En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

IAM ODIC attaching existing role

0

I am creating ODIC for github but after creating ODIC Attachting existing IAM role does not work only creating new IAM roles. Once you click on add existing role it takes you to role page and that's it.

Enter image description here

Enter image description here

Enter image description here

Sujets
Sécurité, identité et conformité
Balises
Gestion des identités et des accès AWS
Langue
English
Owais
demandé il y a 2 mois135 vues
3 réponses
1

That's an expected behavior. When you want to configure an existing role to be assumable by the OIDC federation provider, you just need to allow it on the role trust policy. So, when you click on the button "Use an existing role" you get redirected to the IAM Role web page. Then you search for the role you want to allow, and then edit the trust policy. Your new trust policy, will look like something like this:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
        }
    }
}

Where you will have to adapt your AUD to align it to your OIDC provider created in IAM. You have all the details described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

Hope this helps.

Best.

profile pictureAWS
JuanEn_G
répondu il y a 2 mois
profile picture
EXPERT
Gary Mclean
vérifié il y a 2 mois
  • Owais
    il y a 2 mois

    Yes, I get redirected to IAM page role selection page there But How I select role there is only option to create Role not assign to ODIC i created. Trust policy is fine and I tested with creating new role. But I want to use existing role which dont seems to be possible

0

Hi Owais,

It seems like there might be a bug or a permissions issue. You could try clearing your browser cache, using a different browser, or checking the role's trust relationship settings.

profile picture
Vitor Castellani
répondu il y a 2 mois
  • Owais
    il y a 2 mois

    Could be bug as I have tried different browsers and Trust relation also works(tested with creating new role)

0

I did that recently in a post I wrote: https://medium.com/aws-in-plain-english/no-long-term-aws-credentials-in-your-pipeline-secure-github-actions-0420127b89ea.

For AWS reference, you can look here: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/?source=post_page-----0420127b89ea--------------------------------

profile picture
EXPERT
Antonio_Lagrotteria
répondu il y a 2 mois
profile picture
EXPERT
Gary Mclean
vérifié il y a 2 mois
  • Owais
    il y a 2 mois

    In post you are creating new role I am facing issue with using Existing one

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents