Terraform Github AWS/Azure OIDC Authentication
What is OIDC authentication and why do I want it?
GitHub supports OpenID Connect (OIDC), which allows GitHub to act as an identity provider.
By setting up a trust relationship in Azure/AWS to GitHub, a GitHub Actions workflow can obtain temporary credentials
within your cloud provider and use them to run your deployments. This trust relationship gives you fine-grained control
over which repositories and branches are allowed to assume the role or obtain the access token.
GitHub Actions workflow
└─ requests OIDC token from GitHub
   └─ presents token to AWS STS / Azure AD
      └─ cloud validates token against GitHub's JWKS endpoint
         └─ returns short-lived credential (IAM role / access token)
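The AWS side of that trust relationship in Terraform, as an added example that is not part of the original page: the GitHub OIDC issuer is registered as an IAM identity provider, and the deploy role's trust policy pins both the token audience and the exact repository/branch in the `sub` claim. `EXAMPLE-ORG/EXAMPLE-REPO` and the role name are placeholders.

```hcl
# Added example, not from the original page: GitHub's OIDC issuer registered
# in AWS, and a deploy role that only one repository's main branch can assume.
# EXAMPLE-ORG/EXAMPLE-REPO is a placeholder; substitute your own repository.

# The tls_certificate data source fetches the issuer's current certificate
# thumbprint so it does not have to be pasted in by hand.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: the role may be assumed only with a GitHub-issued token whose
# audience is STS and whose subject is exactly this repository's main branch.
# Without the sub condition, a workflow in any GitHub repository could assume it.
data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:EXAMPLE-ORG/EXAMPLE-REPO:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-actions-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # credentials expire after one hour
}
```

Attach the permissions the deployment actually needs to `aws_iam_role.github_deploy` with a separate policy; the trust policy above only decides who may assume the role, not what it may do.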
Prerequisites
- Terraform Cloud configured (`terraform login`). It’s expected that the user has org-level permissions to be able to create a new project + workspaces in that project.
- AWS CLI configured (`aws login`)
- Azure CLI configured (`az login`)
Remote state (Terraform Enterprise / Terraform Cloud)
The workspace is auto-created on the first `terraform init` if it does not already exist.
