AWS

To use Terrateam with AWS, authentication and authorization need to be configured against your AWS account. Setup only takes a minute.

OpenID Connect (OIDC)

What is OIDC

OpenID Connect (OIDC) lets your GitHub Actions workflows access resources in AWS without storing long-lived credentials as GitHub secrets.

A Terraform module and a CloudFormation template are available to easily create all of the AWS resources that Terrateam requires. Choose the setup method you’re most comfortable with.

  1. main.tf

    module "terraform_aws_terrateam_setup" {
      source               = "github.com/terrateamio/terraform-aws-terrateam-setup"
      github_org           = "GITHUB_ORG"
      aws_policy_arn       = "arn:aws:iam::aws:policy/PowerUserAccess"
      aws_iam_role_name    = "terrateam"
      create_oidc_provider = true
    }
  2. Apply Changes

    terraform apply

Configure Terrateam for OIDC

Create the .terrateam/config.yml configuration file at the root of your Terraform repository.

hooks:
  all:
    pre:
      - type: oidc
        provider: aws
        role_arn: "arn:aws:iam::AWS_ACCOUNT_ID:role/terrateam"

Manual Instructions

Follow the instructions below to manually configure AWS for Terrateam authentication and authorization.

  1. Create the OIDC provider in AWS

    aws iam create-open-id-connect-provider \
      --url https://token.actions.githubusercontent.com \
      --client-id-list sts.amazonaws.com \
      --thumbprint-list \
        6938fd4d98bab03faadb97b34396831e3780aea1 \
        1c58a3a8518e8759bf075b76b750d4f2df264fcd
  2. Create a local file on your workstation named trustpolicy.json

    This file defines the trust policy that allows the role to be assumed through GitHub's OIDC provider as a federated identity. Update the example below with your own values: replace AWS_ACCOUNT_ID and GITHUB_ORG (case-sensitive).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringLike": {
              "token.actions.githubusercontent.com:sub": "repo:GITHUB_ORG/*"
            },
            "StringEquals": {
              "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            }
          }
        }
      ]
    }
  3. Create a terrateam IAM role using the newly created trustpolicy.json

    aws iam create-role \
      --role-name terrateam \
      --assume-role-policy-document file://trustpolicy.json
  4. Attach the PowerUserAccess IAM policy or another policy of your choosing

    aws iam attach-role-policy \
      --policy-arn arn:aws:iam::aws:policy/PowerUserAccess \
      --role-name terrateam
  5. Configure Terrateam for OIDC, using the .terrateam/config.yml shown in the "Configure Terrateam for OIDC" section above.
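The trust policy above is only as safe as its Condition block: the aud must be pinned to sts.amazonaws.com and the sub must be limited to your organisation's repositories. As an added example (not Terrateam's own code), the Python below builds the docs' template with your values and checks a trust policy for exactly those constraints; make_trust_policy and check_trust_policy are names chosen here, and the account id 123456789012 and organisation example-org used in the test are constructed placeholders.

```python
import json
from typing import Dict, List, Optional

OIDC_PROVIDER = "token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"
ASSUME = "sts:AssumeRoleWithWebIdentity"


def make_trust_policy(account_id: str, sub_pattern: Optional[str],
                      aud: Optional[str] = EXPECTED_AUD) -> str:
    """Build the trust policy from the docs as a JSON string.
    Passing None for sub_pattern or aud drops that condition; that is how
    weak variants are constructed for checking."""
    condition: Dict[str, Dict[str, str]] = {}
    if sub_pattern is not None:
        condition["StringLike"] = {f"{OIDC_PROVIDER}:sub": sub_pattern}
    if aud is not None:
        condition["StringEquals"] = {f"{OIDC_PROVIDER}:aud": aud}
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": ASSUME,
        "Condition": condition,
    }]})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str, github_org: str) -> List[str]:
    """Return findings for each Allow statement granting AssumeRoleWithWebIdentity.
    An empty list means every such statement is scoped like the docs' template."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not actions & {ASSUME, "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not str(federated).endswith(f":oidc-provider/{OIDC_PROVIDER}"):
            findings.append(f"statement {i}: Federated principal is not the GitHub OIDC provider")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{OIDC_PROVIDER}:aud") != EXPECTED_AUD:
            findings.append(f"statement {i}: aud is not pinned to {EXPECTED_AUD} with StringEquals")
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{OIDC_PROVIDER}:sub", []))]
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository could assume the role")
        findings += [f"statement {i}: sub '{s}' is not scoped to repo:{github_org}/"
                     for s in subs if not str(s).startswith(f"repo:{github_org}/")]
    return findings
```

Run check_trust_policy over the JSON returned by `aws iam get-role` before rolling a role out; a non-empty result means the role can be assumed from more repositories than intended.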

You are now able to use Terrateam for plan and apply operations against AWS resources.