This repository has been archived by the owner on Jun 13, 2024. It is now read-only.

[New Tip]: Cloudformation template to setup an OIDC Provider for CircleCI jobs #70

Open
polymeris opened this issue Dec 4, 2023 · 0 comments

Comments


What is the name of the config kind?

aws-cloudformation.yaml

Config Tip

Description: |
  Creates an IAM OIDCProvider and an IAM role to grant CircleCI jobs access to AWS resources
Parameters:
  OrgId:
    Type: String
    Description: CircleCI organization id (UUID)
    MinLength: 36 # must be formatted with hyphens
    MaxLength: 36
  CertificateThumbprint:
    Type: String
    Description: Thumbprint of the Certificate for oidc.circleci.com (SHA1)
    AllowedPattern: ^[0-9a-fA-F]*$ # hexadecimal
    MinLength: 40
    MaxLength: 40
Resources:
  IdentityProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      # STS rejects tokens whose "aud" claim is not in this list; CircleCI sets "aud" to the org id.
      ClientIdList:
        - !Ref OrgId
      # Must match the "iss" claim of the CircleCI token exactly (one provider per org).
      Url: !Sub 'https://oidc.circleci.com/org/${OrgId}'
      ThumbprintList:
        - !Ref CertificateThumbprint
  JobRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CircleCIJobRole_${OrgId}'
      Description: Allow CircleCI jobs authenticated through OIDC to manage AWS resources
      # Note this document allows ANY job in the given org to assume the AWS role.
      # See https://circleci.com/docs/openid-connect-tokens/#advanced-usage on how to further
      # restrict access, e.g. based on project or branch
      # The condition key is the provider Url without "https://" followed by ":sub";
      # CircleCI's "sub" claim has the form org/<ORG_ID>/project/<PROJECT_ID>/user/<USER_ID>.
      AssumeRolePolicyDocument: !Sub
        - |
          {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "${IdPArn}"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringLike": {
                      "oidc.circleci.com/org/${OrgId}:sub": "org/${OrgId}/project/*/user/*"
                    }
                  }
                }
              ]
          }
        # !Ref on an AWS::IAM::OIDCProvider returns its ARN.
        - IdPArn: !Ref IdentityProvider
          OrgId: !Ref OrgId
      ManagedPolicyArns:
        # FIXME: You probably want to restrict this policy!
        - arn:aws:iam::aws:policy/AdministratorAccess

Give us a short description of the config kind

CircleCI OIDC provider on AWS

Body Area

This Cloudformation template generates two resources.

  1. An OIDC Provider that allows jobs in the specified CircleCI org to authenticate with IAM
  2. An IAM role these jobs can assume

Make sure to restrict the policy to the resources the job needs to access!

Anything Else?

No response
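The trust policy above admits a token when STS finds its `aud` in the provider's ClientIdList, its `iss` matches the provider Url, and its `sub` satisfies the StringLike condition. The following Python script is an added example, not part of this issue or of the template, that reproduces those three checks offline so you can see what the org-wide `project/*/user/*` pattern admits compared with a project-scoped pattern before you deploy it. IAM StringLike is case-sensitive, `*` matches any run of characters and `?` exactly one; the matcher below implements that. Signature verification is deliberately left out (STS does it), and the org, project and user IDs as well as the unsigned token are constructed sample values, not real CircleCI identifiers. In a real job the token would come from the `CIRCLE_OIDC_TOKEN` environment variable instead of `make_unsigned_token`.

```python
import base64
import json
import re

# Constructed sample identifiers (assumption: not real CircleCI org/project/user ids).
ORG_ID = "11111111-2222-3333-4444-555555555555"
PROJECT_A = "aaaaaaaa-0000-0000-0000-000000000001"
PROJECT_B = "bbbbbbbb-0000-0000-0000-000000000002"
USER_ID = "cccccccc-0000-0000-0000-000000000003"


def issuer(org_id):
    # Same value as the Url the template sets on AWS::IAM::OIDCProvider.
    return f"https://oidc.circleci.com/org/{org_id}"


def org_wide_pattern(org_id):
    # The pattern used in the template: any project and any user in the org.
    return f"org/{org_id}/project/*/user/*"


def project_scoped_pattern(org_id, project_id):
    # Tighter pattern: only jobs of one project may assume the role.
    return f"org/{org_id}/project/{project_id}/user/*"


def iam_string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Constructed sample only: header.payload.signature with a dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def decode_payload(token):
    """Return the claims of a JWT without verifying it (STS verifies the real token)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def circleci_claims(org_id, project_id, user_id):
    # Constructed claims in the shape CircleCI documents for its OIDC token.
    return {
        "iss": issuer(org_id),
        "aud": org_id,
        "sub": f"org/{org_id}/project/{project_id}/user/{user_id}",
    }


def trust_policy_admits(claims, org_id, sub_patterns):
    """Mirror the checks STS applies for the template's trust policy.

    Returns (admitted, reason): iss must equal the provider Url, aud must be in
    the provider's ClientIdList (here just the org id), and sub must match at
    least one StringLike pattern from the Condition block.
    """
    if claims.get("iss") != issuer(org_id):
        return False, "issuer is not the registered provider"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if org_id not in audiences:
        return False, "aud does not match ClientIdList"
    sub = claims.get("sub", "")
    if not any(iam_string_like(p, sub) for p in sub_patterns):
        return False, f"sub {sub!r} matches no allowed pattern"
    return True, "admitted"


if __name__ == "__main__":
    # A job from project B presents its token; see which policy variant lets it in.
    token = make_unsigned_token(circleci_claims(ORG_ID, PROJECT_B, USER_ID))
    claims = decode_payload(token)
    for label, pattern in (
        ("org-wide (template)", org_wide_pattern(ORG_ID)),
        ("project A only", project_scoped_pattern(ORG_ID, PROJECT_A)),
    ):
        print(label, trust_policy_admits(claims, ORG_ID, [pattern]))
```

Running it shows the org-wide pattern admitting the project B token while the project-scoped pattern rejects it, which is the tightening the template's comment points at. Branch-level restriction is not expressible through `sub` alone, so the same check cannot be added here without CircleCI's documented additional claims.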
