Support for assuming IAM role with web identity token #2585
Comments
Yes please |
Yes! I am having to use a workaround right now. I use OIDC for my CICD provider and this would be huge! |
Would you mind sharing your workaround? |
This is a big thing for me. |
I'd like to share our workaround. We have this in our root

```hcl
# Generate an AWS provider block
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
variable "oidc_web_identity_token" {
  type        = string
  description = "OIDC Web Identity Token used by AWS Provider."
  default     = null
}

provider "aws" {
  region = "${local.region}"
  assume_role_with_web_identity {
    # $$ escapes Terragrunt's own interpolation so the var references reach Terraform
    role_arn           = "arn:aws:iam::$${var.account_id}:role/$${var.role_name}"
    web_identity_token = var.oidc_web_identity_token
  }
}
EOF
}
```

Before we trigger the pipeline we write the OIDC token we obtained to

```sh
echo "oidc_web_identity_token = \"${OIDC_TOKEN}\"" > terraform.auto.tfvars
```

This is not native Terragrunt like `iam_role` is but it gets the job done. We rolled this out last week and it works perfectly for our use-case. |
@botagar @syphernl I ended up actually finding this in the Terraform documentation: Dynamic Provider Credentials. This allowed me to set up Terraform Cloud as a custom Identity Provider in AWS; then when I ran my Terragrunt configuration with Terraform Cloud (using a Terraform Cloud API token) I didn't have to do any setup of the AWS credentials. The IAM role used for authentication was set up in the project variables. Similarly this should be possible with a CI/CD provider such as GitHub Actions or CircleCI. Check out the proof of concept I worked on: Terragrunt TFC integration |
Has anyone actually even managed to get Terragrunt to assume the OIDC role along with using I have not had any success and the same seems to be true in this issue (dating from back in 2021 no less). If you've managed to get it to work it would be great to know how you did it. So, even having Terragrunt work with OIDC via Is there any way we promote this issue in priority? I'm not a Go developer myself but if anyone has any insight in how to patch this maybe we can make an effort work on it. Thanks for all the effort on the project, it's very much appreciated. |
I couldn't get TG to use TF remote state using OIDC. Same stack without TG, I was able to use TF remote state via Assume Web Role AND deploy resources across accounts via Assume Web Role. As for what we're doing right now for the rest of our stuff already deeply in TG, we're breaking out the jobs into their respective target AWS accounts and calling This is a major pain though, and defeats one of the main reasons we introduced TG into our tech stack in the first place. I don't see much discussion happening here on this feature tbh, so maybe we're a tiny minority who want to use OIDC. I too am not a Go dev and I just haven't had the time to be able to sit down with the TG codebase to understand what's going on and how it does all its role assumptions. TG as a tool so far has been great. But no OIDC is a bit of a show stopper. |
Thanks for the reply @botagar. I can't say I disagree with any of what you say in general, it's definitely a bit of a weird oversight that OIDC doesn't work yet transparently and I can see how it might be nearly a deal breaker and very frustrating for anyone who has sunk a lot of time and effort into Terragrunt and then discovers OIDC is not a first-class citizen. Yesterday though after a bit of a slog I did manage to get Terragrunt running with OIDC using the same kind of method as described above with the
Here we use variables with default Then as described by the OP, in the pipeline what we will do is write So make sure you have a In your Github actions (for example) we need to do the rest of the dynamic injection and call Terragrunt. (This was adapted from a larger workflow file so forgive any typos or mistakes.)
Obviously this is quite a lot of heavy lifting to have to do, but it works and Terragrunt is provisioning via OIDC in the pipeline. I wouldn't try and provision an entirely new stack in this way. I suppose it might be possible to do so (although obviously it wouldn't work unless you provisioned the OIDC resources at least beforehand), but I build my stack out manually first module by module before activating any kind of automation over it. The workflow above is intended to be used only for updates during a CI/CD process on an existing set of resources. So, just ensure the OIDC role has the correct permissions to access the dynamodb tables and buckets with state that already exist and with something like the above you should be off to the races. |
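Both workarounds in this thread (the `echo` into `terraform.auto.tfvars` above and the GitHub Actions variant in the last comment) shell-interpolate the raw token straight into the tfvars file. The following is an added example, not code from the issue or from Terragrunt, that performs that same step with the two checks a pipeline author usually wants: the token's audience and expiry are inspected before anything is written, and the file is made owner-readable only. It assumes the variable name `oidc_web_identity_token` from the generated provider block and an IAM OIDC provider audience of `sts.amazonaws.com`; `make_fake_token` only builds an unsigned, constructed token so the script can be exercised offline.

```python
import base64
import json
import os
import re
import time

TFVARS_PATH = "terraform.auto.tfvars"  # the file the echo workaround writes
EXPECTED_AUD = "sts.amazonaws.com"     # assumed audience configured on the IAM OIDC provider
JWT_CHARS = re.compile(r"[A-Za-z0-9_.-]+")  # base64url segments joined by dots


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, expected_aud=EXPECTED_AUD, now=None):
    """Return the JWT claims if the token is usable for STS, else raise ValueError.
    Only shape, audience and expiry are checked; STS verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError(f"aud {auds!r} does not include {expected_aud!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired; request a fresh one right before running terragrunt")
    return claims


def write_tfvars(token, path=TFVARS_PATH):
    """Write the token as the oidc_web_identity_token variable with owner-only permissions."""
    # A JWT never contains quotes or backslashes, so a plain quoted HCL string is
    # safe; refuse anything else rather than emit a file Terraform cannot parse.
    if not JWT_CHARS.fullmatch(token):
        raise ValueError("token contains characters outside the JWT alphabet")
    line = f'oidc_web_identity_token = "{token}"\n'
    with open(path, "w") as fh:
        fh.write(line)
    os.chmod(path, 0o600)  # the token is a bearer credential; keep it from other users
    return line


def make_fake_token(claims):
    """Build an unsigned, CONSTRUCTED token (alg=none, empty signature) for offline demos."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In the pipeline, call `inspect_token` on the value of `OIDC_TOKEN` and then `write_tfvars` with it, in place of the `echo` line; a failed check stops the job before Terragrunt runs with a token STS would reject anyway.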
Thanks for sharing that @jhrr ! If first class OIDC support were at the very least acknowledged on the roadmap, we could probably stick with the interim solution we have now. Maybe it's time to learn a little GO too... 😅 |
FYI: I just sent out a PR that implements this |
Terragrunt currently only supports assume role for IAM roles. With the introduction of OIDC providers, we can assume an IAM role with a web identity token, which is officially supported by https://github.com/aws-actions/configure-aws-credentials
With iam_role in Terragrunt, can we also have support to assume an IAM role with a web identity token, with the token or the token file passed as an additional input?
If this can be supported, we can directly run Terragrunt on GitHub Actions without a need for using the configure-aws-credentials action. This helps in assuming and maintaining multiple roles in multiple modules.