Each account has its own set of roles. The pipeline first authenticates into a minimal-permission auth role, then assumes the admin role in the target account; the auth role's only permission is `sts:AssumeRole` on that admin role.
## Pattern

```mermaid
flowchart LR
    A[CI/CD Runner] --> B[Auth Role<br/>minimal perms]
    B --> C[Admin Role<br/>target account]
    C --> D[Deploy]
```
## Why Role Chaining?

| Benefit | Description |
|---|---|
| Separation | Auth role handles identity, admin role handles permissions |
| Auditability | Single admin role per account to review |
| Flexibility | Multiple auth methods share the same admin role |
| Cross-account | Same pattern works for both accounts |
## Roles (per account)

| Role | Purpose | Permissions |
|---|---|---|
| `cicd-oidc-role` | OIDC auth (GitHub/GitLab) | `sts:AssumeRole` only |
| `cicd-runner-role` | EC2 instance profile | `sts:AssumeRole` only |
| `cicd-admin-role` | Infrastructure operations | Full deploy permissions |
## Auth Methods

| Method | Use Case | Secrets Stored |
|---|---|---|
| OIDC + Role Chain | GitHub Actions, GitLab Premium | None |
| IMDSv2 + Role Chain | Self-hosted EC2 runners | None |

In both cases the runner never holds a long-lived access key: the OIDC token or the IMDSv2 instance credentials only get the auth role, and the admin role is reached through a short-lived `sts:AssumeRole` session.
## Platform Config

### GitHub Actions

```yaml
# Role ARNs are not sensitive - hardcode in workflow or use variables
env:
  OIDC_ROLE_ARN_NONPROD: arn:aws:iam::111111111111:role/cicd-oidc-role
  OIDC_ROLE_ARN_PROD: arn:aws:iam::222222222222:role/cicd-oidc-role
  ADMIN_ROLE_ARN_NONPROD: arn:aws:iam::111111111111:role/cicd-admin-role
  ADMIN_ROLE_ARN_PROD: arn:aws:iam::222222222222:role/cicd-admin-role

# id-token: write is what lets the job request the OIDC token it presents to STS
permissions:
  id-token: write
  contents: read
```

Role ARNs can be public only because the `cicd-oidc-role` trust policy restricts the token's `sub` claim to specific repositories (and branches or environments) and its `aud` claim to `sts.amazonaws.com`. Without those conditions any GitHub workflow in any repository could assume the role, so review the trust policy whenever a new repository is onboarded.
### GitLab CI

```yaml
# Variables (per environment) - not secrets, role ARNs are public
variables:
  OIDC_ROLE_ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/cicd-oidc-role
  ADMIN_ROLE_ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/cicd-admin-role
```

`AWS_ACCOUNT_ID` is set per environment (111111111111 for non-prod, 222222222222 for prod), so the same two variable names resolve to the correct account's roles.
## Cross-Account Flow

Deploy to Non-Prod (dev, qat):

`Runner → Non-Prod OIDC Role → Non-Prod Admin Role → Deploy`

Deploy to Prod (stg, prod, dr):

`Runner → Prod OIDC Role → Prod Admin Role → Deploy`