Multi-account setups are pretty common. In many cases you want to use a different account for different sets of projects. If you wish to achieve this outside of digger and only use profile names and set them directly in terraform you can use this as an example repository

You can also use digger.yml to specify which roles should be used for which repository. In this case you specify a main role in the workflow file using aws-role-to-assume (or using keys) and inside the repo if you wish to assume a different role for a specific project you specify an aws_role_to_assume under that project. If you only specify one role (either state or command) it is assumed that both options are the same role.

Example digger.yml:

projects:
   - name: dev
      dir: ./dev
      aws_role_to_assume:
         state: "arn:/blabla/accid/backenddev"
         command: "arn:/blabla/accid/devaccount"
         aws_role_region: us-east-1
   - name: prod
      dir: ./prod
      aws_role_to_assume:
         state: "arn:/blabla/accid/backendprod"
         command: "arn:/blabla/accid/prodaccount"
         aws_role_region: us-east-1

You can also use project-level assume role with generated projects:

generate_projects:
  blocks:
    - include: "environments/core/**"
      aws_role_to_assume:
        aws_role_region: "us-east-2" 
        state: "arn:/blabla/accid/backenddev"
        command: "arn:/blabla/accid/devaccount"

Assume role with cognito identity

The github action JWT token includes alot of useful fields such as ref, sha, runner_environment etc. however it is challenging to write an AWS trust policy to match for these fields since only aud and sub fields are supported. Using cognito identity it is possible to remap the fields into principal tags which allows them to be matched in the trust policy. More information about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.

If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows:

  - name: "my-secure-digger-project"
    dir: "prod"
    workflow: default
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      aws_role_region: "us-west-2"
      command: "arn:aws:iam::00000000000:role/github-action-deployment-role"
    aws_cognito_oidc:
      cognito_identity_pool_id: "us-east-1:00000000-0000-0000-0000-000000000000"
      aws_region: "us-east-1"
      aws_account_id: "000000000000"

Once this is specified you will be able to match values in additional configuration as highlighted in the url above.

Policy overridesSegregate cloud accounts