url = "https://token.actions.githubusercontent.com"
}

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider

not75743

IAM role

resource "aws_iam_role" "githubactions" {
  name = "githubactions"
  path = "/"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRoleWithWebIdentity"
      Principal = {
        Federated = data.aws_iam_openid_connect_provider.githubactions.arn
      }
      Condition = {
        StringLike = {
          "token.actions.githubusercontent.com:sub" = [
            "repo:<account>/<repo>:*"
          ]
        }
      }
    }]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
}
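As an added check that is not part of the original scrap: a Python script that builds a trust policy in the same shape as the jsonencode block above and audits it for the two conditions that bound who can assume the role, an aud pinned to sts.amazonaws.com and a sub pattern that does not wildcard the owner or repository. The account id, organization and repository names are constructed placeholders.

```python
import json

ISSUER = "token.actions.githubusercontent.com"


def github_trust_policy(provider_arn: str, subs: list[str], pin_aud: bool = True) -> dict:
    """Build the trust policy as a dict (constructed helper mirroring the jsonencode block)."""
    cond = {"StringLike": {f"{ISSUER}:sub": subs}}
    if pin_aud:
        cond["StringEquals"] = {f"{ISSUER}:aud": "sts.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": provider_arn}, "Condition": cond}]}


def audit_github_trust_policy(policy: dict) -> list[str]:
    """Return findings for a trust policy that federates GitHub Actions; [] means all checks passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + ISSUER):
            findings.append(f"Federated principal is not the GitHub OIDC provider: {federated!r}")
        cond = stmt.get("Condition", {})
        # Without a pinned aud, a token issued for some other audience is accepted as well.
        if cond.get("StringEquals", {}).get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("no StringEquals condition pinning aud to sts.amazonaws.com")
        subs = cond.get("StringLike", {}).get(f"{ISSUER}:sub",
                                              cond.get("StringEquals", {}).get(f"{ISSUER}:sub"))
        if subs is None:
            findings.append("no sub condition: a token from any repository could assume the role")
            continue
        for sub in ([subs] if isinstance(subs, str) else subs):
            kind, _, rest = sub.partition(":")
            owner, _, repo = rest.partition(":")[0].partition("/")
            if kind != "repo":
                findings.append(f"sub pattern does not start with 'repo:': {sub!r}")
            elif any(c in owner for c in "*?"):
                findings.append(f"sub pattern wildcards the owner, so any GitHub account matches: {sub!r}")
            elif any(c in repo for c in "*?"):
                findings.append(f"sub pattern wildcards the repository name under {owner!r}: {sub!r}")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:oidc-provider/" + ISSUER  # constructed account id
    strict = github_trust_policy(arn, ["repo:example-org/example-repo:ref:refs/heads/main"])
    print(json.dumps(strict, indent=2))
    print(audit_github_trust_policy(strict))  # []
    print(audit_github_trust_policy(github_trust_policy(arn, ["repo:*"], pin_aud=False)))
```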
This scrap was closed on 2023/06/30.