Config.Tips
[New Tip]: CloudFormation template to set up an OIDC provider for CircleCI jobs
What is the name of the config kind?
aws-cloudformation.yaml
Config Tip

```yaml
Description: |
  Creates an IAM OIDCProvider and an IAM role to grant CircleCI jobs access to AWS resources
Parameters:
  OrgId:
    Type: String
    Description: CircleCI organization id (UUID)
    MinLength: 36 # must be formatted with hyphens
    MaxLength: 36
  CertificateThumbprint:
    Type: String
    Description: Thumbprint of the certificate for oidc.circleci.com (SHA1)
    AllowedPattern: ^[0-9a-fA-F]*$ # hexadecimal
    MinLength: 40
    MaxLength: 40
Resources:
  IdentityProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      # ClientIdList is what STS checks the token's "aud" claim against;
      # CircleCI sets "aud" to the organization id.
      ClientIdList:
        - !Ref OrgId
      # Must match the token's "iss" claim exactly.
      Url: !Sub 'https://oidc.circleci.com/org/${OrgId}'
      ThumbprintList:
        - !Ref CertificateThumbprint
  JobRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CircleCIJobRole_${OrgId}'
      Description: Allow CircleCI jobs authenticated through OIDC to manage AWS resources
      # Note: this document allows ANY job in the given org to assume the AWS role,
      # because the "sub" condition wildcards the project id.
      # See https://circleci.com/docs/openid-connect-tokens/#advanced-usage on how to further
      # restrict access, e.g. based on project or branch.
      AssumeRolePolicyDocument: !Sub
        - |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Federated": "${IdPArn}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                  "StringLike": {
                    "oidc.circleci.com/org/${OrgId}:sub": "org/${OrgId}/project/*/user/*"
                  }
                }
              }
            ]
          }
        - IdPArn: !Ref IdentityProvider
          OrgId: !Ref OrgId
      ManagedPolicyArns:
        # FIXME: You probably want to restrict this policy!
        - arn:aws:iam::aws:policy/AdministratorAccess
```
Give us a short description of the config kind
CircleCI OIDC provider on AWS
Body Area
This CloudFormation template creates two resources:
- An OIDC provider that lets jobs in the specified CircleCI org authenticate with IAM. Its ClientIdList pins the token's aud claim to the org id, and its Url must equal the token's iss claim. The thumbprint parameter is the SHA1 fingerprint of the certificate served by oidc.circleci.com; since mid-2023 IAM validates the provider's certificate chain against its own trusted root CA store rather than relying on this value, so it is no longer a rotation burden, but it still has to be a well-formed 40-hex-digit thumbprint.
- An IAM role those jobs can assume with sts:AssumeRoleWithWebIdentity. The trust policy's StringLike condition on sub admits every project in the org; narrow it to specific project ids (see the CircleCI docs linked in the template) unless every job in the org should be able to assume this role.

Make sure to restrict the attached policy to the resources the job actually needs! The template ships with AdministratorAccess only as a placeholder.
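To make the trust-policy behaviour concrete, here is an added example (not part of the original tip, and not CircleCI's or AWS's code) that models the checks STS applies to a CircleCI token before handing out role credentials: iss must match the provider Url, aud must be in ClientIdList, and the Condition block must evaluate true. It evaluates the template's org-wide StringLike condition and, going one step beyond the template, a project-scoped condition of the kind the CircleCI docs suggest. The org, project and user ids are constructed placeholders, the tokens are built locally and unsigned (STS verifies signatures against the provider's published keys; that step is deliberately not reproduced), and the evaluator implements only the StringEquals and StringLike operators.

```python
import base64
import json
import re

# Constructed placeholder ids; substitute the real CircleCI org and project ids.
ORG_ID = "11111111-2222-4333-8444-555555555555"
PROJECT_A = "aaaaaaaa-0000-4000-8000-000000000001"
PROJECT_B = "bbbbbbbb-0000-4000-8000-000000000002"
USER_ID = "cccccccc-0000-4000-8000-000000000003"

ISSUER = f"https://oidc.circleci.com/org/{ORG_ID}"   # provider Url; must equal the token's iss
CLIENT_ID_LIST = [ORG_ID]                             # provider ClientIdList; token's aud must be in it
KEY_PREFIX = f"oidc.circleci.com/org/{ORG_ID}:"       # condition-key prefix for this provider

# Trust-policy Condition blocks. ORG_WIDE is the one in the template above;
# PROJECT_SCOPED pins the project segment of "sub" to a single project id.
ORG_WIDE = {"StringLike": {KEY_PREFIX + "sub": f"org/{ORG_ID}/project/*/user/*"}}
PROJECT_SCOPED = {"StringLike": {KEY_PREFIX + "sub": f"org/{ORG_ID}/project/{PROJECT_A}/user/*"}}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT checking the signature.
    Fine for inspecting what a job's token contains; STS verifies the signature
    against the provider's keys before any condition is evaluated."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": string_like,
}


def condition_matches(condition: dict, claims: dict) -> bool:
    """All operator/key pairs must hold (AND); a list of expected values is an OR."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, expected in keys.items():
            if not key.startswith(KEY_PREFIX):
                return False  # key belongs to a different provider; can never match this token
            claim = claims.get(key[len(KEY_PREFIX):])
            if claim is None:
                return False  # a missing claim never satisfies a String* condition
            expected_values = expected if isinstance(expected, list) else [expected]
            if not any(match(e, claim) for e in expected_values):
                return False
    return True


def can_assume_role(token: str, condition: dict) -> bool:
    """Mirror the provider + trust-policy checks of AssumeRoleWithWebIdentity (minus signature/expiry)."""
    claims = unverified_claims(token)
    if claims.get("iss") != ISSUER:              # token must come from this provider's Url
        return False
    if claims.get("aud") not in CLIENT_ID_LIST:  # aud is enforced by ClientIdList, not the trust policy
        return False
    return condition_matches(condition, claims)


def make_token(**claims) -> str:
    """Build an unsigned JWT-shaped token from the given claims (constructed test data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".signature-not-checked-here"


def circleci_token(org_id: str, project_id: str) -> str:
    """Shape of the claims a CircleCI job token carries, per the iss/aud/sub used in the template."""
    return make_token(
        iss=f"https://oidc.circleci.com/org/{org_id}",
        aud=org_id,
        sub=f"org/{org_id}/project/{project_id}/user/{USER_ID}",
    )


if __name__ == "__main__":
    for name, cond in (("org-wide", ORG_WIDE), ("project-scoped", PROJECT_SCOPED)):
        for project in (PROJECT_A, PROJECT_B):
            print(f"{name:15} project {project[:8]}: {can_assume_role(circleci_token(ORG_ID, project), cond)}")
```

Running it shows the difference that matters: under the template's org-wide condition a token from any project in the org is accepted, while the project-scoped condition only accepts tokens whose sub names the one allowed project. A token minted for another org fails on aud (and iss) before the Condition block is even consulted, which is why ClientIdList and Url must be exactly the org-specific values.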
Anything Else?
No response