Open iataylor opened 4 days ago
Do I understand your use-case correctly that your runners need to call AWS APIs, and you want, for that use-case, the option to add trust relations? In that case I think it is much better to set up OIDC on your AWS accounts to assign the relation based on the job. Here is an old blog of mine explaining this in detail: https://040code.github.io/2022/12/02/oidc-part-1
That's pretty much what I need. I read through the blog you sent, which is super helpful! I'll take a crack at setting up OIDC, but it still may be helpful to have the ability to at least add trust relationships if necessary.
Overview: I need to have the ability to parameterize the trust relationships for the runner role. I'd like to add a config variable to take in JSON-formatted trust relationships to add to the automatically generated runner role.
Use Case: Customizing this would allow me to assume the runner role to execute actions from different accounts. This is a consequence of moving from runners placed in individual accounts to centralizing our runners in a single AWS account. We're utilizing the old runner role infrastructure to allow access and management of resources from a central location. As of right now, we cannot actually edit this relationship, as it always has the default policy in this file.
I know this is an edge case, and not necessarily the best solution, but adding the capability should be a fairly minor change with no adverse effect on other users.
I'm happy to propose a fix myself, but I don't currently have permission to open a branch.
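As an added illustration (not the project's own code), the following Terraform sketch combines the two approaches discussed in this thread: the job-scoped OIDC trust the maintainer recommends, plus an optional list of extra trust statements like the one the issue asks for. It assumes the runner role is managed with Terraform; the variable name `extra_trust_statements`, the repository name and the thumbprint value are placeholders.

```hcl
# Hypothetical variable: extra IAM trust statements merged into the role's policy.
variable "extra_trust_statements" {
  description = "Additional trust statements, e.g. a cross-account AWS principal"
  type        = list(any)
  default     = []
  # Example value for the cross-account use case in the issue:
  # [{ Effect = "Allow", Action = "sts:AssumeRole",
  #    Principal = { AWS = "arn:aws:iam::111111111111:root" } }]
}

variable "github_repo" {
  type    = string
  default = "example-org/example-repo" # constructed placeholder
}

# GitHub's OIDC provider. Replace the thumbprint with the provider's current
# certificate thumbprint; the value below is a placeholder only.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

locals {
  # Trust is granted per job: only tokens whose subject matches this
  # repository and branch may assume the role (least privilege).
  oidc_trust_statement = {
    Effect    = "Allow"
    Action    = "sts:AssumeRoleWithWebIdentity"
    Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
    Condition = {
      StringEquals = {
        "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
        "token.actions.githubusercontent.com:sub" = "repo:${var.github_repo}:ref:refs/heads/main"
      }
    }
  }
}

resource "aws_iam_role" "runner" {
  name = "gh-runner-role-example"
  # Default OIDC statement first, then any caller-supplied statements.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = concat([local.oidc_trust_statement], var.extra_trust_statements)
  })
}
```

Keeping the `sub` condition narrow (repository plus branch or environment) is what prevents any other repository's jobs from assuming the role; a bare account principal in `extra_trust_statements` is far broader and should be paired with conditions of its own.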