Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen

Using a one role for OpenID Connect and GitHub actions, but different permissions

0

Is it possible to have a single IAM role for OpenID Connect, which allows multiple repos, or even the entire GitHub org to assume it, yet have different permissions by repo?

For example, I have a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:org/foo:pull_request",
                        "repo:org/bar:pull_request"
                    ]
                }
            }
        }
    ]
}

And I'd like to grant the repo org/foo one set of permissions and org/bar another.

The idea is to have a single "well-known" role, which we can also hard code, so that we wouldn't have to create separate roles for each repo.

See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

profile picture
gefragt vor 10 Monaten426 Aufrufe
1 Antwort
1

You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.

However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsForRepoFoo",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
                // ... other S3 actions
            ],
            "Resource": "arn:aws:s3:::example-bucket-for-foo/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/foo"
                }
            }
        },
        {
            "Sid": "AllowEC2ActionsForRepoBar",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
                // ... other EC2 actions
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/bar"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
EXPERTE
beantwortet vor 10 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen