By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Using a one role for OpenID Connect and GitHub actions, but different permissions

0

Is it possible to have a single IAM role for OpenID Connect, which allows multiple repos, or even the entire GitHub org to assume it, yet have different permissions by repo?

For example, I have a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:org/foo:pull_request",
                        "repo:org/bar:pull_request"
                    ]
                }
            }
        }
    ]
}

And I'd like to grant the repo org/foo one set of permissions and org/bar another.

The idea is to have a single "well-known" role, which we can also hard code, so that we wouldn't have to create separate roles for each repo.

See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Topics
Security, Identity, & Compliance
Tags
IAM Policies
Language
English
profile picture
m0ltar
asked 3 months ago140 views
1 Answer
1

You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.

However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsForRepoFoo",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
                // ... other S3 actions
            ],
            "Resource": "arn:aws:s3:::example-bucket-for-foo/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/foo"
                }
            }
        },
        {
            "Sid": "AllowEC2ActionsForRepoBar",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
                // ... other EC2 actions
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/repo": "org/bar"
                }
            }
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

profile picture
EXPERT
Mina Gobrial - OptimeCloud
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content