Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

upgraded to new GH OIDC API #284

Merged
merged 1 commit into from
Oct 18, 2021
Merged

upgraded to new GH OIDC API #284

merged 1 commit into from
Oct 18, 2021

Conversation

richardhboyd
Copy link

Issue #, if available:

Description of changes:

  • Updated to new GH OIDC API
  • Used the GITHUB_ACTIONS environment variable to check if we're in a self-hosted runner or not (this appears to be teh recommended practice from GH) instead of guessing based on other set/un-set env variables
  • Updated Readme with new OIDC Audiences.
  • Tested this by running the action from my fork

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@richardhboyd richardhboyd mentioned this pull request Oct 7, 2021
Closed
@mike-stewart
Copy link

@richardhboyd When do you expect this will ship?

@vikram-katkar-discovery vikram-katkar-discovery mentioned this pull request Oct 15, 2021
Closed
paragbhingre
paragbhingre approved these changes Oct 18, 2021
View reviewed changes
Copy link
Contributor

@paragbhingre paragbhingre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉

@mergify mergify bot merged commit 036a4a1 into aws-actions:master Oct 18, 2021
@ahawkins ahawkins mentioned this pull request Oct 20, 2021
Closed
@snebjorn
Copy link

When can we expect this to be released so we don't have to rely on aws-actions/configure-aws-credentials@master as that isn't recommended by GitHub

@kellertk kellertk mentioned this pull request May 16, 2022
Closed
rtyley added a commit to guardian/cdk that referenced this pull request Jun 23, 2022
@rtyley
Fix 'Incorrect token audience' error for GH OIDC
10db93b 
This is an update to the construct that creates IAM resources for GitHub
Actions, first introduced with #823
in early October 2021.

Apparently the `ClientIdList` field should no longer be `sigstore`, as
of 19th October 2021:

aws-actions/configure-aws-credentials#291
aws-actions/configure-aws-credentials#280 (comment)
aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this
line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field,
running the `aws-actions/configure-aws-credentials` GitHub Action will give you
a "Error: Incorrect token audience" error:

https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
@rtyley rtyley mentioned this pull request Jun 23, 2022
Merged
rtyley added a commit to guardian/cdk that referenced this pull request Jun 23, 2022
@rtyley
fix: 'Incorrect token audience' error for GH OIDC
cef0bfa 
This is an update to the construct that creates IAM resources for GitHub
Actions, first introduced with #823
in early October 2021.

Apparently the `ClientIdList` field should no longer be `sigstore`, as
of 19th October 2021:

aws-actions/configure-aws-credentials#291
aws-actions/configure-aws-credentials#280 (comment)
aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this
line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field,
running the `aws-actions/configure-aws-credentials` GitHub Action will give you
a "Error: Incorrect token audience" error:

https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
rtyley added a commit to guardian/cdk that referenced this pull request Jun 23, 2022
@rtyley
fix: 'Incorrect token audience' error for GH OIDC
36a4bdf 
This is an update to the construct that creates IAM resources for GitHub
Actions, first introduced with #823
in early October 2021.

Apparently the `ClientIdList` field should no longer be `sigstore`, as
of 19th October 2021:

aws-actions/configure-aws-credentials#291
aws-actions/configure-aws-credentials#280 (comment)
aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this
line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field,
running the `aws-actions/configure-aws-credentials` GitHub Action will give you
a "Error: Incorrect token audience" error:

https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paragbhingre paragbhingre paragbhingre approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@richardhboyd @mike-stewart @snebjorn @paragbhingre