This repository was archived by the owner on Jun 13, 2024. It is now read-only.
[New Tip]: CloudFormation template to set up an OIDC Provider for CircleCI jobs #70
Description
What is the name of the config kind?
aws-cloudformation.yaml
Config Tip

```yaml
Description: |
  Creates an IAM OIDCProvider and an IAM role to grant CircleCI jobs access to AWS resources
Parameters:
  OrgId:
    Type: String
    Description: CircleCI organization id (UUID)
    MinLength: 36 # must be formatted with hyphens
    MaxLength: 36
  CertificateThumbprint:
    Type: String
    Description: Thumbprint of the Certificate for oidc.circleci.com (SHA1)
    AllowedPattern: ^[0-9a-fA-F]*$ # hexadecimal
    MinLength: 40
    MaxLength: 40
Resources:
  IdentityProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      ClientIdList:
        - !Ref OrgId
      Url: !Sub 'https://oidc.circleci.com/org/${OrgId}'
      ThumbprintList:
        - !Ref CertificateThumbprint
  JobRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CircleCIJobRole_${OrgId}'
      Description: Allow CircleCI jobs authenticated through OIDC to manage AWS resources
      # Note this document allows ANY job in the given org to assume the AWS role.
      # See https://circleci.com/docs/openid-connect-tokens/#advanced-usage on how to further
      # restrict access, e.g. based on project or branch
      AssumeRolePolicyDocument: !Sub
        - |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Federated": "${IdPArn}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                  "StringLike": {
                    "oidc.circleci.com/org/${OrgId}:sub": "org/${OrgId}/project/*/user/*"
                  }
                }
              }
            ]
          }
        - IdPArn: !Ref IdentityProvider
          OrgId: !Ref OrgId
      ManagedPolicyArns:
        # FIXME: You probably want to restrict this policy!
        - arn:aws:iam::aws:policy/AdministratorAccess
```

Give us a short description of the config kind
CircleCI OIDC provider on AWS
Body Area
This CloudFormation template generates two resources.
- An OIDC Provider that allows jobs in the specified CircleCI org to authenticate with IAM
- An IAM role these jobs can assume
Make sure to restrict the policy to the resources the job needs to access!
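As an added example (not part of this tip, and not CircleCI's or AWS's code), the Python below emulates IAM's `StringLike` matching so you can see which CircleCI `sub` claims the template's trust policy accepts: the pattern as written admits any project in the org, while a per-project pattern (the kind of restriction the template's comment points to) admits only that project. The org, project and user ids are constructed placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample identifiers for illustration; not real CircleCI org/project ids.
ORG_ID = "11111111-2222-3333-4444-555555555555"
PROJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
OTHER_PROJECT_ID = "99999999-8888-7777-6666-555555555555"
OTHER_ORG_ID = "00000000-0000-0000-0000-000000000000"


def iam_string_like(pattern: str, value: str) -> bool:
    """Emulate IAM's StringLike operator: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal; case-sensitive and
    anchored to the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_conditions(org_id: str, project_id: Optional[str] = None) -> Dict[str, str]:
    """StringLike block of the template's trust policy with ${OrgId} substituted.
    Without project_id it is the open pattern from the template (any project, any
    user); with one it is the narrower per-project form."""
    project = project_id or "*"
    return {f"oidc.circleci.com/org/{org_id}:sub": f"org/{org_id}/project/{project}/user/*"}


def assume_role_allowed(conditions: Dict[str, str], claims: Dict[str, str]) -> bool:
    """Evaluate every StringLike condition against the token's claims. The key
    'oidc.circleci.com/org/<id>:sub' names the 'sub' claim. The 'aud' claim is
    checked by STS against the provider's ClientIdList (the org id); not emulated here."""
    for key, pattern in conditions.items():
        claim = key.rsplit(":", 1)[1]
        if claim not in claims or not iam_string_like(pattern, claims[claim]):
            return False
    return True


def circleci_sub(org_id: str, project_id: str, user_id: str) -> str:
    """Build a 'sub' claim in the org/<org>/project/<project>/user/<user> format."""
    return f"org/{org_id}/project/{project_id}/user/{user_id}"


def evaluate_examples() -> Dict[str, bool]:
    """Which constructed jobs may assume the role under the open vs per-project policy."""
    open_policy, project_policy = trust_conditions(ORG_ID), trust_conditions(ORG_ID, PROJECT_ID)
    our_job = {"sub": circleci_sub(ORG_ID, PROJECT_ID, "user-1")}
    other_project_job = {"sub": circleci_sub(ORG_ID, OTHER_PROJECT_ID, "user-2")}
    other_org_job = {"sub": circleci_sub(OTHER_ORG_ID, PROJECT_ID, "user-1")}
    return {
        "open/our_project": assume_role_allowed(open_policy, our_job),
        "open/other_project": assume_role_allowed(open_policy, other_project_job),  # any project passes
        "open/other_org": assume_role_allowed(open_policy, other_org_job),
        "project/our_project": assume_role_allowed(project_policy, our_job),
        "project/other_project": assume_role_allowed(project_policy, other_project_job),
    }
```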
Anything Else?
No response