Terraform module to configure GitLab Runner as an IAM OIDC identity provider in AWS


saidsef/terraform-aws-gitlab-oidc


This Terraform module configures GitLab Runners as an AWS IAM OIDC identity provider, which lets GitLab Runners access resources in one or more AWS accounts without storing long-lived credentials as GitLab secrets.

Prerequisites

  • AWS Account(s) and credentials
  • GitLab repository
  • Terraform >= 1.x
  • ...
  • Profit?

Deployment / Usage

```hcl
provider "aws" {
  region = var.region
}

module "gitlab_oidc" {
  source  = "saidsef/gitlab-oidc/aws"
  version = ">= 1"

  attach_read_only_policy = true
  gitlab_organisation     = "saidsef"
  gitlab_repositories = [
    {
      name     = "terraform-aws-gitlab-oidc",
      refs     = ["main", "pr-*", "*pull*", "*"]
      ref_type = "branch"
    },
    {
      name     = "terraform-aws-gitlab-oidc",
      refs     = ["*"]
      ref_type = "tag"
    }
  ]
  tags = var.tags
}
```

Provider Specifications and Requirements

Please see TERRAFORM.md

GitLab Runner

Retrieve temporary credentials via GitLab Runner

JWT

```yaml
.assume-role:
  before_script:
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn $ROLE_ARN
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $CI_JOB_JWT_V2
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
```

`CI_JOB_JWT` and `CI_JOB_JWT_V2` were deprecated in GitLab 15.9 and are scheduled to be removed in GitLab 17.0. Use ID tokens instead.

ID Tokens

```yaml
.assume-role:
  id_tokens:
    AWS_ID_TOKEN:
      aud: https://oidc.provider.com
  before_script:
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn $ROLE_ARN
      --region $AWS_REGION
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $AWS_ID_TOKEN
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
```
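The module block above maps each `gitlab_repositories` entry to conditions on the ID token's `sub` claim, and the `aud` the job requests must match what the trust policy expects. The following is an added example (not the module's own code) that models that decision so you can check, before deploying, which jobs a given `refs` list actually admits; the `sub` layout is GitLab's documented ID token format, while the exact mapping of module inputs to IAM `StringLike` patterns is an assumption.

```python
"""Model of the IAM trust-policy check for GitLab OIDC ID tokens.
Added example; assumes the module turns each (name, ref_type, ref) into a
StringLike pattern on the provider's `sub` claim and an exact `aud` match."""
import fnmatch

# Constructed inputs mirroring the README's module block.
ORGANISATION = "saidsef"
REPOSITORIES = [
    {"name": "terraform-aws-gitlab-oidc",
     "refs": ["main", "pr-*", "*pull*", "*"], "ref_type": "branch"},
    {"name": "terraform-aws-gitlab-oidc", "refs": ["*"], "ref_type": "tag"},
]
# Audience requested under id_tokens.AWS_ID_TOKEN.aud in the README.
AUDIENCE = "https://oidc.provider.com"


def sub_patterns(org, repos):
    """One StringLike pattern per ref. GitLab formats the claim as
    project_path:<group>/<project>:ref_type:<branch|tag>:ref:<ref>."""
    return [
        f"project_path:{org}/{r['name']}:ref_type:{r['ref_type']}:ref:{ref}"
        for r in repos
        for ref in r["refs"]
    ]


def is_allowed(claims, org=ORGANISATION, repos=REPOSITORIES, aud=AUDIENCE):
    """Return True if a token with these claims would pass the trust policy.
    IAM StringLike supports '*' and '?', which fnmatchcase also implements."""
    if claims.get("aud") != aud:
        return False
    sub = claims.get("sub", "")
    return any(fnmatch.fnmatchcase(sub, p) for p in sub_patterns(org, repos))


if __name__ == "__main__":
    # With "*" in the branch refs, any branch of the project is admitted;
    # restricting refs to ["main"] is what actually pins the role to main.
    tight = [{"name": "terraform-aws-gitlab-oidc",
              "refs": ["main"], "ref_type": "branch"}]
    feature = {"aud": AUDIENCE, "sub": "project_path:saidsef/"
               "terraform-aws-gitlab-oidc:ref_type:branch:ref:feature/x"}
    print("README refs admit feature branch:", is_allowed(feature))
    print("main-only refs admit feature branch:",
          is_allowed(feature, repos=tight))
```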

Source

Our latest and greatest source of terraform-aws-gitlab-oidc can be found on GitHub. Fork us!

Contributing

We would ❤️ you to contribute by making a pull request.

Please read the official Contribution Guide for more information on how you can contribute.
