Complete the code to define an OIDC provider in Terraform.
resource "aws_iam_openid_connect_provider" "example" {
  url             = "[1]"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da0afd6e4a9"]
}
The url must be the OIDC provider URL for your cluster or CI/CD system. This example uses an EKS OIDC URL.
Complete the code to attach a trust policy for OIDC to an IAM role.
resource "aws_iam_role" "ci_cd_role" {
  name = "ci-cd-role"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Effect" : "Allow",
      "Principal" : {
        "Federated" : "[1]"
      },
      "Action" : "sts:AssumeRoleWithWebIdentity",
      "Condition" : {
        "StringEquals" : {
          "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub" : "system:serviceaccount:default:ci-cd-sa"
        }
      }
    }]
  })
}
The Federated principal must be the ARN of the OIDC provider created earlier.
Fix the error in the trust policy condition key for the OIDC role.
"Condition": {
  "StringEquals": {
    "[1]": "system:serviceaccount:default:ci-cd-sa"
  }
}
The sub claim is used to match the Kubernetes service account in the condition.
Fill both blanks to create a policy document that allows assuming the role only for a specific service account.
"Condition": {
  "StringEquals": {
    "[1]": "[2]"
  }
}
The condition key must be the OIDC provider's subject claim, and the value must be the exact Kubernetes service account allowed.
Fill all three blanks to define an IAM role with OIDC trust and attach a policy allowing S3 access.
resource "aws_iam_role" "ci_cd_role" {
  name = "ci-cd-role"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Effect" : "Allow",
      "Principal" : {
        "Federated" : "[1]"
      },
      "Action" : "sts:AssumeRoleWithWebIdentity",
      "Condition" : {
        "StringEquals" : {
          "[2]" : "[3]"
        }
      }
    }]
  })
}

resource "aws_iam_policy_attachment" "ci_cd_attach" {
  name       = "ci-cd-s3-access"
  roles      = [aws_iam_role.ci_cd_role.name]
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
The Federated principal is the OIDC provider ARN, the condition key is the subject claim, and the value is the Kubernetes service account allowed to assume the role. The attached policy grants read-only S3 access.