diff --git a/.gitignore b/.gitignore
index bbc7847..f9dbfd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,5 +35,5 @@ terraform.rc
 google-cloud-cli-*
 google-cloud-sdk/
-*.plan
+plan
 awscliv2.zip
diff --git a/README.md b/README.md
index 331c00e..7caf13f 100644
--- a/README.md
+++ b/README.md
@@ -19,8 +19,8 @@ To deploy the resources, follow these steps:
 1. Run `terraform init` to initialize Terraform and install necessary dependencies.
 1. The default Terraform `backend` is set to `local`, meaning Terraform state is stored locally. This can be altered to any supported backend.
 1. Change the name of `terraform.tfvars.example` to `terraform.tfvars` and modify the variables to suit your setup. The `terraform.tfvars` file holds the configuration for the Terraform files.
-1. Execute `terraform plan -out=oidc.plan` to prepare for resource creation. This plan is saved in the `oidc.plan` file for the next step.
-1. Use `terraform apply oidc.plan` to initiate the creation of the resources.
+1. Execute `terraform plan -out=plan` to prepare for resource creation. This plan is saved in the `plan` file for the next step.
+1. Use `terraform apply plan` to initiate the creation of the resources.
 1. The configuration necessary for enabling Actions on GHES with OIDC in the GHES Management Console is provided at the conclusion of the process, as dictated by the outputs specified in `src/outputs.tf`.
 1. Additional instructions specific to each cloud provider are detailed further below.
@@ -28,6 +28,22 @@ To deploy the resources, follow these steps:
 Useful Information: This repository's configuration is verified through a GitHub Action in `.github/terraform.yml`, which ensures its accuracy.
+## Variables
+
+The Terraform configuration expects to receive a value for variables defined in `src/variables.tf`. The `terraform.tfvars.example` file can be used as a template. You can rename the `terraform.tfvars.example` file to `terraform.tfvars` and provide the following:
+
+- `GHES_INSTANCE_NAME`: Name of the GHES instance (e.g. my-ghes-instance)
+- `GHES_URL`: URL of the GHES instance without 'https://' (e.g. my-ghes-instance.com)
+- `AZURE_SUBSCRIPTION_ID`: ID of the Azure Subscription to use
+- `AZURE_REGION`: Region for the Azure Storage Account (defaults to `West Europe`)
+- `AZURE_STORAGE_ACCOUNT_TIER`: Tier for the Azure Storage Account (defaults to `Standard`)
+- `AZURE_STORAGE_ACCOUNT_REPLICATION_TYPE`: Replication Type for Azure Storage Account (defaults to `LRS`)
+- `AWS_REGION`: AWS Region for OIDC Resources (defaults to `eu-north-1`)
+- `AWS_OIDC_THUMBPRINT`: Thumbprint of the GHES Instance to for OIDC setup on AWS
+- `GCP_PROJECT_ID`: ID of the Google Cloud Project to use
+- `GCP_REGION`: Google Cloud Region for OIDC Resources (defaults to `EUROPE-WEST4`)
+
+
 ## Cloud Providers
 ### Azure
@@ -63,6 +79,5 @@ The required resources for Google Cloud are detailed in the `src/gcp.tf` file. T
 In the future, we could make things better by splitting the settings for different cloud services like Azure, AWS, and Google Cloud into their own separate parts. This would make it easier and more flexible to work with each one on its own. It would help users handle their settings for each cloud service by themselves. This way, if you're just working with one cloud service, things would be smoother.
-- Document variables
 - thumbprint generator script
 - add ssh keys to GHES
diff --git a/src/aws.tf b/src/aws.tf
index 22d7cac..26eeb62 100644
--- a/src/aws.tf
+++ b/src/aws.tf
@@ -12,3 +12,31 @@ resource "aws_iam_openid_connect_provider" "this" {
 client_id_list = [local.aws_oidc_client_id]
 thumbprint_list = [local.aws_oidc_thumbprint]
 }
+
+# Roles & Policies for OIDC
+resource "aws_iam_role" "this" {
+ name = local.ghes_instance_name
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ Federated = aws_iam_openid_connect_provider.this.arn
+ },
+ Action = "sts:AssumeRoleWithWebIdentity",
+ Condition = {
+ StringEquals = {
+ "${aws_iam_openid_connect_provider.this.url}:aud" = "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ role = aws_iam_role.this.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
diff --git a/src/outputs.tf b/src/outputs.tf
index d64592f..f965575 100644
--- a/src/outputs.tf
+++ b/src/outputs.tf
@@ -22,7 +22,7 @@ output "aws_s3_bucket" {
 value = aws_s3_bucket.this.bucket
 }
 output "aws_role" {
- value = ""
+ value = aws_iam_role.this.arn
 }
 output "aws_region" {
 value = data.aws_region.this.name
diff --git a/src/variables.tf b/src/variables.tf
index 4402e96..f7cebe3 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -15,13 +15,13 @@ variable "AZURE_SUBSCRIPTION_ID" {
 variable "AZURE_REGION" {
 type = string
- description = "Azure: Region of the Storage Account"
+ description = "Azure: Region for the Storage Account"
 default = "West Europe"
 }
 variable "AZURE_STORAGE_ACCOUNT_TIER" {
 type = string
- description = "Azure: Tier of the Storage Account"
+ description = "Azure: Tier for the Storage Account"
 default = "Standard"
 }
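Review bot: The trust policy on `aws_iam_role.this` conditions only on the `:aud` claim, so every OIDC token the GHES provider issues — any workflow in any repository on the instance — can call `sts:AssumeRoleWithWebIdentity` on this role; add a `:sub` condition (`StringEquals` or `StringLike`) that pins the permitted org/repo/ref, and because IAM matches the condition key against the issuer host without the scheme, derive it with `replace(aws_iam_openid_connect_provider.this.url, "https://", "")` in case that attribute still carries `https://` (the provider's `url` argument is above the hunk, so I cannot tell). Attaching the AWS-managed `AmazonS3FullAccess` also grants the role read/write/delete on every bucket in the account, whereas the role only needs `aws_s3_bucket.this` (the bucket exported in `outputs.tf`); replace the attachment with an inline `aws_iam_role_policy` scoped to that bucket's ARN and its objects. The exact object-level action list should be taken from the GHES Actions S3 storage documentation rather than guessed, so the list below is a starting point marked for confirmation. The `aws_iam_openid_connect_provider` resource whose closing lines form the hunk's context starts above the hunk.
```hcl
resource "aws_iam_role" "this" {
  # … unchanged: name, assume_role_policy Version / Statement / Effect / Principal / Action …
        Condition = {
          StringEquals = {
            "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:aud" = "sts.amazonaws.com"
          },
          # Only these GHES org/repo/ref(s) may assume the role -- fill in the real value(s).
          StringLike = {
            "${replace(aws_iam_openid_connect_provider.this.url, "https://", "")}:sub" = "repo:<org>/<repo>:*"
          }
        }
  # … unchanged: closing of Statement / jsonencode …
}

# Least privilege: only the bucket this module creates, instead of AmazonS3FullAccess.
resource "aws_iam_role_policy" "this" {
  name = "${local.ghes_instance_name}-s3"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = ["s3:ListBucket", "s3:GetBucketLocation"],
        Resource = aws_s3_bucket.this.arn
      },
      {
        # TODO(review): confirm the object-level actions GHES Actions storage actually needs.
        Effect   = "Allow",
        Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
        Resource = "${aws_s3_bucket.this.arn}/*"
      }
    ]
  })
}
```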