OIDC can be used to authenticate to your cloud provider securely using temporary credentials.
To use OIDC, you first need to configure your cloud provider to trust the GitHub OIDC provider as a federated identity. Terrateam can then be configured to authenticate to your cloud provider using OIDC.
See the Cloud Provider Setup documentation to learn how to connect the GitHub OpenID Connect Identity Provider to your cloud provider.
Terrateam Configuration
Terrateam behavior is configured via a config.yml located in a directory named .terrateam at the root of your Terraform repository: .terrateam/config.yml.
OIDC can be configured under either the Hooks or the Workflows top-level key, depending on the complexity of your requirements; the oidc configuration block is identical under both.
Key | Type | Description
--- | --- | ---
oidc | List | Initiate an OIDC connection to a cloud provider.
provider | String | Name of provider: aws.
role_arn | String | Specifies the ARN of the IAM role that you want to use. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}.
assume_role_arn | String | Specifies the ARN of an IAM role that you want to assume into. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}. Default is the value of role_arn.
assume_role_enabled | Boolean | Retrieve a set of temporary security credentials from AWS and set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables. Default is true.
audience | String | Specifies the AWS audience name to use. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}. Default is sts.amazonaws.com.
region | String | Specifies the AWS region to use and sets the AWS_REGION environment variable. Default is us-east-1.
session_name | String | Specifies the AWS session name. Default is terrateam.
duration | Integer | Specifies the AWS session duration in seconds. Default is 3600.
Example configuration using all keys:
Single IAM role
Authenticates using a single IAM role for all Terrateam operations:
Separate IAM role per environment
It’s possible to use separate IAM roles per environment. In the example Terraform repository layout
below, environments are split out by directory:
To use a separate IAM role for the production and staging directories/environments, the .terrateam/config.yml
can be configured with the following:
Separate IAM roles per environment and operation
Building off of the previous example, one could use separate IAM roles for Plan and Apply operations.
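Separate roles per environment or operation only limit blast radius if each role's trust policy also restricts which workflow runs may assume it; that trust policy lives on the cloud side, outside config.yml. The following added example (not Terrateam's code, nor from its documentation) models the check AWS STS performs when a GitHub OIDC token is presented for a role: a StringEquals condition on the token's aud claim (which must equal the audience configured above, sts.amazonaws.com by default) and a StringLike condition on the sub claim. The role ARNs, trust conditions and token claim sets are constructed, the sub patterns assume the repo:org/repo:ref:... shape GitHub puts in that claim, and signature verification is assumed to have already happened.

```python
import re

# Claim keys as they are referenced in an AWS trust policy for GitHub's OIDC provider.
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"

# Constructed, hypothetical role ARNs and trust conditions (not from the Terrateam docs).
STAGING_ROLE = "arn:aws:iam::111122223333:role/terrateam-staging"
PRODUCTION_ROLE = "arn:aws:iam::111122223333:role/terrateam-production"
TRUST_POLICIES = {
    # Any job in this repository may take the staging role.
    STAGING_ROLE: {
        "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
        "StringLike": {SUB_KEY: "repo:example-org/infra:*"},
    },
    # Only jobs running on the main branch may take the production role.
    PRODUCTION_ROLE: {
        "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
        "StringLike": {SUB_KEY: "repo:example-org/infra:ref:refs/heads/main"},
    },
}


def aws_like_match(pattern, value):
    """AWS StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate_trust(claims, policy, now):
    """Check one token's (already signature-verified) claims against one role's trust
    conditions. Returns (allowed, reason)."""
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for key, expected in policy.get("StringEquals", {}).items():
        actual = claims.get(key.split(":", 1)[1])
        # `aud` may be a single string or a list of audiences.
        ok = expected in actual if isinstance(actual, list) else actual == expected
        if not ok:
            return False, f"{key} is {actual!r}, expected {expected!r}"
    for key, pattern in policy.get("StringLike", {}).items():
        actual = claims.get(key.split(":", 1)[1], "")
        if not aws_like_match(pattern, actual):
            return False, f"{key} {actual!r} does not match {pattern!r}"
    return True, "all trust conditions satisfied"


def assumable_roles(claims, now):
    """Roles whose trust policy admits this token, in the order they are defined."""
    return [arn for arn, policy in TRUST_POLICIES.items() if evaluate_trust(claims, policy, now)[0]]


# Constructed sample claim sets, shaped like the payload of a GitHub Actions OIDC token.
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _claims(sub, aud="sts.amazonaws.com", exp=NOW + 300):
    return {"iss": "https://token.actions.githubusercontent.com", "aud": aud, "sub": sub, "exp": exp}


MAIN_BRANCH_RUN = _claims("repo:example-org/infra:ref:refs/heads/main")
PULL_REQUEST_RUN = _claims("repo:example-org/infra:pull_request")
# What a mismatched `audience` setting looks like from the cloud side.
WRONG_AUDIENCE = _claims("repo:example-org/infra:ref:refs/heads/main", aud="https://github.com/example-org")
OTHER_REPO = _claims("repo:someone-else/infra:ref:refs/heads/main")
EXPIRED = _claims("repo:example-org/infra:ref:refs/heads/main", exp=NOW - 1)

if __name__ == "__main__":
    for name, claims in [("main branch", MAIN_BRANCH_RUN), ("pull request", PULL_REQUEST_RUN),
                         ("wrong audience", WRONG_AUDIENCE), ("other repo", OTHER_REPO),
                         ("expired", EXPIRED)]:
        print(f"{name:15} -> {assumable_roles(claims, NOW) or 'no role'}")
```

The two failure cases worth recognising in practice are the audience mismatch (changing the audience key in config.yml without updating the role's trust policy denies every run) and the sub pattern: a trust policy that only checks aud would let any GitHub repository assume the role.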
Assuming into another role
Sometimes it’s desired to assume into another role before performing an operation. This can be achieved with the assume_role_arn configuration.
Terrateam will retrieve a web identity token from AWS using the ARN defined in role_arn and then perform an aws sts assume-role with the ARN specified in assume_role_arn, which returns temporary credentials for that role. The AWS Terraform provider will use these newly created temporary credentials.
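The credential chain described above, as an added example that is not Terrateam's code: the first hop exchanges the web identity token for credentials on role_arn, the second hop calls AssumeRole on assume_role_arn signed with those credentials, and the result is exported as the AWS_* environment variables named in the table. FakeSts is a constructed offline stand-in whose method names and keyword arguments match the boto3 STS client (assume_role_with_web_identity, assume_role), so oidc_env could be pointed at a real client through client_factory. The defaults come from the table on this page; that the second hop is skipped when assume_role_arn equals role_arn, and that assume_role_enabled: false exports no credentials, are assumptions made for the example, as are all ARNs and the token string.

```python
# Defaults taken from the configuration table on this page.
DEFAULTS = {"assume_role_enabled": True, "region": "us-east-1",
            "session_name": "terrateam", "duration": 3600}


class FakeSts:
    """Constructed offline STS stand-in. It enforces two things a real STS enforces:
    the web identity call is unsigned, and a chained AssumeRole must be signed with
    the previous hop's credentials. MAX_SESSION stands in for the roles'
    MaxSessionDuration (3600 s is the AWS default for a new role)."""

    MAX_SESSION = 3600

    def __init__(self, session_creds, log):
        self.session_creds = session_creds  # None = unsigned client
        self.log = log

    def _issue(self, api, role_arn, session_name, duration):
        if not 900 <= duration <= self.MAX_SESSION:
            raise ValueError(f"{api}: DurationSeconds {duration} outside 900..{self.MAX_SESSION}")
        signer = self.session_creds["AccessKeyId"] if self.session_creds else None
        self.log.append((api, role_arn, signer))
        role_name = role_arn.rsplit("/", 1)[1]
        # Predictable credentials whose AccessKeyId records which role issued them.
        return {"Credentials": {
            "AccessKeyId": f"ASIA-{role_name}",
            "SecretAccessKey": f"secret-{role_name}",
            "SessionToken": f"token-{role_name}-{session_name}",
        }}

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName, WebIdentityToken, DurationSeconds):
        if self.session_creds is not None:
            raise ValueError("AssumeRoleWithWebIdentity is an unsigned call")
        if not WebIdentityToken:
            raise ValueError("no web identity token presented")
        return self._issue("AssumeRoleWithWebIdentity", RoleArn, RoleSessionName, DurationSeconds)

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        if self.session_creds is None:
            raise ValueError("AssumeRole must be signed with the first hop's credentials")
        return self._issue("AssumeRole", RoleArn, RoleSessionName, DurationSeconds)


def oidc_env(oidc_block, web_identity_token, client_factory):
    """Run the exchange for one `oidc` block and return the environment to export.
    client_factory(creds) returns an STS client signed with creds (None = unsigned)."""
    cfg = {**DEFAULTS, **oidc_block}
    if not cfg["assume_role_enabled"]:
        # Assumption for this example: no credentials are retrieved or exported.
        return {"AWS_REGION": cfg["region"]}
    hop1 = client_factory(None).assume_role_with_web_identity(
        RoleArn=cfg["role_arn"], RoleSessionName=cfg["session_name"],
        WebIdentityToken=web_identity_token, DurationSeconds=cfg["duration"])["Credentials"]
    creds = hop1
    target = cfg.get("assume_role_arn") or cfg["role_arn"]  # default: role_arn itself
    if target != cfg["role_arn"]:
        # The second hop is signed with hop1's credentials, so the target role's trust
        # policy has to trust role_arn rather than the GitHub OIDC provider.
        creds = client_factory(hop1).assume_role(
            RoleArn=target, RoleSessionName=cfg["session_name"],
            DurationSeconds=cfg["duration"])["Credentials"]
    return {
        "AWS_REGION": cfg["region"],
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def run_chain(oidc_block, web_identity_token="header.payload.signature"):
    """Run oidc_env against FakeSts and return (env, call log) for inspection.
    The token string is a constructed placeholder, not a real JWT."""
    log = []
    env = oidc_env(oidc_block, web_identity_token, lambda creds: FakeSts(creds, log))
    return env, log


def chain_error(oidc_block):
    """Return the STS error message for a block, or None if the chain succeeds."""
    try:
        run_chain(oidc_block)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed example block mirroring the keys in the table above.
CHAINED = {
    "provider": "aws",
    "role_arn": "arn:aws:iam::111122223333:role/terrateam-oidc",
    "assume_role_arn": "arn:aws:iam::444455556666:role/terraform-apply",
}

if __name__ == "__main__":
    env, log = run_chain(CHAINED)
    for call in log:
        print("STS call:", call)
    print(env)
```

The call log makes the trust relationship explicit: the second entry is signed by the first hop's access key, which is why a duration larger than a role's maximum session length fails at the first hop, and why the assume_role_arn role must list role_arn, not the GitHub provider, as its trusted principal.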
Configuration
Terrateam Configuration
As for AWS above, the GCP oidc block is placed in .terrateam/config.yml under either the Hooks or the Workflows top-level key, and the block is identical under both. Its keys are:
Key | Type | Description
--- | --- | ---
oidc | List | Initiate an OIDC connection to a cloud provider.
provider | String | Name of provider: gcp.
service_account | String | Email address or unique identifier of the Google Cloud service account for which to generate credentials. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}.
workload_identity_provider | String | The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}.
access_token_lifetime | Integer | Desired lifetime duration of the access token, in seconds. Default is 3600.
audience | String | Specifies the GCP audience name to use. Default is https://iam.googleapis.com/ + workload_identity_provider.
access_token_subject | String | Email address of a user to impersonate for Domain-Wide Delegation. Value can be specified using a GitHub Secret / environment variable with ${ENV_VAR}.
Example configuration using all keys:
Single IAM role
Authenticates using a single IAM role for all Terrateam operations:
Separate IAM role per environment
It’s possible to use separate IAM roles per environment. In the example Terraform repository layout
below, environments are split out by directory:
To use a separate IAM role for the production and staging directories/environments, the .terrateam/config.yml
can be configured with the following:
Separate IAM roles per environment and operation
Building off of the previous example, one could use separate IAM roles for Plan and Apply operations.