
# IAM role assumption across AWS accounts: the right way (with working Terraform)

Most teams still store long-lived AWS access keys in CI/CD secrets. Here's the right pattern.

## Why role assumption beats stored credentials

| Approach | Risk | Rotation | Auditability |
|---|---|---|---|
| Access key in CI secret | High (never expires) | Manual | Poor |
| OIDC + role assumption | Low (per-job token) | Automatic | Full CloudTrail |

## Architecture

GitHub Actions → OIDC JWT → IAM (TOOLING account) → sts:AssumeRole → ci-deploy-role (PROD account) → Deploy

## OIDC provider + trust policy

```hcl
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

resource "aws_iam_role" "github_actions" {
  name = "github-actions-oidc"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
      Action = "sts:AssumeRoleWithWebIdentity"
      Co
```
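The excerpt of the trust policy above ends before its condition block, and that block is where the security of the whole pattern lives: with `sts:AssumeRoleWithWebIdentity` allowed to the GitHub OIDC provider, the only thing stopping an arbitrary GitHub repository from assuming the role is a condition pinning the token's `token.actions.githubusercontent.com:aud` claim to `sts.amazonaws.com` and its `:sub` claim to your own repository (and ideally branch or environment). The following is an added example, not code from the original post: a small Python check you can run over the rendered trust-policy JSON (for instance from `terraform show -json` or `aws iam get-role`) before applying it. The two policy documents embedded in it are constructed for the example; the repository name `example-org/example-app` is a placeholder.

```python
"""Lint an IAM role trust policy for the common GitHub OIDC mistakes:
a wildcard Principal, an unpinned `aud` claim, or a missing/wildcard `sub` claim.
Added example; not part of the original post."""
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _cond_values(condition, key):
    """Collect every value bound to `key` across all condition operators
    (StringEquals, StringLike, ForAnyValue:StringLike, ...)."""
    values = []
    for _operator, pairs in (condition or {}).items():
        for k, v in pairs.items():
            if k.lower() == key.lower():
                values.extend(_as_list(v))
    return values


def check_trust_policy(doc):
    """Return a list of findings for each Allow statement that grants
    sts:AssumeRoleWithWebIdentity. An empty list means the policy passed."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "sts:assumerolewithwebidentity" not in actions and "sts:*" not in actions:
            continue

        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("Federated") == "*"):
            findings.append(f"statement {i}: wildcard Principal")

        cond = stmt.get("Condition", {})
        auds = _cond_values(cond, f"{GITHUB_ISSUER}:aud")
        subs = _cond_values(cond, f"{GITHUB_ISSUER}:sub")

        # aud must be exactly the STS audience the OIDC provider was registered with
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com (got {auds})")
        # without a sub condition, any repository on github.com can assume the role
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository can assume this role")
        for s in subs:
            if s == "*" or s.startswith("repo:*"):
                findings.append(f"statement {i}: sub '{s}' matches every repository")
    return findings


# Constructed sample: pins aud but forgets sub. Every GitHub repo can assume this role.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}
  }]
}""")

# Constructed sample: aud pinned and sub restricted to one repo's main branch.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike":   {"token.actions.githubusercontent.com:sub": "repo:example-org/example-app:ref:refs/heads/main"}
    }
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_trust_policy(policy) or "OK")
```

Run it against the JSON your Terraform actually renders rather than the HCL source; `jsonencode` and variable interpolation are where a `sub` pattern quietly turns into `repo:*` or an `aud` value picks up a typo. For the second hop in the architecture (the `sts:AssumeRole` from the TOOLING role into `ci-deploy-role` in PROD), the same idea applies: the PROD role's trust policy should name the single TOOLING role ARN as its Principal, not the account root.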


