0
Jump into concepts and practice - no test required
Recommended
provider "aws" { region = "us-east-1" } resource "aws_iam_role" "ci_role" { assume_role_policy = jsonencode({ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"}, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:ci-cd:terraform" } } }] }) }
| Step | Action | Input/Condition | Result | Notes |
|---|---|---|---|---|
| 1 | CI/CD pipeline starts | Trigger pipeline | Pipeline begins execution | Pipeline triggered by code push |
| 2 | Request OIDC token | Pipeline requests token | OIDC provider receives request | Token request includes service account info |
| 3 | Validate token request | Check service account and conditions | Token issued with claims | Claims include subject and audience |
| 4 | Terraform uses token | Token passed to AWS provider | Authentication succeeds | Terraform can assume IAM role |
| 5 | Access AWS resources | Use assumed role permissions | Resources created/modified | Terraform applies infrastructure changes |
| 6 | Pipeline completes | All steps successful | Pipeline ends successfully | Infrastructure deployed securely |
| Variable | Start | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|
| OIDC Token | None | Requested | Issued with claims | Used by Terraform | Expired after pipeline |
| IAM Role | Defined in Terraform | No change | No change | Assumed by Terraform | In use during pipeline |
| Pipeline State | Idle | Running | Running | Running | Completed |
OIDC authentication for CI/CD: - CI/CD pipeline requests OIDC token from provider - Provider validates and issues token with claims - Terraform uses token to assume IAM role securely - IAM role trust policy restricts access to specific service accounts - Enables secure, short-lived credentials for cloud access - Avoids storing long-term secrets in pipelines
condition = {
StringEquals = {
"token.actions.githubusercontent.com:sub" = "repo:myorg/myrepo:ref:refs/heads/main"
}
}{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/github.com" },
"Action": "sts:AssumeRoleWithWebIdentity"
}]
}
What is the most likely error?