
chore: Remove warning about using long-term credentials #926

Merged
merged 2 commits into from
Dec 6, 2023

Conversation

tim-finnigan (Contributor) opened this pull request:

Issue #, if available: #885

Description of changes: #871 added a warning about using long-term credentials. Upon discussion with the team, we think that this should be called out in the README rather than in a warning. And there is already a recommendation in the README to use OIDC to get short-lived credentials:

We recommend using GitHub's OIDC provider to get short-lived AWS credentials needed for your actions.

Although long-term credentials may not be recommended in most cases, the AWS IAM documentation does note:

There are specific use cases that require long-term credentials with IAM users in AWS.

Ultimately Identity and Access Management is the customer's responsibility in the Shared Responsibility Model. We can recommend best practices but should be cautious about adding warnings that may not be universally applicable.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
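The README recommendation quoted above (use GitHub's OIDC provider for short-lived credentials) is easiest to see as a workflow. The following is an added example, not code from this pull request or the project; it assumes the action in question is `aws-actions/configure-aws-credentials`, that an IAM role trusting GitHub's OIDC provider already exists, and uses a placeholder account id, role name and region.

```yaml
# Added example (not from the PR or the project): a workflow that obtains
# short-lived AWS credentials through GitHub's OIDC provider instead of storing
# long-term IAM user access keys as repository secrets.
# Assumptions: the action is aws-actions/configure-aws-credentials; the role ARN,
# account id and region are placeholders; the role's trust policy already
# accepts tokens from token.actions.githubusercontent.com for this repository.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Short-lived credentials: the action exchanges the job's OIDC token for
      # STS credentials scoped to the role below. No long-lived secret is stored.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsDeployRole  # placeholder
          aws-region: us-east-1                                                   # placeholder
          role-session-name: github-${{ github.run_id }}

      # Long-term IAM user keys stored as repository secrets: the form the README
      # advises against in most cases, which the IAM documentation notes is still
      # required for specific use cases. Shown for comparison, not enabled.
      # - uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     aws-region: us-east-1

      - run: aws sts get-caller-identity
```

The `id-token: write` permission is what allows the action to request the OIDC token; without it the role assumption fails. On the AWS side, the role's trust policy should constrain the token's `sub` claim to the intended repository (and branch or environment where appropriate) so that only this workflow, not any GitHub workflow, can assume the role.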

tim-finnigan changed the title from "Remove warning about using long-term credentials" to "chore: Remove warning about using long-term credentials" on Nov 21, 2023.
tim-finnigan marked this pull request as ready for review on November 21, 2023 at 22:55.
Review comments (resolved, outdated) on: README.md, dist/index.js
jplock (Contributor) commented Nov 22, 2023:

Can we ask the IAM team if they’ll ever change those prefixes instead of reverting this warning?

The largest attack vector we see within AWS Startups is accounts being compromised due to mishandled access keys. We actively want to discourage their usage and GitHub Actions is a source of key exposure.

Before the short link was removed in #905, there were 741 clicks on the link to read about OIDC.

mergify bot merged commit 6129f32 into main on Dec 6, 2023.
8 checks passed
haooliveira84 commented:

@kellertk, when will this PR be part of v4?

Linked issue: Action gives warning about long-term credentials when using InstanceRole permissions on self-hosted runners