使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款

Using a one role for OpenID Connect and GitHub actions, but different permissions

0

Is it possible to have a single IAM role for OpenID Connect, which allows multiple repos, or even the entire GitHub org to assume it, yet have different permissions by repo?

For example, I have a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:org/foo:pull_request",
                        "repo:org/bar:pull_request"
                    ]
                }
            }
        }
    ]
}

And I'd like to grant the repo org/foo one set of permissions and org/bar another.

The idea is to have a single "well-known" role, which we can also hard code, so that we wouldn't have to create separate roles for each repo.

See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

profile picture
已提問 10 個月前檢視次數 419 次
1 個回答
1

You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.

However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsForRepoFoo",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
                // ... other S3 actions
            ],
            "Resource": "arn:aws:s3:::example-bucket-for-foo/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/foo"
                }
            }
        },
        {
            "Sid": "AllowEC2ActionsForRepoBar",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
                // ... other EC2 actions
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/bar"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
專家
已回答 10 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南