
Github Actions OIDC IAM Role Trust Relation #1456

Open
wants to merge 4 commits into
base: develop

Conversation


@bcpenta bcpenta commented Dec 19, 2024

Background

This policy ensures secure configuration of AWS IAM roles used with GitHub Actions by validating trust relationships. It enforces restrictions on the Principal, aud (audience), and sub (subject) conditions to prevent unauthorized access to AWS resources. Misconfigurations such as wildcards in the Principal or overly permissive sub conditions can lead to potential exploitation, so this policy mitigates such risks by enforcing proper validation rules.

Changes

  • Validates the Principal.Federated field to ensure it is either GitHub's OIDC provider (oidc-provider/token.actions.githubusercontent.com) or skips validation for non-GitHub principals. It rejects wildcards as insecure.
  • Ensures Condition.StringEquals for aud is correctly set to sts.amazonaws.com.
  • Enforces scoping of Condition.StringLike or Condition.StringEquals for sub to specific repositories or environments. Disallows overly permissive wildcards in sub.

Testing

  • Valid GitHub Actions Trust Relationship: Passes for properly configured GitHub Actions trust relationships.
  • Missing Audience Condition: Fails when aud condition is missing.
  • Missing Subject Restriction: Fails when sub condition is absent.
  • Overly Permissive Wildcard in Subject: Flags overly permissive sub wildcards.
  • Valid Subject Restriction with Specific Environment: Passes for correctly scoped sub with environments.
  • Invalid Principal as Wildcard: Fails when Principal.Federated is a wildcard (*).
  • Non-GitHub OIDC Principal: Ignores non-GitHub OIDC providers like accounts.google.com/cognito.

I have added the scenarios I could think of; let me know if any additional test cases are required.

@bcpenta bcpenta requested a review from a team as a code owner December 19, 2024 15:08
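The checks listed in the PR description, written out as a stand-alone Python function (an added example, not the PR's own policy code or the project's API). The "overly permissive sub" rule (a `sub` value must name one concrete `owner/repo` before any wildcard), the account id and the sample policy are assumptions made for illustration.

```python
import re

GITHUB_OIDC = "oidc-provider/token.actions.githubusercontent.com"
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"
# Assumed rule: sub must name one concrete owner/repo; wildcards only after it.
SUB_OK = re.compile(r"^repo:[^*?/]+/[^*?/]+:")


def _values(x):
    """IAM allows a string or a list of strings; normalise to a list."""
    return x if isinstance(x, list) else [x]


def check_statement(stmt: dict) -> list[str]:
    """Findings for one trust-policy statement; empty list means it passes."""
    federated = stmt.get("Principal", {}).get("Federated")
    if federated is None:
        return []  # not a federated principal, nothing to check
    if "*" in _values(federated):
        return ["Principal.Federated is a wildcard"]
    if not any(GITHUB_OIDC in f for f in _values(federated)):
        return []  # non-GitHub OIDC provider (e.g. Google, Cognito): skipped
    cond = stmt.get("Condition", {})
    findings = []
    aud = cond.get("StringEquals", {}).get(AUD_KEY)
    if aud is None:
        findings.append("missing aud condition")
    elif _values(aud) != ["sts.amazonaws.com"]:
        findings.append(f"aud is {aud!r}, expected sts.amazonaws.com")
    subs = [s for op in ("StringEquals", "StringLike")
            for s in _values(cond.get(op, {}).get(SUB_KEY, []))]
    if not subs:
        findings.append("missing sub condition")
    findings += [f"overly permissive sub {s!r}" for s in subs if not SUB_OK.match(s)]
    return findings


def check_trust_policy(policy: dict) -> list[str]:
    """Run check_statement over every Allow statement of a trust policy."""
    return [f for stmt in _values(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" for f in check_statement(stmt)]

# Constructed sample: trust policy scoped to one repository (any branch/env).
VALID_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:" + GITHUB_OIDC},
    "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                  "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"}}}]}
```

`check_trust_policy(VALID_POLICY)` returns an empty list; a statement with `"Federated": "*"`, a missing `aud`, or a `sub` of `repo:*` yields one finding per problem.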