Question, how to invalidate assumed role cred? #841
Comments
retzero
added
bug
|
Hey @retzero, In your workflow after all your defined steps have completed, you should see a "Post <name of configure aws credentials step>" step. In this cleanup step, we unset all AWS environment variables. Check out the file here https://github.com/aws-actions/configure-aws-credentials/blob/main/src/cleanup/index.ts Hope this answers your question, let me know if I can clarify anything else |
peterwoodworth
added
response-requested
|
While what Peter said will happen - we remove all the credentials from the environment - the temporary credentials that we fetch are still technically valid. If your workflow takes these credentials and then exports them somewhere else, they can still be used to make requests for the duration you've specified. Actually invalidating the credentials is more involved, and requires making changes to the associated IAM roles. Please see this documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html |
github-actions
bot
removed
the
response-requested
|
Thanks @peterwoodworth @kellertk |
|
Comments on closed issues are hard for our team to see. |
Describe the bug
Hello.
Do you invalidate the OIDC session token (I'm not sure this is the right word?) after the workflows or job finished even if the duration has not been expired?
Or how can I manually trigger invalidate procedure?
Expected Behavior
Session token should not be reused if the workflows finished.
Current Behavior
n/a
Reproduction Steps
n/a
Possible Solution
No response
Additional Information/Context
No response
The text was updated successfully, but these errors were encountered: