From 59d216730a0bd4e56da1ab542ca7b3ae959d907f Mon Sep 17 00:00:00 2001 From: Bjorn Olsen Date: Wed, 10 Aug 2022 15:44:37 +0200 Subject: [PATCH 1/2] Clarify OIDC process for AWS --- .gitignore | 1 + ...g-openid-connect-in-amazon-web-services.md | 36 +++++++++++++++++-- .../actions/oidc-permissions-token.md | 10 +++++- .../actions/runner-debug-description.md | 2 +- 4 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 30492bcbc5..51db5860ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 .DS_Store
 .env
 .vscode/settings.json
+*.code-workspace
 .idea/
 /node_modules/
 npm-debug.log
diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
index be430824a5..c37cab61dc 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -39,7 +39,8 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
-Edit the trust relationship to add the `sub` field to the validation conditions. For example:
+Edit the trust policy to add the `sub` field to the validation conditions.
+For example:
+
 ```json{:copy}
 "Condition": {
@@ -50,6 +51,37 @@ Edit the trust relationship to add the `sub` field to the validation conditions.
 }
 ```
+A more complete, practical example is shown below.
+
+Here `ForAllValues` is used to match on multiple condition keys and `StringLike` is used to match any ref on the specified repo.
+Note that `ForAllValues` is [overly permissive](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) and should not be used alone on an `Allow` effect.
+In this example, the inclusion of `StringLike` means that an empty set in `ForAllValues` will still not pass the condition.
+
+```json{:copy}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*"
+ },
+ "ForAllValues:StringEquals": {
+ "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+}
+```
+
+
 ## Updating your {% data variables.product.prodname_actions %} workflow
 To update your workflows for OIDC, you will need to make two changes to your YAML:
@@ -79,7 +111,7 @@ env:
 AWS_REGION : ""
 # permission can be added at job level or workflow level
 permissions:
- id-token: write
+ id-token: write # This is required for requesting the JWT
 contents: read # This is required for actions/checkout
 jobs:
 S3PackageUpload:
diff --git a/data/reusables/actions/oidc-permissions-token.md b/data/reusables/actions/oidc-permissions-token.md
index 2f4d6d1f5e..3c3b135f52 100644
--- a/data/reusables/actions/oidc-permissions-token.md
+++ b/data/reusables/actions/oidc-permissions-token.md
@@ -5,11 +5,19 @@ The `id-token: write` setting allows the JWT to be requested from {% data variab
 - Using environment variables on the runner (`ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`).
 - Using `getIDToken()` from the Actions toolkit.
+If you need to fetch an OIDC token for a workflow, then the permission can be set at the workflow level. For example:
+
+```yaml{:copy}
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+```
+
 If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
 ```yaml{:copy}
 permissions:
- id-token: write
+ id-token: write # This is required for requesting the JWT
 ```
 You may need to specify additional permissions here, depending on your workflow's requirements.
diff --git a/data/reusables/actions/runner-debug-description.md b/data/reusables/actions/runner-debug-description.md
index 706ffae0d2..b90948ae47 100644
--- a/data/reusables/actions/runner-debug-description.md
+++ b/data/reusables/actions/runner-debug-description.md
@@ -1 +1 @@
-This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps.
+This is set only if [debug logging](/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) is enabled, and always has the value of `1`. It can be useful as an indicator to enable additional debugging or verbose logging in your own job steps.
From 30de2a042e004300aad246c10392dd8c759b9872 Mon Sep 17 00:00:00 2001 From: Martin Lopes Date: Fri, 9 Sep 2022 15:21:46 +1000 Subject: [PATCH 2/2] Apply suggestions from code review --- .gitignore | 1 - .../configuring-openid-connect-in-amazon-web-services.md | 9 ++------- 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index 51db5860ad..30492bcbc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 .DS_Store
 .env
 .vscode/settings.json
-*.code-workspace
 .idea/
 /node_modules/
 npm-debug.log
diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
index c37cab61dc..b5b4be4216 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -39,8 +39,7 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
-Edit the trust policy to add the `sub` field to the validation conditions.
-For example:
+Edit the trust policy to add the `sub` field to the validation conditions. For example:
 ```json{:copy}
 "Condition": {
@@ -51,11 +50,7 @@ For example:
 }
 ```
-A more complete, practical example is shown below.
-
-Here `ForAllValues` is used to match on multiple condition keys and `StringLike` is used to match any ref on the specified repo.
-Note that `ForAllValues` is [overly permissive](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) and should not be used alone on an `Allow` effect.
-In this example, the inclusion of `StringLike` means that an empty set in `ForAllValues` will still not pass the condition.
+In the following example, `ForAllValues` is used to match on multiple condition keys, and `StringLike` is used to match any ref in the specified repository. Note that `ForAllValues` is [overly permissive](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) and should not be used on its own in an `Allow` effect. For this example, the inclusion of `StringLike` means that an empty set in `ForAllValues` will still not pass the condition:
 ```json{:copy}
 {
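Review bot: The added sentence's assurance that `StringLike` on `sub` makes an empty set in `ForAllValues` harmless covers only the `sub` key; in the policy this paragraph introduces, `aud` and `iss` are checked only through `ForAllValues:StringEquals`, which per the linked AWS page also evaluates true when the key is absent, so the audience check is not a hard requirement of the `Allow`. Because the token requested for AWS carries a single `aud` value, a plain `StringEquals` is the right operator there — `"StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" }` — with `StringLike` kept only for `sub`; whether `iss` is an IAM condition key for OIDC providers at all should be confirmed against the AWS condition-key reference, since `ForAllValues` would silently turn a non-existent key into a passing clause. The `repo:octo-org/octo-repo:*` pattern also admits every branch, tag, pull request and environment of that repository, so the text could add that a deployment role should pin `sub` to a ref or environment, e.g. `repo:octo-org/octo-repo:ref:refs/heads/main`. The JSON block this paragraph introduces continues past the end of the hunk.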