Merge branch 'main' into repo-sync

2025-12-30 03:01:36 -05:00 · 2022-09-09 01:44:00 -04:00
parent 9a7b3a9ccb 52459c5680
commit 9895385068
3 changed files with 39 additions and 4 deletions
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -39,7 +39,7 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se

 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).

-Edit the trust relationship to add the `sub` field to the validation conditions. For example:
+Edit the trust policy to add the `sub` field to the validation conditions. For example:

 ```json{:copy}
 "Condition": {
@@ -50,6 +50,33 @@ Edit the trust relationship to add the `sub` field to the validation conditions.
 }
 ```

+In the following example, `ForAllValues` is used to match on multiple condition keys, and `StringLike` is used to match any ref in the specified repository. Note that `ForAllValues` is [overly permissive](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) and should not be used on its own in an `Allow` effect. For this example, the inclusion of `StringLike` means that an empty set in `ForAllValues` will still not pass the condition:
+
+```json{:copy}
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*"
+                },
+                "ForAllValues:StringEquals": {
+                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
+                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                }
+            }
+        }
+    ]
+}
+```
+
+
 ## Updating your {% data variables.product.prodname_actions %} workflow

 To update your workflows for OIDC, you will need to make two changes to your YAML:
@@ -79,7 +106,7 @@ env:
  AWS_REGION : "<example-aws-region>"
 # permission can be added at job level or workflow level    
 permissions:
-      id-token: write
+      id-token: write   # This is required for requesting the JWT
      contents: read    # This is required for actions/checkout
 jobs:
  S3PackageUpload:
--- a/data/reusables/actions/oidc-permissions-token.md
+++ b/data/reusables/actions/oidc-permissions-token.md
@@ -5,11 +5,19 @@ The `id-token: write` setting allows the JWT to be requested from {% data variab
 - Using environment variables on the runner (`ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`).
 - Using `getIDToken()` from the Actions toolkit.

+If you need to fetch an OIDC token for a workflow, then the permission can be set at the workflow level. For example:
+
+```yaml{:copy}
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+```
+
 If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:

 ```yaml{:copy}
 permissions:
-  id-token: write
+  id-token: write # This is required for requesting the JWT
 ```

 You may need to specify additional permissions here, depending on your workflow's requirements. 
--- a/data/reusables/actions/runner-debug-description.md
+++ b/data/reusables/actions/runner-debug-description.md
@@ -1 +1 @@
-This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps.
+This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps.