@@ -38,12 +38,11 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example:
Edit the trust relationship to add the `sub` field to the validation conditions. For example:
```json{:copy}
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
"token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
}
}
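Review bot: the two adjacent lines "By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example:" and "Edit the trust relationship to add the `sub` field to the validation conditions. For example:" say the same thing; only one of them should survive in the new text, otherwise the paragraph reads twice. Worth adding one sentence after the JSON example as well: because the example uses `StringEquals`, the `sub` value `repo:octo-org/octo-repo:ref:refs/heads/octo-branch` is matched exactly, so tokens issued for other branches, tags, pull requests or environments of the same repository will be refused by AWS, which is the intended least-privilege behaviour and the reason the `sub` condition matters (without it, the trust policy only checks `aud`).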
@@ -86,7 +85,7 @@ env:
# permission can be added at job level or workflow level
permissions:
id-token: write
contents: write # This is required for actions/checkout@v1
contents: read # This is required for actions/checkout@v1
jobs:
S3PackageUpload:
runs-on: ubuntu-latest
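Review bot: the trailing comment `# This is required for actions/checkout@v1` is carried over unchanged from `contents: write` to `contents: read`, but it only justifies the `read` value: checking out the repository needs read access to its contents, and the OIDC token request is covered separately by `id-token: write`, so `contents: write` grants the job more than this workflow uses. Keep `contents: read`, and consider rewording the comment so that it explains which permission does what, for example "`id-token: write` lets the job request the OIDC token; `contents: read` is needed by actions/checkout".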