We received an email with an IAM Security notification saying "Your role(s) that currently do not evaluate the token.actions.githubusercontent.com:sub condition key are listed in the "Affected resources" tab."
Looking at the roles, they both do evaluate the key.
Could anyone explain what is wrong with that Trust Policy of one of the flagged roles?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:our-org/*"
        }
      }
    }
  ]
}
We have ours configured the same way. Received the alert, but not for all environments. Hoping for some clarification on whether we need to make changes too.
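Added example (not code from either post above): an offline check that does what a reviewer does by hand with a GitHub OIDC trust policy like the one in the question. It answers two things: whether the policy evaluates `token.actions.githubusercontent.com:sub` under a string-matching operator at all, and which workflows a given `sub` pattern actually admits, by replaying constructed sample `sub` claims (in GitHub's documented `repo:<org>/<repo>:ref:<ref>`, `:pull_request` and `:environment:<name>` shapes) through IAM `StringLike` matching reproduced locally. The organisation `our-org` is taken from the thread; the repository names `payments` and `sandbox-experiments`, the organisation `other-org` and the tightened pattern `repo:our-org/payments:ref:refs/heads/main` are assumptions for illustration.

```python
"""Offline review of a GitHub Actions OIDC trust policy (added example).

IAM StringLike semantics are reproduced locally: '*' matches any run of
characters, '?' one character, matching is case-sensitive.  Condition keys
and operator names are compared case-insensitively, as IAM does.
"""
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"
AUD_KEY = f"{GITHUB_OIDC}:aud"
STRING_OPERATORS = {"stringequals", "stringlike", "stringequalsignorecase"}
ORG_WIDE = re.compile(r"^repo:[^:/*?]+/\*$")  # e.g. repo:our-org/*

# Constructed sample sub claims; repository names are assumptions.
SAMPLE_SUBS = [
    "repo:our-org/payments:ref:refs/heads/main",
    "repo:our-org/payments:ref:refs/heads/feature-x",
    "repo:our-org/payments:pull_request",
    "repo:our-org/payments:environment:prod",
    "repo:our-org/sandbox-experiments:ref:refs/tags/v1",
    "repo:other-org/payments:ref:refs/heads/main",
]

# The trust policy from the question (account id left as the placeholder).
THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::XXXXXXXXXXXXX:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: "repo:our-org/*"},
        },
    }],
}

# Tightened variant for comparison: one repository, one branch (assumed names).
TIGHT_PATTERN = "repo:our-org/payments:ref:refs/heads/main"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def stringlike_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM StringLike value into an anchored regular expression."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def sub_matches(pattern: str, sub: str) -> bool:
    """Would IAM accept a token whose sub claim is `sub` against `pattern`?"""
    return stringlike_to_regex(pattern).match(sub) is not None


def accepted_subs(pattern: str, subs=SAMPLE_SUBS) -> list:
    """Which of the sample workflows could assume a role that trusts `pattern`?"""
    return [s for s in subs if sub_matches(pattern, s)]


def audit_trust_policy(policy: dict) -> list:
    """Return 'CODE: detail' findings for each Allow statement trusting GitHub OIDC."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principals = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in p for p in principals):
            continue
        sub_patterns, aud_seen, sub_wrong_op = [], False, False
        for operator, keys in stmt.get("Condition", {}).items():
            # "ForAnyValue:StringLikeIfExists" -> "stringlike"
            base = operator.lower().split(":")[-1].removesuffix("ifexists")
            for key, value in keys.items():
                if key.lower() == AUD_KEY:
                    aud_seen = True
                elif key.lower() == SUB_KEY:
                    if base in STRING_OPERATORS:
                        sub_patterns.extend(_as_list(value))
                    else:
                        sub_wrong_op = True  # e.g. StringNotLike: does not restrict who may assume
        if not aud_seen:
            findings.append(f"AUD_MISSING: statement {i} does not pin the audience")
        if not sub_patterns:
            how = "only under a negated or non-string operator" if sub_wrong_op else "at all"
            findings.append(f"SUB_MISSING: statement {i} does not evaluate sub {how}; any "
                            "repository that can mint a token for this audience can assume the role")
            continue
        for p in sub_patterns:
            if p == "*" or p.startswith("repo:*"):
                findings.append(f"SUB_ANY: statement {i} pattern {p!r} matches every GitHub repository")
            elif ORG_WIDE.match(p):
                findings.append(f"SUB_ORG_WIDE: statement {i} pattern {p!r} admits every repository, "
                                "branch, tag, pull request and environment in the organisation")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_policy(THREAD_POLICY):
        print(finding)
    print("repo:our-org/* admits:", accepted_subs("repo:our-org/*"))
    print("tight pattern admits:", accepted_subs(TIGHT_PATTERN))
```

Run against the policy in the question, the audit confirms that `sub` is evaluated (so no `SUB_MISSING` finding) and reports only that `repo:our-org/*` is organisation-wide: every repository in `our-org`, on any branch, tag, pull request or environment, matches, while `repo:other-org/...` does not. Whether that breadth is acceptable depends on who can push workflows to repositories in the organisation; the tightened pattern shows what pinning a single repository and branch looks like.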