
AWS

To use Terrateam with AWS, authentication and authorization need to be configured against your AWS account. Setup only takes a minute.

OpenID Connect (OIDC)

What is OIDC

OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in AWS, without having to store any credentials as long-lived GitHub secrets.

A Terraform module and a CloudFormation template are available to easily create all of the AWS resources that Terrateam requires. Choose the setup method you’re most comfortable with.

  1. main.tf

    module "terraform_aws_terrateam_setup" {
      source               = "github.com/terrateamio/terraform-aws-terrateam-setup"
      github_org           = "GITHUB_ORG"
      aws_policy_arn       = "arn:aws:iam::aws:policy/PowerUserAccess"
      aws_iam_role_name    = "terrateam"
      create_oidc_provider = true
    }
  2. Apply changes

    terraform apply

Configure Terrateam for OIDC

Create the .terrateam/config.yml configuration file at the root of your Terraform repository.

hooks:
  all:
    pre:
      - type: oidc
        provider: aws
        role_arn: "arn:aws:iam::AWS_ACCOUNT_ID:role/terrateam"

Manual instructions

Follow the instructions below to manually configure AWS for Terrateam authentication and authorization.

  1. Create the OIDC provider in AWS

    aws iam create-open-id-connect-provider \
      --url https://token.actions.githubusercontent.com \
      --client-id-list sts.amazonaws.com \
      --thumbprint-list \
        6938fd4d98bab03faadb97b34396831e3780aea1 \
        1c58a3a8518e8759bf075b76b750d4f2df264fcd
  2. Create a local file on your workstation named trustpolicy.json

    This file defines the trust policy that allows the role to be assumed through GitHub's OIDC provider as a federated identity. The sub condition limits which repositories may assume the role, and the aud condition requires that the token was issued for AWS STS. You must update the example file below with your own values: replace AWS_ACCOUNT_ID and GITHUB_ORG.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringLike": {
              "token.actions.githubusercontent.com:sub": "repo:GITHUB_ORG/*"
            },
            "StringEquals": {
              "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            }
          }
        }
      ]
    }
  3. Create a terrateam IAM role using the newly created trustpolicy.json

    aws iam create-role \
      --role-name terrateam \
      --assume-role-policy-document file://trustpolicy.json
  4. Attach the PowerUserAccess IAM policy or another policy of your choosing

    aws iam attach-role-policy \
      --policy-arn arn:aws:iam::aws:policy/PowerUserAccess \
      --role-name terrateam
  5. Configure Terrateam for OIDC by creating the .terrateam/config.yml file described above, using the ARN of the terrateam role you just created as role_arn.

You are now able to use Terrateam for plan and apply operations against AWS resources.
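The trust policy in step 2 is what keeps arbitrary GitHub repositories from assuming the role. The following Python script is an added example, not part of Terrateam's documentation: it checks a trust policy document for the two conditions the setup depends on, an aud condition pinned to sts.amazonaws.com and a sub condition scoped to your organization rather than a bare wildcard. The sample policies are constructed here, with AWS_ACCOUNT_ID and GITHUB_ORG kept as placeholders.

```python
import json
OIDC_HOST = "token.actions.githubusercontent.com"

def _policy(conditions: dict) -> str:
    """Build a trust policy shaped like the page's trustpolicy.json
    (constructed sample; AWS_ACCOUNT_ID is a placeholder)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": conditions,
        }],
    })

# The policy as documented on the page: sub scoped to the org, aud pinned to STS.
GOOD_POLICY = _policy({
    "StringLike": {f"{OIDC_HOST}:sub": "repo:GITHUB_ORG/*"},
    "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"},
})
# A constructed weak variant: wildcard sub and no aud condition at all.
WEAK_POLICY = _policy({"StringLike": {f"{OIDC_HOST}:sub": "*"}})

def check_trust_policy(policy_json: str, github_org: str) -> list[str]:
    """Return findings for every Allow statement granting AssumeRoleWithWebIdentity;
    an empty list means the statement is scoped the way the setup expects."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        aud, subs = None, []
        # Walk every condition operator so aud/sub are found wherever they sit.
        for op, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                values = value if isinstance(value, list) else [value]
                if key == f"{OIDC_HOST}:aud":
                    aud = (op, values)
                elif key == f"{OIDC_HOST}:sub":
                    subs.extend(values)
        if aud != ("StringEquals", ["sts.amazonaws.com"]):
            findings.append("aud must be StringEquals sts.amazonaws.com")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{github_org}/"):
                findings.append(f"sub pattern {sub!r} is not scoped to repo:{github_org}/")
    return findings
```

Run it against the JSON you are about to pass to aws iam create-role; the documented policy yields no findings, while the weak variant reports both the missing aud check and the unscoped sub pattern.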
