By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM Access Analyzer - alert on roles assumed by federated github actions

0

I would like IAM Access Analyzer to alert me when a role is permitted to be assumed by GitHub. Backround: I'm using GitHub actions, which use OIDC to assume roles in my AWS account. IAM Access Analyzer does allow me to define archive rules using the OIDC principal, which is part of the solution. But I also want to check that the roles are limiting based on conditions, such as the repo name. At the moment, it appears only Facebook/Google/Amazon/Cognito is supported. This is what I'd like to check for:

        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::xxxx:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {
                "token.actions.githubusercontent.com:sub": "repo:mygithuborg/mygithubrepo:*"
            }
        }
Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementIAM Access Analyzer
Language
English
AWS-User-0998842
asked 2 years ago468 views
1 Answer
0

Hi,

Thank you for contacting us! I understand that you'd like IAM Access Analyzer to support archiving based on federation with GitHub, and for it to support filtering with condition keys for repositories and sub key. Please correct me if I have misunderstood your concern.

While the service does not yet support those condition key filters [1], we have an option to create a rule with the 'principal.Federated' criterion (it's called 'Federated User' on the console) to filter by the IdP ARN (which is arn:aws:iam::xxxx:oidc-provider/token.actions.githubusercontent.com in your case). From your correspondence I understand that you are aware of this option.

I thank you for your feedback on the service and I shall create a feature request to support your use case. While we do not have an ETA for now, please feel free to keep track of such feature releases on our What's New [2] page for when they arrive.

Let us know if you run into any further questions or concerns!

AWS
SUPPORT ENGINEER
Sumukhi_P
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content