explaingit

moritzheiber/terraform-aws-oidc-github-actions-module

Analysis updated 2026-07-09 · repo last pushed 2026-07-01

9GoAudience · ops devopsComplexity · 3/5ActiveSetup · moderate

TLDR

A Terraform module that lets GitHub Actions securely access your AWS account without stored passwords by using temporary, dynamic authentication instead of long-lived secret keys.

Mindmap

mindmap
  root((repo))
    What it does
      Secure AWS access
      No stored passwords
      Dynamic authentication
    How it works
      Sets up OIDC provider
      Links repos to roles
      Auto-updates thumbprints
    Use cases
      Deploy pipelines
      Upload app builds
      Update server configs
    Tech stack
      Terraform
      AWS
      GitHub Actions
    Audience
      Engineering teams
      DevOps users
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Let your GitHub Actions deployment pipeline securely upload new application builds to AWS.

USE CASE 2

Allow automated workflows to update configurations on your AWS servers without static keys.

USE CASE 3

Grant specific GitHub repositories temporary, secure access to your AWS account.

What is it built with?

TerraformAWSGitHub ActionsGo

How does it compare?

moritzheiber/terraform-aws-oidc-github-actions-moduleaaklon/akinatorcandratama/tamagosh
Stars9911
LanguageGoGoGo
Last pushed2026-07-01
MaintenanceActive
Setup difficultymoderatemoderateeasy
Complexity3/53/52/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires an existing AWS account and Terraform installation to configure the dynamic authentication between GitHub Actions and AWS.

In plain English

If your team uses GitHub Actions to run automated tasks like tests or deployments, and you also use Amazon Web Services (AWS) to host your infrastructure, you usually need to give GitHub a way to securely access your AWS account. Traditionally, this meant creating and managing long-lived secret access keys that could be stolen or expire. This project eliminates that problem by letting GitHub Actions authenticate with AWS dynamically, using a secure, temporary handshake instead of stored passwords. The module works by setting up something called an OIDC (OpenID Connect) provider on your AWS account. You tell the module which specific GitHub repositories should be allowed access, and what AWS roles to create. It then links the two together. When a GitHub Actions workflow runs, it identifies itself to AWS using a cryptographically signed token. If the request comes from a repository you previously approved, AWS grants temporary access based on the permissions you assigned to that role. No permanent passwords ever change hands. This is ideal for engineering teams that manage their cloud infrastructure with Terraform and want to follow security best practices without adding extra manual overhead. For example, if your deployment pipeline runs on GitHub Actions and needs to upload new application builds to AWS, or update configurations on your servers, this module lets those jobs securely interact with AWS. You simply list your repository name, define a role, and your GitHub workflows are ready to securely assume that role. One notable detail is that the module automatically handles a specific security maintenance task. AWS requires you to store a digital "thumbprint" of GitHub's security certificate to verify the connection is legitimate. Since these certificates rotate periodically, this can cause pipelines to break unexpectedly. The module automatically fetches the latest thumbprint when you apply your Terraform configuration, though the README thoughtfully includes a detailed guide on how to manually verify a new certificate is legitimate if things stop working.

Copy-paste prompts

Prompt 1
Help me write the Terraform configuration to use the terraform-aws-oidc-github-actions module, specifying my GitHub repository name my-org/my-repo and an IAM role with read-only S3 access.
Prompt 2
I'm using this OIDC module to connect GitHub Actions to AWS. Write a GitHub Actions workflow YAML file that assumes the AWS role created by this module to deploy a static website to S3.
Prompt 3
Explain how to add a second GitHub repository to my existing terraform-aws-oidc-github-actions module setup so it can also deploy to my AWS account securely.
Prompt 4
My GitHub Actions to AWS pipeline stopped working after a certificate rotation. How do I use the manual thumbprint verification guide in this module to fix the connection?

Frequently asked questions

What is terraform-aws-oidc-github-actions-module?

A Terraform module that lets GitHub Actions securely access your AWS account without stored passwords by using temporary, dynamic authentication instead of long-lived secret keys.

What language is terraform-aws-oidc-github-actions-module written in?

Mainly Go. The stack also includes Terraform, AWS, GitHub Actions.

Is terraform-aws-oidc-github-actions-module actively maintained?

Active — commit in last 30 days (last push 2026-07-01).

How hard is terraform-aws-oidc-github-actions-module to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is terraform-aws-oidc-github-actions-module for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.