Invalid role when creating iam-github-oidc-role with specific branch for the target action #522
Comments
this isn't due to the module - you should open a ticket with GitHub for this because per their documentation, it should work. I wouldn't give them the Terraform code in the case, but give them the generated IAM role trust policy JSON
@bryantbiggs I would argue that it is the module that needs to fix it. The AWS documentation clearly states that:
The module only produces a According to the module documentation for the
In the example, the second item in the list will not work.
apologies, I misunderstood. we should be able to help with that by using a variable
This issue has been resolved in version 5.45.0 🎉
@bryantbiggs @antonbabenko appreciate the fast reaction! 🎉
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
When creating a role for the GitHub OIDC IdP to perform GitHub Actions, if a specific branch needs to have permissions to execute, the policy that is created is invalid and the GitHub Action fails. Setting the `subjects` field will result in the role having a `StringLike` condition, not `StringEquals`. Running the action will time out on the `Assuming role with OIDC` step. This works if I use a wildcard instead of a specific branch, but this has security implications.
Versions
Module version [Required]: `iam-github-oidc-role` submodule, version 5.44.0
Terraform version: 1.9.4
Provider version(s):
Reproduction Code [Required]
Steps to reproduce the behavior:
1. In Terraform, set up the OIDC policy
2. Create a GitHub Action that assumes the role:
Expected behavior
When the action is executed it is expected to immediately assume the role and provide the output of `aws sts get-caller-identity`, but it is stuck on `Assuming role with OIDC` and it times out after a while.
Expected output:
Actual behavior
Actual output:
Additional context
The role that is created is the following:
The problem is that the exact name of the branch is specified but under the `StringLike` condition. The condition should be
If I configure the module's input variable `subjects` as this: `subjects = ["dejan-mladenovski/my-repo:ref:refs/heads/main*"]`
this will result in the StringLike condition `"token.actions.githubusercontent.com:sub": "repo:dejan-mladenovski/my-repo:ref:refs/heads/main*"` and this works. However, there is a security implication that a user can create a branch called `main-vulnerable` and introduce a vulnerability and still execute the Action. A solution would be to check whether the string contains `*` to configure a `StringLike` role, and if it does not contain `*` to produce a `StringEquals` role. The official AWS documentation for configuring a role for the GitHub OIDC identity provider has examples stating just that: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub
Other users managed to solve it with the policy change: aws-actions/configure-aws-credentials#1137 (comment)
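An added illustration of the rule proposed in this issue (not code from the module or from any commenter): it builds a trust policy that puts wildcard-free subjects under `StringEquals` and wildcard subjects under `StringLike`, each in its own statement because operators inside one `Condition` block are ANDed, and a small matcher shows why `main*` also admits `main-vulnerable`. The repo name comes from the issue; the provider ARN and the `repo:` prefixing are assumptions.

```python
import fnmatch
import json

SUB = "token.actions.githubusercontent.com:sub"
AUD = "token.actions.githubusercontent.com:aud"

def statement(provider_arn, operator, subjects):
    """One Allow statement for sts:AssumeRoleWithWebIdentity. Operators inside a
    single Condition block are ANDed, so exact and wildcard subjects get separate
    statements instead of StringEquals and StringLike on the same sub key."""
    cond = {"StringEquals": {AUD: "sts.amazonaws.com"}}
    cond.setdefault(operator, {})[SUB] = sorted(subjects)
    return {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond,
    }

def build_trust_policy(provider_arn, subjects):
    """Apply the rule proposed in the issue: StringEquals for subjects without a
    wildcard, StringLike for the rest. Assumes the module's behaviour of
    prefixing each subject with 'repo:'."""
    prefixed = {f"repo:{s}" for s in subjects}
    exact = {s for s in prefixed if not any(c in s for c in "*?")}
    statements = []
    if exact:
        statements.append(statement(provider_arn, "StringEquals", exact))
    if prefixed - exact:
        statements.append(statement(provider_arn, "StringLike", prefixed - exact))
    return {"Version": "2012-10-17", "Statement": statements}

def sub_allowed(policy, sub):
    """Approximate IAM evaluation of the sub claim: StringEquals is an exact
    match, StringLike treats * and ? as wildcards (fnmatch also handles [],
    which IAM does not; fine for subjects built from repo/ref names)."""
    for st in policy["Statement"]:
        cond = st["Condition"]
        if sub in cond["StringEquals"].get(SUB, []):
            return True
        patterns = cond.get("StringLike", {}).get(SUB, [])
        if any(fnmatch.fnmatchcase(sub, p) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"  # placeholder
    print(json.dumps(build_trust_policy(arn, ["dejan-mladenovski/my-repo:ref:refs/heads/main"]), indent=2))
```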