Project Level Roles for AWS
Multi-account setups are pretty common. In many cases you want to use a different account for different sets of projects. If you wish to achieve this outside of digger and only use profile names and set them directly in terraform you can use this as an example repository
You can also use digger.yml to specify which roles should be used for which repository. In this case you specify a main
role in the workflow file using aws-role-to-assume
(or using keys) and inside the repo if you wish to assume
a different role for a specific project you specify an aws_role_to_assume
under that project.
If you only specify one role (either state
or command
) it is assumed that both options are the same role.
Example digger.yml:
You can also use project-level assume role with generated projects:
Assume role with cognito identity
The github action JWT token includes alot of useful fields such as ref
, sha
, runner_environment
etc. however it is
challenging to write an AWS trust policy to match for these fields since only aud
and sub
fields are supported. Using cognito
identity it is possible to remap the fields into principal tags which allows them to be matched in the trust policy. More information
about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.
If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows:
Once this is specified you will be able to match values in additional configuration as highlighted in the url above.