AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관

Using a one role for OpenID Connect and GitHub actions, but different permissions

0

Is it possible to have a single IAM role for OpenID Connect, which allows multiple repos, or even the entire GitHub org to assume it, yet have different permissions by repo?

For example, I have a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:org/foo:pull_request",
                        "repo:org/bar:pull_request"
                    ]
                }
            }
        }
    ]
}

And I'd like to grant the repo org/foo one set of permissions and org/bar another.

The idea is to have a single "well-known" role, which we can also hard code, so that we wouldn't have to create separate roles for each repo.

See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

profile picture
질문됨 10달 전414회 조회
1개 답변
1

You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.

However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsForRepoFoo",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
                // ... other S3 actions
            ],
            "Resource": "arn:aws:s3:::example-bucket-for-foo/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/foo"
                }
            }
        },
        {
            "Sid": "AllowEC2ActionsForRepoBar",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
                // ... other EC2 actions
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/bar"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
전문가
답변함 10달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠