Parameters: GitHubOrg: Type: String RepositoryName: Type: String OIDCProviderArn: Description: Arn for the GitHub OIDC Provider. Default: "" Type: String Conditions: CreateOIDCProvider: !Equals - !Ref OIDCProviderArn - "" Resources: Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Action: sts:AssumeRoleWithWebIdentity Principal: Federated: !If - CreateOIDCProvider - !Ref GithubOidc - !Ref OIDCProviderArn Condition: StringLike: token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:* GithubOidc: Type: AWS::IAM::OIDCProvider Condition: CreateOIDCProvider Properties: Url: https://token.actions.githubusercontent.com ClientIdList: - sts.amazonaws.com ThumbprintList: - 6938fd4d98bab03faadb97b34396831e3780aea1 Outputs: Role: Value: !GetAtt Role.Arn