IAM

This guide is optional

IAM setup is only needed for environments that require OIDC authentication for CI/CD, or that run applications with a Maskinporten integration.

Step 1: Add and configure the iam package

repo-iac/environments/dev/
ok pkg add iam
cd iam

Update package-config.yml and enable the components you need:

iam/package-config.yml
StackName: "iam"
MaskinportenKeyRotation:
  Enable: false
GithubIdentityProvider:
  Enable: false

Only one per account

Each of GithubIdentityProvider and MaskinportenKeyRotation can be enabled in only one environment per AWS account. If one of them is already enabled in a different environment in the same account, do not enable it here.

Enabling it a second time will cause an error when applying the stack.

Step 2: Install and apply the package

iam/
ok pkg install
terraform init
terraform apply

Step 3: Verify

OIDC

To verify that the OIDC provider is set up correctly:

aws iam list-open-id-connect-providers | jq '.OpenIDConnectProviderList[].Arn'

The output should contain a provider whose ARN includes token.actions.githubusercontent.com.

Maskinporten

To verify that the Maskinporten role is set up:

aws iam list-roles | jq '.Roles[].RoleName' | grep dataplatform-maskinporten

The output should contain the role dataplatform-maskinporten.
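Added example, not part of this documentation: a Python check that parses the JSON produced by the two aws iam commands above and reports what is missing. The audience check on the provider's ClientIDList (read from `aws iam get-open-id-connect-provider`) goes beyond the page's verification step and is an assumption; all sample output is constructed.

```python
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
# Audience GitHub Actions presents to AWS; an assumed extra check, not one the page describes.
GITHUB_OIDC_AUDIENCE = "sts.amazonaws.com"
MASKINPORTEN_ROLE = "dataplatform-maskinporten"

# Constructed sample of `aws iam list-open-id-connect-providers` output.
PROVIDERS_JSON = json.dumps({"OpenIDConnectProviderList": [
    {"Arn": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"}]})
# Constructed sample of `aws iam get-open-id-connect-provider --open-id-connect-provider-arn <arn>`.
PROVIDER_DETAIL_JSON = json.dumps({"Url": "token.actions.githubusercontent.com",
                                   "ClientIDList": ["sts.amazonaws.com"], "ThumbprintList": []})
# Constructed sample of `aws iam list-roles` output, reduced to the field we read.
ROLES_JSON = json.dumps({"Roles": [{"RoleName": "OrganizationAccountAccessRole"},
                                   {"RoleName": "dataplatform-maskinporten"}]})


def github_provider_arns(list_output: str) -> list[str]:
    """ARNs of OIDC providers registered for GitHub Actions (same filter as the jq pipeline)."""
    providers = json.loads(list_output)["OpenIDConnectProviderList"]
    return [p["Arn"] for p in providers if p["Arn"].endswith("oidc-provider/" + GITHUB_OIDC_HOST)]


def check_oidc_provider(list_output: str, detail_output: str) -> list[str]:
    """Return problems found; an empty list means the GitHub OIDC provider looks correct."""
    arns = github_provider_arns(list_output)
    if len(arns) != 1:
        return [f"expected exactly one GitHub OIDC provider, found {len(arns)}"]
    detail = json.loads(detail_output)
    problems = []
    url = detail.get("Url", "").removeprefix("https://")
    if url != GITHUB_OIDC_HOST:
        problems.append(f"provider URL is {url!r}, expected {GITHUB_OIDC_HOST!r}")
    if GITHUB_OIDC_AUDIENCE not in detail.get("ClientIDList", []):
        problems.append(f"provider audience list lacks {GITHUB_OIDC_AUDIENCE!r}")
    return problems


def check_maskinporten_role(roles_output: str) -> list[str]:
    """Return problems found; empty when the Maskinporten role exists."""
    names = {r["RoleName"] for r in json.loads(roles_output)["Roles"]}
    return [] if MASKINPORTEN_ROLE in names else [f"role {MASKINPORTEN_ROLE!r} not found"]


if __name__ == "__main__":
    findings = check_oidc_provider(PROVIDERS_JSON, PROVIDER_DETAIL_JSON)
    findings += check_maskinporten_role(ROLES_JSON)
    print("OK" if not findings else "\n".join(findings))
```

To run it against a real account, replace the constructed constants with the output of the corresponding aws iam commands.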

OIDC

Log in to the AWS console, navigate to IAM, and select Identity Providers.

The list should contain the provider token.actions.githubusercontent.com.

Maskinporten

In IAM, select Roles and search for dataplatform-maskinporten.

The list should contain the role dataplatform-maskinporten.


Next step

Set up application common.