diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index be430824a5..b5b4be4216 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -39,7 +39,7 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html). -Edit the trust relationship to add the `sub` field to the validation conditions. For example: +Edit the trust policy to add the `sub` field to the validation conditions. For example: ```json{:copy} "Condition": { 
@@ -50,6 +50,33 @@ Edit the trust relationship to add the `sub` field to the validation conditions. } ``` +In the following example, `ForAllValues` is used to match on multiple condition keys, and `StringLike` is used to match any ref in the specified repository. Note that `ForAllValues` is [overly permissive](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) and should not be used on its own in an `Allow` effect. For this example, the inclusion of `StringLike` means that an empty set in `ForAllValues` will still not pass the condition: + +```json{:copy} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringLike": { + "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*" + }, + "ForAllValues:StringEquals": { + "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com", + "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` + + ## Updating your {% data variables.product.prodname_actions %} workflow To update your workflows for OIDC, you will need to make two changes to your YAML: @@ -79,7 +106,7 @@ env: AWS_REGION : "" # permission can be added at job level or workflow level permissions: - id-token: write + id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout jobs: S3PackageUpload: diff --git a/data/reusables/actions/oidc-permissions-token.md b/data/reusables/actions/oidc-permissions-token.md index 2f4d6d1f5e..3c3b135f52 100644 --- a/data/reusables/actions/oidc-permissions-token.md +++ b/data/reusables/actions/oidc-permissions-token.md 
@@ -5,11 +5,19 @@ The `id-token: write` setting allows the JWT to be requested from {% data variab - Using environment variables on the runner (`ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`). - Using `getIDToken()` from the Actions toolkit. +If you need to fetch an OIDC token for a workflow, then the permission can be set at the workflow level. For example: + +```yaml{:copy} +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout +``` + If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: ```yaml{:copy} permissions: - id-token: write + id-token: write # This is required for requesting the JWT ``` You may need to specify additional permissions here, depending on your workflow's requirements. diff --git a/data/reusables/actions/runner-debug-description.md b/data/reusables/actions/runner-debug-description.md index 706ffae0d2..b90948ae47 100644 --- a/data/reusables/actions/runner-debug-description.md +++ b/data/reusables/actions/runner-debug-description.md @@ -1 +1 @@ -This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps. +This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps.
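Review bot: In the `@@ -50,6 +50,33 @@` hunk of configuring-openid-connect-in-amazon-web-services.md, the new lead-in sentence misstates what `ForAllValues` does: per the linked AWS page it is a set operator for multivalued context keys, not a way "to match on multiple condition keys" (listing `iss` and `aud` under one operator is unrelated). Suggest rewording to say it is applied to the `iss`/`aud` keys, and keep the warning that it must be paired with a non-set condition. In the same hunk, `"token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*"` matches every `sub` value that starts with `repo:octo-org/octo-repo:`, so "match any ref in the specified repository" undersells the scope; say that the wildcard is the part a reader should narrow when tightening the trust policy. The account ID `123456123456` and `octo-org/octo-repo` are sample values and should be labelled as placeholders, and the two blank `+` lines before `## Updating your ...` are one more than the file uses elsewhere.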
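Review bot: In the `@@ -5,11 +5,19 @@` hunk of data/reusables/actions/oidc-permissions-token.md, the new sentence "If you need to fetch an OIDC token for a workflow" does not say what a workflow-level `permissions` block actually does, which is grant `id-token: write` to every job in the workflow; suggest "for all jobs in a workflow" so it contrasts cleanly with the existing "for a single job" paragraph and nudges readers toward the job-level form when only one job mints a token. The two examples are also inconsistent: the workflow-level block adds `contents: read # This is required for actions/checkout` while the job-level block below it does not; either add the same line to both or drop it from the new one, since the closing sentence already covers additional permissions.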
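Review bot: The `@@ -1 +1 @@` hunk of data/reusables/actions/runner-debug-description.md shows identical text on the `-` and `+` lines, so the only change is whitespace (most likely a trailing newline); confirm this is intentional and note it in the PR description, otherwise it reads as an accidental change unrelated to the OIDC documentation updates.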