Terraform module to configure GitLab runner pipelines with AWS Identity Provider OIDC
pelotech/terraform-aws-oidc-gitlab
aws-oidc-gitlab

Terraform module to configure GitLab runner pipelines with AWS Identity Provider OIDC. This allows GitLab Runners to authenticate against AWS without using any long-lived keys. The module provisions the necessary IAM role and permissions as defined in the official GitLab docs.

Multiple repo configuration

This module allows you to create roles for lists of repos (subjects) and policies in the AWS account. Currently it only supports policies in the same account as the role being created. This is helpful for non-monorepo style groups as well as for large organizations where teams have separate repo ownership within the same AWS account.

Debugging features

The assume_role_names input allows you to assume the OIDC role and act as if you were the GitLab runner pipeline. This is very useful for debugging while you're getting things set up. Note: we recommend removing this once you are production ready, so that all further changes are only applied via the pipeline.

Example .gitlab-ci.yml

image:
  name: amazon/aws-cli:latest
  entrypoint:
    - '/usr/bin/env'

assume role:
  script:
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $CI_JOB_JWT_V2
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - aws sts get-caller-identity

Note: ROLE_ARN needs to be configured as a CI/CD variable in GitLab.

Requirements

| Name | Version |
|------|---------|
| aws  | ~> 4.0  |
| tls  | ~> 4.0.3 |

Providers

| Name | Version |
|------|---------|
| aws  | ~> 4.0  |
| tls  | ~> 4.0.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_oidc_gitlab | ./modules/aws-roles-oidc-gitlab | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_openid_connect_provider.gitlab | resource |
| tls_certificate.gitlab | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aud_value | GitLab aud claim value. | `string` | `"https://gitlab.com"` | no |
| gitlab_tls_url | GitLab URL to perform TLS verification against. | `string` | `"tls://gitlab.com:443"` | no |
| gitlab_url | GitLab URL. | `string` | `"https://gitlab.com"` | no |
| max_session_duration | Maximum session duration in seconds. By default an assumed-role session lasts 15 minutes; when calling from actions you'll need to increase it, up to the maximum allowed here. | `number` | `3600` | no |
| role_subject-repos_policies | Role name to repos and policies mapping. The role name is the key; the object value holds the repo subjects, e.g. `"project_path:mygroup/myproject:ref_type:branch:ref:main"`, a list of policy ARNs, e.g. `["arn:aws:iam::aws:policy/AdministratorAccess"]`, and a list of roles that can assume the new role for debugging. | `map(object({ role_path = optional(string), subject_repos = list(string), policy_arns = list(string), assume_role_names = optional(list(string)) }))` | n/a | yes |
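To make concrete what the subject strings in role_subject-repos_policies (and the multiple-repo setup above) actually gate, here is an added Python model of the two trust-policy conditions an OIDC role relies on: the token's aud must equal aud_value and its sub must match one of the listed subject patterns. This is illustrative code, not the module's Terraform (AWS evaluates the real policy); the subject list, the claims and the overly_broad review helper are constructed for the example.

```python
import fnmatch
from typing import Mapping, Sequence

# Constructed defaults mirroring the module's inputs: aud_value and one
# role's subject_repos list. These are illustrative values, not module code.
GITLAB_AUD = "https://gitlab.com"
ALLOWED_SUBJECTS = [
    "project_path:mygroup/myproject:ref_type:branch:ref:main",
    # IAM StringLike-style wildcard restricted to the tag name only
    "project_path:mygroup/release-tools:ref_type:tag:ref:v*",
]


def sub_matches(sub: str, pattern: str) -> bool:
    """IAM StringLike semantics: only '*' and '?' are wildcards, case-sensitive."""
    escaped = pattern.replace("[", "[[]")  # keep '[' literal for fnmatch
    return fnmatch.fnmatchcase(sub, escaped)


def trust_allows(claims: Mapping[str, object],
                 allowed_subjects: Sequence[str] = ALLOWED_SUBJECTS,
                 aud: str = GITLAB_AUD) -> bool:
    """Model of the role trust policy: both conditions must hold."""
    token_aud = claims.get("aud")
    auds = token_aud if isinstance(token_aud, list) else [token_aud]
    if aud not in auds:  # StringEquals on <provider>:aud
        return False
    sub = claims.get("sub")
    if not isinstance(sub, str):
        return False
    return any(sub_matches(sub, p) for p in allowed_subjects)  # <provider>:sub


def overly_broad(patterns: Sequence[str]) -> list:
    """Flag subject patterns that wildcard the project path or the whole ref,
    or that swallow several ':'-separated fields; review each finding."""
    findings = []
    for p in patterns:
        fields = p.split(":")  # project_path,<path>,ref_type,<type>,ref,<name>
        if len(fields) != 6:
            findings.append((p, "wildcard spans several subject fields"))
        elif any(w in fields[1] for w in "*?"):
            findings.append((p, "wildcard in project_path"))
        elif fields[5] == "*":
            findings.append((p, "matches every ref"))
    return findings
```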

Outputs

| Name | Description |
|------|-------------|
| gitlab_oidc_provider_arn | OIDC provider ARN to use for roles/policies |
| gitlab_oidc_provider_url | OIDC provider URL to use for roles/policies |
| iam_role_arns | Roles that will be assumed by GitLab runner pipelines |
