mirror of synced 2026-01-01 18:05:46 -05:00

Remove aud from example and ForAllValues

I've tested a wide variety of cases and compared to CloudTrail events.

Only `sub` is currently sent to and compared in the AWS OpenID Connect connector for GitHub.
`aud` will *always* be sts.amazonaws.com.

So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub` which contains this information:

`"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"`

If the conditional StringLike is used, a wildcard can be used for `branch-name`.

There might be other things to touch up on in this README.md to reflect this information.
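As an added illustration of the point made in the commit message (this is not code from the original page or from the docs repository the commit belongs to), the following Python models how IAM evaluates `StringEquals`, `StringLike` and the `ForAllValues` set operator over a request context, using the page's `sub`/`aud` condition keys and example values. The request contexts and the branch-wildcard policy are constructed here, and the evaluator is a simplification of AWS's documented operator semantics, not the IAM engine itself.

```python
import re

# Condition keys carried by the GitHub OIDC token on the AWS side (names as on the page).
SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


# Base operators modelled here; each takes (policy_value, request_value).
OPERATORS = {
    "StringEquals": lambda p, v: p == v,
    "StringLike": string_like,
}


def evaluate_condition(condition: dict, request: dict) -> bool:
    """True when every operator block in `condition` is satisfied by `request`.

    `request` maps condition-key names to the value(s) present in the request
    context; a key the token does not carry is simply absent from the dict.
    """
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # "" when no set operator prefix
        match = OPERATORS[base_op]
        for key, policy_values in pairs.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            request_values = request.get(key, [])
            if isinstance(request_values, str):
                request_values = [request_values]
            hits = [any(match(p, v) for p in policy_values) for v in request_values]
            if set_op == "":
                # Single-valued operator: the key must be present and its value must match.
                ok = len(hits) == 1 and hits[0]
            elif set_op == "ForAllValues":
                # AWS-documented semantics: every present value must match, and the
                # condition is ALSO true when the key is absent (all([]) is True).
                ok = all(hits)
            elif set_op == "ForAnyValue":
                ok = any(hits)
            else:
                raise ValueError(f"unsupported set operator: {set_op}")
            if not ok:
                return False
    return True


# The example as it stood before this commit (values taken from the page).
OLD_EXAMPLE = {
    "ForAllValues:StringEquals": {
        AUD_KEY: "https://github.com/octo-org",
        SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/octo-branch",
    }
}

# The example after this commit: a plain StringEquals on sub only.
NEW_EXAMPLE = {
    "StringEquals": {
        SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/octo-branch",
    }
}

# Constructed variant: StringLike with a wildcard in place of the branch name.
BRANCH_WILDCARD_EXAMPLE = {
    "StringLike": {
        SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/*",
    }
}

# Constructed request contexts standing in for decoded GitHub OIDC tokens.
MATCHING_TOKEN = {SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"}
FEATURE_BRANCH_TOKEN = {SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/feature/x"}
OTHER_REPO_TOKEN = {SUB_KEY: "repo:other-org/octo-repo:ref:refs/heads/octo-branch"}
PULL_REQUEST_TOKEN = {SUB_KEY: "repo:octo-org/octo-repo:pull_request"}
EMPTY_CONTEXT = {}  # neither sub nor aud present at all


def run_cases() -> dict:
    """Evaluate each policy variant against the constructed request contexts."""
    return {
        "old_sub_only_no_aud": evaluate_condition(OLD_EXAMPLE, MATCHING_TOKEN),
        "old_empty_context": evaluate_condition(OLD_EXAMPLE, EMPTY_CONTEXT),
        "new_matching": evaluate_condition(NEW_EXAMPLE, MATCHING_TOKEN),
        "new_empty_context": evaluate_condition(NEW_EXAMPLE, EMPTY_CONTEXT),
        "new_feature_branch": evaluate_condition(NEW_EXAMPLE, FEATURE_BRANCH_TOKEN),
        "wildcard_feature_branch": evaluate_condition(BRANCH_WILDCARD_EXAMPLE, FEATURE_BRANCH_TOKEN),
        "wildcard_other_repo": evaluate_condition(BRANCH_WILDCARD_EXAMPLE, OTHER_REPO_TOKEN),
        "wildcard_pull_request": evaluate_condition(BRANCH_WILDCARD_EXAMPLE, PULL_REQUEST_TOKEN),
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it shows why the change matters: with `ForAllValues:StringEquals`, a request context that carries no `aud`, or even no `sub`, still satisfies the condition, because the set operator is defined to pass when the key is absent, whereas plain `StringEquals` fails closed; and `StringLike` with `refs/heads/*` admits any branch of the named repository while still rejecting other repositories and the `pull_request` subject form.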
This commit is contained in:
Conrad Tötterman
2021-11-19 18:08:23 +02:00
committed by GitHub
parent 4a3ee1a87f
commit b092ab95b9


@@ -42,8 +42,7 @@ By default, the validation only includes the audience (`aud`) condition, so you
```json{:copy}
"Condition": {
"ForAllValues:StringEquals": {
"token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
"StringEquals": {
"token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
}
}
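Review bot: the context line at the top of this hunk ("By default, the validation only includes the audience (`aud`) condition, so you ...") still describes the example as an `aud`-only check, while the example below it now contains only the `sub` condition; that sentence should be updated in the same commit so the prose and the JSON agree. Replacing `ForAllValues:StringEquals` with plain `StringEquals` is the right call for the single-valued `sub` key: `ForAllValues` also evaluates to true when the key is absent from the request context, so the old form did not fail closed, whereas `StringEquals` denies when `sub` is missing or different. Since the commit message says a wildcard for the branch name needs `StringLike`, it would help to say so next to the example, e.g. `"StringLike": { "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/*" }`.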