From ba382b203980562fa588267382920979e3733b3d Mon Sep 17 00:00:00 2001
From: Ari Pollak <aripollak@users.noreply.github.com>
Date: Tue, 30 Nov 2021 05:34:18 -0500
Subject: [PATCH] Tweak AWS OIDC instructions (#11621)

* Tweak AWS OIDC instructions

* Only contents: read is necessary
* Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials

* Update to be valid JSON, and actually remove :aud

Co-authored-by: hubwriter <hubwriter@github.com>
---
 .../configuring-openid-connect-in-amazon-web-services.md     | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
index af36775458..d7dcd59852 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -38,12 +38,11 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
 
 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
 
-By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example:
+Edit the trust relationship to add the `sub` field to the validation conditions. For example:
 
 ```json{:copy}
 "Condition": {
   "StringEquals": {
-    "token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
     "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
   }
 }
@@ -86,7 +85,7 @@ env:
 # permission can be added at job level or workflow level    
 permissions:
       id-token: write
-      contents: write    # This is required for actions/checkout@v1
+      contents: read    # This is required for actions/checkout@v1
 jobs:
   S3PackageUpload:
     runs-on: ubuntu-latest