
Invalid role when creating iam-github-oidc-role with specific branch for the target action #522

Closed
dejan-mladenovski opened this issue Oct 3, 2024 · 6 comments · Fixed by #523

Comments

@dejan-mladenovski

dejan-mladenovski commented Oct 3, 2024

Description

When creating a role for the GitHub OIDC IdP to perform GitHub Actions, if a specific branch needs to have permissions to execute, the policy that is created is invalid and the GitHub Action fails. Setting the subjects field results in the role having a StringLike condition, not StringEquals. Running the action will time out on the "Assuming role with OIDC" step. This works if I use a wildcard instead of a specific branch, but this has security implications.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: iam-github-oidc-role submodule, version 5.44.0

  • Terraform version: 1.9.4

  • Provider version(s):

provider registry.terraform.io/hashicorp/aws v5.69.0
provider registry.terraform.io/hashicorp/random v3.6.3
provider registry.terraform.io/hashicorp/tls v4.0.6

Reproduction Code [Required]

Steps to reproduce the behavior:

In Terraform setup the OIDC policy

module "iam_github_oidc_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
  version = "5.44.0"

  # This should be updated to suit your organization, repository, references/branches, etc.
  subjects = ["dejan-mladenovski/my-repo:ref:refs/heads/main"]
  name     = "github-oidc-role"

  policies = {
    GitHubOidcPolicy = module.iam_github_oidc_policy.arn
  }
}

module "iam_github_oidc_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "5.44.0"

  name        = "github-oidc-policy"
  path        = "/"
  description = "Policy that allows permissions to assumed GitHub Action"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action = [
        "iam:Get*",
        "iam:List*",
        "ecr:*",
      ],
      Effect   = "Allow",
      Resource = "*"
    }]
  })
}

Create a GitHub Action that assumes the role:

name: Replicate issue with GitHub OIDC
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
on:
  workflow_dispatch:
jobs:
  replicate-issue:
    runs-on: ubuntu-latest
    environment: production

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: "arn:aws:iam::XXXXXXXXXX:role/github-oidc-role"
          role-session-name: github-action-session
          aws-region: "eu-central-1"

Expected behavior

When the action is executed it is expected to immediately assume the role and provide an output of aws sts get-caller-identity, but it is stuck on Assuming role with OIDC and it times out after a while.

Expected output:

Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Authenticated as assumedRoleId ARXXXXXXXXXXXX:github-action-session

Actual behavior

Actual output:

Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
.....
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Additional context

The role that is created is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:dejan-mladenovski/my-repo:ref:refs/heads/main"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
                }
            }
        }
    ]
}

The problem is that the exact name of the branch is specified but under the StringLike condition. The condition should be

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:dejan-mladenovski/my-repo:ref:refs/heads/main"
  },
  "ForAllValues:StringEquals": {
     "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
     "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
  }
}

If I configure the module's input variable subjects as this: subjects = ["dejan-mladenovski/my-repo:ref:refs/heads/main*"] this will result in the StringLike condition "token.actions.githubusercontent.com:sub": "repo:dejan-mladenovski/my-repo:ref:refs/heads/main*" and this works.

However, there is a security implication that a user can create a branch called main-vulnerable and introduce a vulnerability and still execute the Action.

A solution would be to check the string if contains * to configure a StringLike role, and if it does not contain * to produce a StringEquals role.

The official AWS documentation for configuring a role for the GitHub OIDC identity provider has examples stating just that: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub
Other users managed to solve it with the policy change: aws-actions/configure-aws-credentials#1137 (comment)

@dejan-mladenovski dejan-mladenovski changed the title Invalid policy when creating iam-github-oidc-role with specific branch for the target action Invalid role when creating iam-github-oidc-role with specific branch for the target action Oct 3, 2024
@bryantbiggs
Member

this isn't due to the module - you should open a ticket with GitHub for this because per their documentation, it should work.

I wouldn't give them the Terraform code in the case, but give them the generated IAM role trust policy JSON

@dejan-mladenovski
Author

this isn't due to the module - you should open a ticket with GitHub for this because per their documentation, it should work.

I wouldn't give them the Terraform code in the case, but give them the generated IAM role trust policy JSON

@bryantbiggs I would argue that it is the module that needs to fix it.

The AWS documentation clearly states that:

  1. If you want to limit to a specific branch, use a StringEquals condition
  2. If you want to limit to multiple or allow all branches, use StringLike condition

The module only produces a StringLike trust policy (as seen in the source code)

According to the module documentation for the subjects input, specifying an exact branch should work, but it does not:

subjects list(string)
Description: List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']`

In the example, the second item in the list will not work.
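
The operator choice argued for in the issue description (StringEquals for one exact branch, StringLike for wildcards, and the `main*` pattern also admitting a branch such as `main-vulnerable`) and restated in the comment above from the AWS documentation, modelled as an added example. This is not code from the thread or from the terraform-aws-modules/iam module. It assumes a placeholder account id, evaluates only the `sub` part of the condition (aud and iss are taken as already correct), and puts each operator group in its own Statement; that last point is the example's own design choice, because IAM ANDs two operators on the same key inside one Condition block.

```python
"""Added example, not code from the terraform-aws-modules/iam project or the
issue author: model how IAM evaluates the GitHub OIDC `sub` condition under
StringEquals versus StringLike, and apply the operator-selection rule the
issue proposes (no wildcard -> StringEquals, wildcard -> StringLike)."""
import fnmatch
import json

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"
ISS_KEY = "token.actions.githubusercontent.com:iss"
ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def iam_string_equals(expected: str, actual: str) -> bool:
    """StringEquals: exact, case-sensitive comparison."""
    return expected == actual


def iam_string_like(pattern: str, actual: str) -> bool:
    """StringLike: case-sensitive, '*' matches any run of characters and '?'
    one character. IAM has no character classes, so '[' is neutralised before
    the pattern is handed to fnmatch."""
    return fnmatch.fnmatchcase(actual, pattern.replace("[", "[[]"))


def choose_operator(subject: str) -> str:
    """Rule proposed in the issue: a subject containing a wildcard gets
    StringLike, an exact subject gets StringEquals."""
    return "StringLike" if any(c in subject for c in "*?") else "StringEquals"


def build_trust_policy(account_id: str, subjects: list[str]) -> dict:
    """Render a trust policy for the listed GitHub subjects.

    `repo:` is prefixed for the caller, as the module's `subjects` input
    documents. Subjects are grouped by operator and each group gets its own
    Statement (an assumption of this example): two operators on the same key
    inside one Condition are ANDed by IAM, so mixing exact and wildcard
    subjects in one block would make them unsatisfiable together.
    """
    groups: dict[str, list[str]] = {}
    for s in subjects:
        full = f"repo:{s}"
        groups.setdefault(choose_operator(full), []).append(full)

    statements = []
    for op, subs in groups.items():
        statements.append({
            "Sid": f"GithubOidcAuth{op}",
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": ["sts:TagSession", "sts:AssumeRoleWithWebIdentity"],
            "Condition": {
                op: {SUB_KEY: subs},
                "ForAllValues:StringEquals": {AUD_KEY: AUDIENCE, ISS_KEY: ISSUER},
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def sub_allowed(policy: dict, sub: str) -> bool:
    """Decide whether a token with this `sub` satisfies the policy's sub
    conditions: statements are ORed; inside one Condition block the operators
    are ANDed and the values listed under one key are ORed. aud and iss are
    assumed to carry the expected values and are not re-checked here."""
    matchers = {"StringEquals": iam_string_equals, "StringLike": iam_string_like}
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        ok = True
        for op, fn in matchers.items():
            values = cond.get(op, {}).get(SUB_KEY)
            if values is not None and not any(fn(v, sub) for v in values):
                ok = False
        if ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data: a placeholder account id and the two subject
    # styles discussed in the issue (exact branch versus `main*`).
    exact = build_trust_policy("123456789012", ["my-org/my-repo:ref:refs/heads/main"])
    loose = build_trust_policy("123456789012", ["my-org/my-repo:ref:refs/heads/main*"])
    print(json.dumps(exact, indent=2))
    for sub in ("repo:my-org/my-repo:ref:refs/heads/main",
                "repo:my-org/my-repo:ref:refs/heads/main-vulnerable"):
        print(f"{sub}: exact={sub_allowed(exact, sub)} wildcard={sub_allowed(loose, sub)}")
```

Running it shows the point of the issue: under the exact policy only `refs/heads/main` can assume the role, while under the `main*` policy `refs/heads/main-vulnerable` is accepted as well, so anyone who can push a branch with that prefix inherits the role's permissions.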

@bryantbiggs
Member

apologies, I misunderstood. we should be able to help with that by using a variable

@antonbabenko
Member

This issue has been resolved in version 5.45.0 🎉

@dejan-mladenovski
Author

dejan-mladenovski commented Oct 4, 2024

@bryantbiggs @antonbabenko appreciate the fast reaction! 🎉


github-actions bot commented Nov 4, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2024