
saidsef/terraform-aws-gitlab-oidc

Terraform AWS GitLab OIDC Provider


This Terraform module configures GitLab as an AWS IAM OIDC identity provider, which lets GitLab Runner jobs obtain short-lived credentials and access resources in one or more AWS accounts without long-lived credentials being stored as GitLab secrets.

Prerequisites

  • AWS Account(s) and credentials
  • GitLab repository
  • Terraform >= 1.x
  • ...
  • Profit?

Deployment / Usage

```hcl
provider "aws" {
  region = var.region
}

module "gitlab_oidc" {
  source  = "saidsef/gitlab-oidc/aws"
  version = ">= 1"

  attach_read_only_policy = true
  gitlab_organisation     = "saidsef"
  gitlab_repositories     = [{
    name     = "terraform-aws-gitlab-oidc",
    branches = ["main", "pr-*", "*pull*", "*"]
  }]
  tags                    = var.tags
}
```
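How the `branches` list in the module block above scopes trust, as an added example that is not part of the module's own code: it builds the `gitlab.com:sub` StringLike patterns a role trust policy is assumed to carry for each repository and branch (GitLab's `sub` claim is `project_path:<group>/<project>:ref_type:<type>:ref:<name>`), then evaluates a job's `sub` claim against them. With the inputs shown, the `"*"` entry matches every branch of the project, so the narrower entries beside it add nothing; drop it to restrict the role to the listed refs.

```python
import re

# Inputs constructed from the README's module block. Assumption: the module maps each
# repository/branch pair to one StringLike pattern on the gitlab.com:sub condition key.
GITLAB_ORGANISATION = "saidsef"
GITLAB_REPOSITORIES = [
    {"name": "terraform-aws-gitlab-oidc", "branches": ["main", "pr-*", "*pull*", "*"]},
]


def sub_patterns(organisation, repositories):
    """Return the gitlab.com:sub patterns the trust policy is assumed to carry.

    GitLab's OIDC sub claim has the form
    project_path:<group>/<project>:ref_type:<branch|tag>:ref:<ref name>.
    """
    patterns = []
    for repo in repositories:
        for branch in repo["branches"]:
            patterns.append(
                f"project_path:{organisation}/{repo['name']}:ref_type:branch:ref:{branch}"
            )
    return patterns


def iam_string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def trust_policy_allows(sub_claim, organisation=GITLAB_ORGANISATION,
                        repositories=GITLAB_REPOSITORIES):
    """Return the patterns that would let a job with this sub claim assume the role."""
    return [p for p in sub_patterns(organisation, repositories)
            if iam_string_like(p, sub_claim)]


if __name__ == "__main__":
    # Constructed sample sub claims: a main-branch job, a feature-branch job, another project.
    for sub in [
        "project_path:saidsef/terraform-aws-gitlab-oidc:ref_type:branch:ref:main",
        "project_path:saidsef/terraform-aws-gitlab-oidc:ref_type:branch:ref:feature/x",
        "project_path:saidsef/other-project:ref_type:branch:ref:main",
    ]:
        print(sub, "->", trust_policy_allows(sub) or "denied")
```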

Provider Specifications and Requirements

Please see TERRAFORM.md

GitLab Runner

Retrieve temporary credentials via GitLab Runner

```yaml
.assume-role:
  before_script:
    # The folded scalar (>) joins the following lines into a single shell command.
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn $ROLE_ARN
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $CI_JOB_JWT_V2
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
```

Source

Our latest and greatest source of terraform-aws-gitlab-oidc can be found on GitHub. Fork us!

Contributing

We would ❤️ you to contribute by making a pull request.

Please read the official Contribution Guide for more information on how you can contribute.