From b092ab95b99b3ff7147d23c5d78dfa7c856f7ebf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Conrad=20T=C3=B6tterman?= Date: Fri, 19 Nov 2021 18:08:23 +0200 Subject: [PATCH] Remove aud from example and ForAllValues I've tested a wide variety of cases and compared to Cloudtrail Events. only `sub` is currently sent to and compared in AWS open-id connector for GitHub. `aud` will *always* be sts.amazonaws.com So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub` which contains this information: `"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"` If the conditional StringLike is used, wildcard can be used for `branch-name` There might be other things to touch up on in this README.md to reflect this information --- .../configuring-openid-connect-in-amazon-web-services.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index df5746478c..6f991207a3 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -42,8 +42,7 @@ By default, the validation only includes the audience (`aud`) condition, so you ```json{:copy} "Condition": { - "ForAllValues:StringEquals": { - "token.actions.githubusercontent.com:aud": "https://github.com/octo-org", + "StringEquals": { "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" } }
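Review bot: the unchanged context line above the hunk still reads "By default, the validation only includes the audience (`aud`) condition, so you ...", yet the hunk deletes the `"token.actions.githubusercontent.com:aud"` line from the example entirely, so the sentence and the example it introduces now disagree; either keep an `aud` entry under `StringEquals` next to the `sub` entry (set to whatever audience the identity provider was registered with) or reword the sentence so it no longer describes an `aud` check the example does not show. Checking both the audience and the subject is the conservative trust-policy shape, and the commit message's claim that `aud` is always a fixed value should not be relied on in documentation without stating the assumption. Dropping the `ForAllValues:` prefix, on the other hand, is correct on its own: `ForAllValues:StringEquals` evaluates to true when the condition key is absent from the request context, so on a single-valued claim like `sub` plain `StringEquals` is the stricter and intended check.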