The Problem
We don't want to put static IAM secrets into gitlab.com. Why? Because you have to rotate them, and that's a pain. It's also not a great practice.
The Complicating factors
We run our Terraform with multiple workspaces, which refer to multiple different AWS accounts:
- Central AWS Account: S3 State Bucket and DynamoDB lockfile
- Dev AWS Account: Dev and DevOps environments
- Test AWS Account: UAT environment
- Prod AWS Account: Stage and Prod
The solution
It seems like the best answer is to implement (OpenIDConnect) with (GitLab), so that you establish a trust between EACH AWS account and GitLab, then limit that trust to your GitLab group/subgroup/repo/branch. GitLab becomes the IdP, and incidentally the GitLab runner is also the consumer of that trust. Seems a little odd but I think it'll work.
(GitLab's Docs) (My Terraform Module to Implement this)
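As an added example (not the author's module and not GitLab's own code), here is the slice of Terraform that establishes that trust in one AWS account: an OIDC identity provider pointing at GitLab, plus an IAM role whose trust policy only accepts tokens whose `aud` is this provider and whose `sub` names one project path and one branch. The GitLab URL, project path, branch and role name are assumed placeholders; the `sub` claim format `project_path:<group>/<project>:ref_type:branch:ref:<branch>` and the `<issuer-host>:sub` / `<issuer-host>:aud` condition keys follow GitLab's documented AWS integration. The same resources are applied once per AWS account (Dev, Test, Prod) from the matching workspace.

```hcl
# Added example: GitLab -> AWS OIDC trust for one account. Placeholder values throughout.

variable "gitlab_url" {
  description = "GitLab instance URL; used as the OIDC issuer and as the token audience"
  type        = string
  default     = "https://gitlab.com"
}

variable "project_path" {
  description = "group/subgroup/project allowed to assume the role (assumed placeholder)"
  type        = string
  default     = "my-group/my-subgroup/my-infra-repo"
}

variable "branch" {
  description = "Only jobs running on this branch may assume the role"
  type        = string
  default     = "main"
}

# The issuer's TLS chain supplies the thumbprint AWS requires on the provider.
data "tls_certificate" "gitlab" {
  url = "${var.gitlab_url}/.well-known/openid-configuration"
}

# One identity provider per AWS account; each account's workspace creates its own.
resource "aws_iam_openid_connect_provider" "gitlab" {
  url             = var.gitlab_url
  client_id_list  = [var.gitlab_url] # must equal the `aud` the CI job requests
  thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
}

locals {
  # Condition keys are prefixed with the issuer host without scheme, e.g. "gitlab.com:sub"
  issuer_host = trimprefix(var.gitlab_url, "https://")
}

data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }

    # Audience check: the token was minted for this provider, not some other consumer.
    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:aud"
      values   = [var.gitlab_url]
    }

    # Subject check: exactly this project and branch. Swap to StringLike with a
    # wildcard on the ref segment if every branch of the project should be trusted.
    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:sub"
      values   = ["project_path:${var.project_path}:ref_type:branch:ref:${var.branch}"]
    }
  }
}

resource "aws_iam_role" "gitlab_terraform" {
  name                 = "gitlab-terraform-${var.branch}" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600
}

output "role_arn" {
  description = "Role ARN the pipeline passes to sts assume-role-with-web-identity"
  value       = aws_iam_role.gitlab_terraform.arn
}
```

On the pipeline side the job requests an ID token with `aud` set to the GitLab URL (the `id_tokens` keyword in `.gitlab-ci.yml`) and exchanges it with `aws sts assume-role-with-web-identity --role-arn <role_arn> --web-identity-token "$TOKEN"`; no long-lived key ever lands in CI variables. Two caveats worth checking in a review: the role above carries no permissions policy yet, and because the state bucket and lock table live in the central account, whatever policy you attach (and the bucket/table policies in the central account) must also allow this role's cross-account access to them.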
Good luck