AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約

Using a one role for OpenID Connect and GitHub actions, but different permissions

0

Is it possible to have a single IAM role for OpenID Connect, which allows multiple repos, or even the entire GitHub org to assume it, yet have different permissions by repo?

For example, I have a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:org/foo:pull_request",
                        "repo:org/bar:pull_request"
                    ]
                }
            }
        }
    ]
}

And I'd like to grant the repo org/foo one set of permissions and org/bar another.

The idea is to have a single "well-known" role, which we can also hard code, so that we wouldn't have to create separate roles for each repo.

See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

profile picture
質問済み 10ヶ月前426ビュー
1回答
1

You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.

However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsForRepoFoo",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
                // ... other S3 actions
            ],
            "Resource": "arn:aws:s3:::example-bucket-for-foo/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/foo"
                }
            }
        },
        {
            "Sid": "AllowEC2ActionsForRepoBar",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
                // ... other EC2 actions
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/bar"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
エキスパート
回答済み 10ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ