IAM Security notification: token.actions.githubusercontent.com:sub condition key evaluation

We received an email with an IAM Security notification saying "Your role(s) that currently do not evaluate the token.actions.githubusercontent.com:sub condition key are listed in the "Affected resources" tab." Looking at the roles, they both do evaluate the key. Could anyone explain what is wrong with that Trust Policy of one of the flagged roles?

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Federated": "arn:aws:iam::XXXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
			},
			"Action": "sts:AssumeRoleWithWebIdentity",
			"Condition": {
				"StringEquals": {
					"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
				},
				"StringLike": {
					"token.actions.githubusercontent.com:sub": "repo:our-org/*"
				}
			}
		}
	]
}
  • We have ours configured the same way. Received the alert, but not for all environments. Hoping for some clarification if we need to make changes too.

asked 8 months ago, 89 views
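The following is an added worked example, not part of the question or of any answer on this page, and it does not explain why the notification was sent. It models how IAM evaluates the StringEquals/StringLike conditions of a GitHub OIDC trust policy: it parses the policy posted above (account id replaced by a placeholder), reports which operator and patterns constrain the `token.actions.githubusercontent.com:sub` claim, and shows which constructed token subjects would be allowed to assume the role under the org-wide `repo:our-org/*` pattern compared with a constructed variant pinned to one repository and branch. The claim values, the `BRANCH_POLICY` variant, and the helper names are assumptions made for the example.

```python
import json
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"

# Trust policy as posted in the question; the account id is a placeholder.
ORG_WIDE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike":   {"token.actions.githubusercontent.com:sub": "repo:our-org/*"}
    }
  }]
}
""")

# Constructed variant (not from the question) that pins the subject to one repository and branch.
BRANCH_POLICY = json.loads(json.dumps(ORG_WIDE_POLICY))
BRANCH_POLICY["Statement"][0]["Condition"]["StringLike"][SUB_KEY] = "repo:our-org/app:ref:refs/heads/main"


def _as_list(value):
    # IAM accepts a single string or a list of strings for Action and condition values.
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one; everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _is_web_identity_allow(stmt):
    return stmt.get("Effect") == "Allow" and \
        "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action", []))


def sub_conditions(policy):
    """Every (operator, patterns) pair that constrains the sub claim on an Allow statement
    for sts:AssumeRoleWithWebIdentity. An empty list means the sub claim is never evaluated."""
    found = []
    for stmt in policy["Statement"]:
        if not _is_web_identity_allow(stmt):
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            for key, patterns in keys.items():
                if key.lower() == SUB_KEY:  # condition key names are case-insensitive in IAM
                    found.append((operator, _as_list(patterns)))
    return found


def statement_allows(stmt, claims):
    """True if every condition on the statement is satisfied by the token claims.
    Only StringEquals and StringLike are modelled, which is all this policy uses."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            value = claims.get(key.lower())
            if value is None:
                return False  # a claim that is absent from the token never satisfies a positive string condition
            if operator == "StringEquals":
                ok = any(value == p for p in _as_list(patterns))
            elif operator == "StringLike":
                ok = any(_string_like(p, value) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def policy_allows(policy, claims):
    """True if at least one Allow statement for AssumeRoleWithWebIdentity accepts the claims."""
    return any(_is_web_identity_allow(stmt) and statement_allows(stmt, claims)
               for stmt in policy["Statement"])


def github_claims(sub, aud="sts.amazonaws.com"):
    """Constructed claim set keyed by condition key name, as a GitHub Actions OIDC token would populate it."""
    return {SUB_KEY: sub, AUD_KEY: aud}


if __name__ == "__main__":
    print("sub conditions in posted policy:", sub_conditions(ORG_WIDE_POLICY))
    for sub in ("repo:our-org/app:ref:refs/heads/main",
                "repo:our-org/sandbox:pull_request",
                "repo:another-org/app:ref:refs/heads/main"):
        print(f"{sub:45} org-wide={policy_allows(ORG_WIDE_POLICY, github_claims(sub))!s:5} "
              f"branch-pinned={policy_allows(BRANCH_POLICY, github_claims(sub))}")
```

Running it shows that the posted policy does evaluate the sub claim (via StringLike), that `repo:our-org/*` accepts a token from any repository, branch, environment or pull request in the organisation, and that the branch-pinned variant only accepts the one subject it names. The same `sub_conditions` check can be run over every role's trust policy to list the roles where the sub claim is not referenced at all.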
No Answers
