aws-role-to-assume (or using keys), and inside the repo, if you wish to assume a different role for a specific project, you specify an aws_role_to_assume under that project. If you only specify one role (either state or command), it is assumed that both options are the same role.
Example digger.yml:
ref, sha, runner_environment, etc. However, it is challenging to write an AWS trust policy that matches on these fields, since only the aud and sub claims are supported as condition keys. Using Cognito Identity it is possible to remap the fields into principal tags, which allows them to be matched in the trust policy. More information about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.
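The aud/sub limitation described above, as an added example that is not Digger's own code: a small Python simulation of how STS evaluates a GitHub OIDC token against a role trust policy. It shows that a role can be pinned to one repository and branch only through the sub claim, that a wildcard sub pattern widens the trust to every repository it matches, and that a condition on a claim such as runner_environment is never satisfied. The account id, repository names and token values are constructed; the condition-key prefix is the real GitHub OIDC provider hostname.

```python
import fnmatch

ISSUER = "token.actions.githubusercontent.com"
# Only these two GitHub token claims are exposed as IAM condition keys.
MATCHABLE_CLAIMS = {"aud", "sub"}


def github_sub(repo, ref):
    """Build the sub claim GitHub issues for a workflow run on a branch or tag ref."""
    return f"repo:{repo}:ref:{ref}"


def trust_policy(account_id, sub_pattern):
    """Constructed trust policy pinning the role to one repo/branch via sub."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{ISSUER}:sub": sub_pattern},
            },
        }],
    }


def _claim_value(claims, condition_key):
    claim = condition_key.split(":", 1)[1]  # "token...:sub" -> "sub"
    # A claim that is not a supported condition key behaves as if absent.
    return claims.get(claim) if claim in MATCHABLE_CLAIMS else None


def _matches(operator, expected, actual):
    if actual is None:  # absent or unsupported claim never satisfies a condition
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":  # IAM wildcards: * and ?
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {operator}")


def assume_allowed(policy, claims):
    """True if any Allow statement's conditions are all met by the token claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if all(_matches(op, expected, _claim_value(claims, key))
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items()):
            return True
    return False
```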
If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows: