Debugging the OIDC role

By default, you are probably operating as a highly privileged user within your AWS account via our SSO infrastructure. The main disadvantage of this is that changes which apply cleanly for you do not reveal which permissions they actually require, and they then break our CI pipelines, which do not have the wildcard (*) permissions you have.

To assume the OIDC permissions instead, perform the following changes to your solution.

Warning: do NOT enable this in staging or production environments.

First, enable the additional trust relationship policy by setting gitlab_oidc_debugging_enabled = true on your gitlab_cluster module, usually in environment.tf. Run terraform apply as normal to activate the permissions.

Next, in your AWS provider configuration (usually in main.tf), add the following block to the AWS provider:

provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::ACCOUNT_ID:role/${var.prefix}-gitlab-oidc-role"
  }
}

Replace ACCOUNT_ID with the actual account ID. If you want to explicitly test terraform plan for the prepare step of our pipelines, you can assume ${var.prefix}-gitlab-oidc-read-role instead.

Afterwards, you can run Terraform 'as normal', and it will start by assuming the OIDC role before performing any actions. This means you still need to use aws-vault if your environment requires login via SSO, since Terraform uses your existing credentials to perform the role switch internally.
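As an added example (not part of this page or of the gitlab_cluster module), a small POSIX shell helper that pulls the denied IAM actions out of the output of a Terraform run made under the OIDC role, so the missing permissions can be added to the role's policy instead of being masked by your SSO user's wildcard access. The log lines, the account ID 123456789012 and the myprefix-gitlab-oidc-role identity are constructed for illustration.

```shell
# Added example: list the IAM actions Terraform was denied while assuming the
# OIDC role. Relies on the standard AWS AccessDenied message shape:
#   "... is not authorized to perform: <service>:<Action> on resource: <arn> ..."
# Constructed sample of what `terraform plan -no-color 2>&1` might print.
SAMPLE_LOG='Error: creating S3 Bucket (example-bucket): AccessDenied: User: arn:aws:sts::123456789012:assumed-role/myprefix-gitlab-oidc-role/terraform is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::example-bucket" because no identity-based policy allows the s3:CreateBucket action
Error: reading IAM Role (example-role): AccessDenied: User: arn:aws:sts::123456789012:assumed-role/myprefix-gitlab-oidc-role/terraform is not authorized to perform: iam:GetRole on resource: role example-role
Error: creating S3 Bucket (example-bucket-2): AccessDenied: User: arn:aws:sts::123456789012:assumed-role/myprefix-gitlab-oidc-role/terraform is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::example-bucket-2"'

# denied_actions TEXT
# Prints the distinct denied actions (service:Action), one per line, sorted.
# Only the action is extracted; the resource part of the message varies in
# format (quoted ARN vs. "role <name>"), so it is left for manual review.
denied_actions() {
  printf '%s\n' "$1" \
    | sed -n 's/.*is not authorized to perform: \([A-Za-z0-9_-]*:[A-Za-z0-9_*]*\).*/\1/p' \
    | sort -u
}

# denied_count TEXT
# Number of distinct denied actions (0 when the run had no AccessDenied errors).
denied_count() {
  denied_actions "$1" | wc -l | tr -d ' '
}

# Typical usage (not executed here): capture a run under your SSO credentials
# with the assume_role block in place, then feed the output to the helper.
#   out=$(aws-vault exec my-sso-profile -- terraform plan -no-color 2>&1) || true
#   denied_actions "$out"
```

The resulting list maps directly onto the Action entries that need to be granted to the OIDC role's policy; re-run plan after each change until the list is empty.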