Terraform module that creates an OpenID Connect provider on IAM that allows Gitlab CI pipelines to authenticate in your AWS account.
Initialize the module and get the Role ARN from the outputs.
```hcl
provider "aws" {
  region = var.region
}

module "gitlab_oidc" {
  source  = "bryan-rhm/gitlab-oidc/aws"
  version = "choose the version you need"

  gitlab_organization = "YOUR ORGANIZATION OR GITLAB ACCOUNT"
  gitlab_repositories = ["*"] # Repositories you want to allow access to AWS, default all repositories inside the organization.
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] # Policies you want to attach to the pipeline role.
}

# Role ARN can be accessed with: module.gitlab_oidc.role_arn
```
Once you have applied the module, pipelines in your GitLab organization will be able to authenticate to AWS by assuming the role it created.
After you configure the OIDC and role, the GitLab CI/CD job can retrieve a temporary credential from AWS Security Token Service (STS).
```yaml
assume-role-example:
  image:
    name: amazon/aws-cli:latest
    entrypoint: [""]
  script:
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $CI_JOB_JWT_V2
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - aws sts get-caller-identity
```
- `CI_JOB_JWT_V2`: predefined GitLab CI/CD variable holding the job's OIDC token.
- `ROLE_ARN`: the ARN of the role created by the module (output `role_arn`).
See the GitLab documentation pages "Connect to cloud services" and "Configure OpenID Connect in AWS to retrieve temporary credentials" for the details of this flow.
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.4 |
| aws | >= 3.43.0 |
| tls | >= 3.4.0 |
## Providers

| Name | Version |
|---|---|
| aws | 4.20.1 |
| tls | 3.4.0 |

## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.oidc | resource |
| aws_iam_role.role | resource |
| aws_iam_policy_document.asume_role_policy | data source |
| tls_certificate.certificate | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| gitlab_organization | The Gitlab organization/account to allow access to AWS | string | n/a | yes |
| gitlab_repositories | The Gitlab repositories inside the organization/account you want to allow access to AWS, default all repositories inside the organization | list(string) | `["*"]` | no |
| gitlab_tls_url | The TLS URL of the Gitlab provider | string | `"tls://gitlab.com:443"` | no |
| gitlab_url | The URL of the Gitlab provider | string | `"https://gitlab.com"` | no |
| managed_policy_arns | The ARNs of the managed policies to attach to the role | list(string) | `[]` | no |
| role_name | Name of the IAM role | string | `"GitlabCIRole"` | no |
| tags | Tags to apply to all resources | map(string) | `{}` | no |
## Outputs

| Name | Description |
|---|---|
| assume_role_policy | Assume role policy; this value can be used to create another role outside this module |
| oidc | Gitlab OpenID Connect provider |
| role_arn | ARN of the IAM role allowed to authenticate to AWS from Gitlab CI |