[feature] AWS Poweruser role allows OIDC sts:AssumeRoleWithWebIdentity (

#192)
chanzuckerberg · May 20, 2020 · bd7a439 · bd7a439
1 parent 28c40d0
commit bd7a439
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
@@ -32,6 +32,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | iam\_path | n/a | `string` | `"/"` | no |
+| oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. | <pre>list(object(<br>    {<br>      idp_arn : string,          # the AWS IAM IDP arn<br>      client_ids : list(string), # a list of oidc client ids<br>      provider : string          # your provider url, such as foo.okta.com<br>    }<br>  ))</pre> | `[]` | no |
 | role\_name | n/a | `string` | `"poweruser"` | no |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
 | source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. DEPRECATED: Please use source\_account\_ids. | `string` | `""` | no |

diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "assume-role" {
         type        = "AWS"
         identifiers = ["arn:aws:iam::${statement.value}:root"]
       }
-      actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRole", "sts:TagSession"]
     }
   }
 
@@ -17,7 +17,7 @@ data "aws_iam_policy_document" "assume-role" {
         type        = "AWS"
         identifiers = ["arn:aws:iam::${statement.value}:root"]
       }
-      actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRole", "sts:TagSession"]
     }
   }
 
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "assume-role" {
         identifiers = [statement.value]
       }
 
-      actions = ["sts:AssumeRoleWithSAML"]
+      actions = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
 
       condition {
         test     = "StringEquals"
@@ -38,6 +38,26 @@ data "aws_iam_policy_document" "assume-role" {
       }
     }
   }
+
+  dynamic "statement" {
+    for_each = var.oidc
+    iterator = oidc
+
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = [oidc.value["idp_arn"]]
+      }
+
+      actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
+      condition {
+        test     = "StringEquals"
+        variable = "${oidc.value["provider"]}:aud"
+        values   = oidc.value["client_ids"]
+      }
+    }
+  }
+
 }
 
 resource "aws_iam_role" "poweruser" {

diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
@@ -25,3 +25,16 @@ variable "iam_path" {
   type    = string
   default = "/"
 }
+
+variable oidc {
+  type = list(object(
+    {
+      idp_arn : string,          # the AWS IAM IDP arn
+      client_ids : list(string), # a list of oidc client ids
+      provider : string          # your provider url, such as foo.okta.com
+    }
+  ))
+
+  default     = []
+  description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
+}