Skip to main content

Overview

With human access configured, you now need to configure the external service integrations that enable CI/CD automation. This page covers:
  • AWS: Account IDs and role ARNs for Terraform
  • GitHub (octo-sts): Tokens for managing GitHub organization resources
  • Terramate Cloud (optional): Plan visualization and drift detection

Verify Terraform Configuration

Your terraform/config.tm.hcl should already have the correct values from the Bootstrap Accounts step. Verify they look like this:

Configure GitHub Repository Variables

GitHub Actions needs the OIDC role ARN to authenticate. Add these variables to your repository (Settings > Secrets and variables > Actions > Variables):
These are repository variables, not secrets, since the values are not sensitive. GitHub Actions only needs the Infrastructure account role. Cross-account access is handled by each Terraform stack’s provider configuration.

Update GitHub Workflows

The workflows read credentials from GitHub repository variables. Verify the workflow files reference the variables correctly:

Configure octo-sts for GitHub Tokens

The Terramate workflows use octo-sts to obtain GitHub tokens for managing GitHub organization resources (teams, members, repository settings). This is more secure than storing long-lived GitHub tokens as secrets.
1

Install the octo-sts GitHub App

  1. Navigate to the octo-sts GitHub App
  2. Click Install and select your organization
  3. Grant access to your forked repository (or all repositories)
2

Update trust policy files

Update each policy file in .github/chainguard/ to reference your organization:.github/chainguard/terramate.sts.yaml:
.github/chainguard/release-please.sts.yaml:
Replace <YOUR_ORG> with your GitHub organization name and <your-repo> with your repository name.

Configure Terramate Cloud (Optional)

If you want to use Terramate Cloud for plan visualization and drift detection:
  1. Create an account at cloud.terramate.io (EU) OR us.cloud.terramate.io (US)
  2. Install the GitHub App from your Terramate Cloud dashboard under Integrations to enable PR comments and status checks
  3. Update the cloud_organization in .github/workflows/terramate-preview.yml and other Terramate workflows:
Terramate Cloud is optional but recommended. It provides a unified view of Terraform plans across all stacks and makes PR reviews much easier.

Search for Remaining References

Search for any remaining references to the original organization or AWS accounts:

Verify Your Setup

Review the generated files to ensure your configuration changes propagated correctly.

Commit Your Changes

Verify CI/CD

Push a commit or open a pull request to verify that GitHub Actions can authenticate to AWS:
  1. Check the workflow run in the Actions tab
  2. The Configure AWS Credentials step should succeed
  3. Terraform plan output should appear (if using Terramate Cloud, check the PR comments)

Troubleshooting

”Access Denied” when assuming cross-account role

The two-step authentication means there are two places trust can fail:
  1. GitHub → Infrastructure account: Check the OIDC role trust policy
  2. Infrastructure account → Target account: Check the target role trust policy
The target account’s trust policy should include the Infrastructure account’s GitHub OIDC role ARN as a trusted principal.

GitHub Actions can’t authenticate

  1. Verify the OIDC provider exists in the Infrastructure account:
  2. Check the GitHub OIDC role trust policy allows your repository:
  3. Ensure the repository name in the trust policy matches exactly (case-sensitive, including organization name).

Next Steps

With AWS integration configured, you’re ready to Deploy Infrastructure to provision networking and EKS clusters.