Skip to content
/ terraform-aws-gitlab-oidc Public

Terraform module to configure GitLab Runner as an IAM OIDC identity provider in AWS

License

Apache-2.0 license
4 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

saidsef/terraform-aws-gitlab-oidc

BranchesTags

Repository files navigation

Terraform AWS GitLab OIDC Provider

CI GitHub issues License

This Terraform module enables you to configure GitLab Runners as an AWS IAM OIDC identity provider in AWS, which enables GitLab Runners to access resources within an AWS account(s) without requiring long-lived credentials to be stored as GitLab secrets.

Prerequisites

  • AWS Account(s) and credentials
  • GitLab repository
  • Terraform >= 1.x
  • ...
  • Profit?

Deployment / Usage

provider "aws" {
  region = var.region
}

module "gitlab_oidc" {
  source  = "saidsef/gitlab-oidc/aws"
  version = ">= 1"

  attach_read_only_policy = true
  gitlab_organisation     = "saidsef"
  gitlab_repositories     = [
  {
      name     = "terraform-aws-gitlab-oidc",
      refs     = ["main", "pr-*", "*pull*", "*"]
      ref_type = "branch"
    },
    {
      name     = "terraform-aws-gitlab-oidc",
      refs     = ["*"]
      ref_type = "tag"
    }
]
  tags                    = var.tags
}

Provider Specifications and Requirements

Please see TERRAFORM.md

GitLab Runner

Retrieve temporary credentials via GitLab Runner

JWT

terraform-aws-gitlab-oidc/.gitlab-ci.yml

Lines 16 to 28 in a9f7cf0

.assume-role:
before_script:
- >
STS=($(aws sts assume-role-with-web-identity
--role-arn $ROLE_ARN
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
--web-identity-token $CI_JOB_JWT_V2
--duration-seconds 3600
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
--output text))
- export AWS_ACCESS_KEY_ID="${STS[0]}"
- export AWS_SECRET_ACCESS_KEY="${STS[1]}"
- export AWS_SESSION_TOKEN="${STS[2]}"

CI_JOB_JWT and CI_JOB_JWT_V2 were deprecated in GitLab 15.9 and are scheduled to be removed in GitLab 17.0. Use ID tokens instead.

ID Tokens

terraform-aws-gitlab-oidc/.gitlab-ci.yml

Lines 16 to 32 in 3546911

.assume-role:
id_tokens:
AWS_ID_TOKEN:
aud: https://oidc.provider.com
before_script:
- >
STS=($(aws sts assume-role-with-web-identity
--role-arn $ROLE_ARN
--region $AWS_REGION
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
--web-identity-token $AWS_ID_TOKEN
--duration-seconds 3600
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
--output text))
- export AWS_ACCESS_KEY_ID="${STS[0]}"
- export AWS_SECRET_ACCESS_KEY="${STS[1]}"
- export AWS_SESSION_TOKEN="${STS[2]}"

Source

Our latest and greatest source of terraform-aws-gitlab-oidc can be found on GitHub. Fork us!

Contributing

We would ❤️ you to contribute by making a pull request.

Please read the official Contribution Guide for more information on how you can contribute.

About

Terraform module to configure GitLab Runner as an IAM OIDC identity provider in AWS

Topics

aws gitlab terraform gitlab-runner openid openid-connect oidc federated-identity aws-iam-policies aws-iam-role

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

4 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

16 tags

Sponsor this project

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages