-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgithub-oidc-provider.j2
123 lines (120 loc) · 4.73 KB
/
github-oidc-provider.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
{# Allow Github to access AWS without giving github AWS credentials #}
{# Must pass in the following templating parameters #}
{# #}
{#parameters: #}
{# ProviderRoleName: gh-oidc-sceptre-aws #}
{# ProviderArn: !stack_output_external sagebase-github-oidc::ProviderArn #}
{# ManagedPolicyArns: #}
{# - "arn:aws:iam::aws:policy/AdministratorAccess" #}
{#sceptre_user_data: #}
{# GitHubOrg: "Sceptre" #}
{# Repositories: #}
{# - name: "sceptre-aws" #}
{# branches: [ "master" ] #}
{% if sceptre_user_data.Repositories is defined %}
{% set Repositories = sceptre_user_data.Repositories %}
{% endif %}
{% if sceptre_user_data.GitHubOrg is defined %}
{% set GitHubOrg = sceptre_user_data.GitHubOrg %}
{% endif %}
AWSTemplateFormatVersion: 2010-09-09
Description: Configure Github OIDC trust to AWS
Parameters:
ClientIdList:
Type: List<String>
Description: >-
A list of client IDs (also known as audiences) that are associated with
the specified IAM OIDC provider resource object
Default: "sts.amazonaws.com"
ProviderArn:
Type: String
Description: "The OIDC provider ARN"
ProviderRoleName:
Type: String
Description: "The OIDC provider role name"
MaxLength: 64
# Must provide either a list of ManagePolicyArns or a custom PolicyDocument.
# Can also provide both a list of ManagePolicyArns and a custom PolicyDocument.
ManagedPolicyArns:
Type: CommaDelimitedList
Default: ""
Description: >-
A list of managed policies for the role. Required if PolicyDocument not provided.
Example:
["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::1111111111:policy/MY-EXISTING-POLICY"]
PolicyDocument:
Type: String
Default: ""
Description: >-
A JSON policy document to define a custom policy for the role. Required if ManagedPolicyArns not provided.
Example:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"PublicRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":["arn:aws:s3:::EXAMPLE-BUCKET/*"]
}
]
}
MaxSessionDuration:
Type: Number
Description: "The IAM role's maximum session duration"
MaxValue: 43200
MinValue: 600
Default: 3600
Conditions:
HasManagedPolicyArns: !Not
- !Equals
- !Join ["", !Ref ManagedPolicyArns]
- ''
HasPolicyDocument: !Not [!Equals [!Ref PolicyDocument, ""]]
Resources:
ServicePolicy:
Condition: HasPolicyDocument
Type: 'AWS::IAM::ManagedPolicy'
Properties:
PolicyDocument: !Ref PolicyDocument
ProviderRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref ProviderRoleName
MaxSessionDuration: !Ref MaxSessionDuration
# Concatinate managed policy and custom policy
ManagedPolicyArns: !Split
- ","
- !Join
- ","
- - !If [HasPolicyDocument, !Ref ServicePolicy, !Ref 'AWS::NoValue']
- !If [HasManagedPolicyArns, !Join [",", !Ref "ManagedPolicyArns"], !Ref 'AWS::NoValue']
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRoleWithWebIdentity
Principal:
Federated: !Ref ProviderArn
Condition:
StringEquals:
token.actions.githubusercontent.com:aud: !Ref ClientIdList
StringLike:
token.actions.githubusercontent.com:sub: [
{% for Repository in Repositories %}
{% for branch in Repository.branches %}
{% if branch == '*' %}
"repo:{{ GitHubOrg }}/{{ Repository.name }}:{{ branch }}",
{% else %}
"repo:{{ GitHubOrg }}/{{ Repository.name }}:ref:refs/heads/{{ branch }}",
{% endif %}
{% endfor %}
"repo:{{ GitHubOrg }}/{{ Repository.name }}:ref:refs/tags/*",
"repo:{{ GitHubOrg }}/{{ Repository.name }}:environment:*",
{% endfor %}
]
Outputs:
ProviderRoleArn:
Value: !GetAtt ProviderRole.Arn
Export:
Name: !Sub '${AWS::StackName}-ProviderRoleArn'