1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.
However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3ActionsForRepoFoo", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" // ... other S3 actions ], "Resource": "arn:aws:s3:::example-bucket-for-foo/*", "Condition": { "StringLike": { "aws:RequestTag/repo": "org/foo" } } }, { "Sid": "AllowEC2ActionsForRepoBar", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances" // ... other EC2 actions ], "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/repo": "org/bar" } } } ] }
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!