OIDC Token claims issue in AWS if we have environments in GitHub repo #454
Comments
venkyio
changed the title
|
|
I think its a limitation of assumeRoleWithWebIdentity https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRoleWithWebIdentity-property |
|
I would have thought that this is what |
|
There are a few things going on here. First, the subject claim will be the environment if one is specified, so you cannot filter by branch through Second, AWS doesn't currently support the Third, to my knowledge, Github does not support custom claims. Here are the listed supported claims. It doesn't seem to me that the API mentioned above would help out here, though I would be happy to be wrong. If Github supported custom claims, we'd be able to encode them in the jwt for AWS to parse So at the moment, this unfortunately seems impossible to specify in the trust policy when using OIDC. However if AWS supports more claims, or if Github allows to specify custom claims, then this would be possible. I'll keep this issue open for visibility, and in case anyone has additional info which may help us find a workaround I'm unaware of. Thanks everyone for the discussion here! |
peterwoodworth
added
service-limitation
|
@venkyio I was able to get it working after customizing the OIDC subject claim, for some reason though the org level is not working so had to do it on a per-repo basis, and to be clear it is just the subject claim that you are customizing, as @peterwoodworth mentioned other claims are not supported by AWS. example: claims.json example contents: {"include_claim_keys":["repo","context","workflow","job_workflow_ref","repository_visibility"],"use_default":false}If you check your CloudTrail logs you should see So an example policy for this custom claim template could be: {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::xxx:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:org_name/repo_name:pull_request:workflow:workflow_name:job_workflow_ref:*:repository_visibility:private"
}
}
}
]
}From what I can tell all the claims listed here are supported so you could try adding |
|
Hello @robgott, could you please elaborate?
I hope you have attempted to opt-in at the repo level after setting a custom template at the org level. It is turned off by default. |
@kchandra548 - where do you configure that setting? To add on to the post above yours, I also tried configuring the default sub claim on the org level via API. However, the same claims are being sent with the token- e.g. sending the environment instead of the ref which I specified. |
|
@kchandra548 I'm not exactly sure how I opt-in after reading the relevant docs and API reference but I have certainly tried setting |
|
Maybe the Set Custom template at the Org level using API. By default, this will not be used at the repo level. To use the custom template set by the org, the repo needs to opt-in using this API. |
|
|
@kchandra548 thanks for clarifying that behavior, have tested and works 🥳 |
|
@venkyio as discussed above I think you can achieve what you want by customizing the subject claim and including some combination of |
|
Hi guys, I have a similar problem. I am trying to customize the This is my request body: I am not using orgs, any idea? |
Hi, I found the problem, I was using a personal access token to invoke the OIDC REST API with the Maybe the GitHub documentation needs an update to clarify which scope is needed to invoke the OIDC API. |
@robgott Thank you . Does this work with environments configured for GitHub repo ? is it possible paste TrustPolicies you used for Main Branch and other branches based on this ? |
|
These quirks are now documented in the README https://github.com/aws-actions/configure-aws-credentials#claims-and-scoping-permissions |
|
** Note ** |
At the moment, this action sends subject claim for the AWS and we use this as the trust.
If we want to create an IAM role for main branch and one role for all other branches.
The way to do this is via condition in IAM role as specified here
For Main
For All Branches
but the issue occurs when we use environment in GitHub repo.
In this case the subject is sent as
repo:<orgName/repoName>:environment:<environmentName>examplerepo:octo-org/octo-repo:environment:Productionas specified hereBecause of this we cannot specify the main branch in the condition . We can fix issue if we add the following
refclaim to the conditionbut above is not working as the
refclaim is not sent to awsThe text was updated successfully, but these errors were encountered: