AWS cannot filter for many claim keys in trust policies #306
Comments
|
Hi, "Condition": { Mike |
tve
changed the title
|
@mikeviviani yeah, except that documentation is completely wrong... If I remove the "actor" match in my policy and just leave the "aud" match it works (just is insecure). The "sub" match in that documentation isn't even valid json... |
|
I am having the same issue as well when adding a conditional for the Policy {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:actor": "yotixify",
"token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
}
}
}
]
} |
UpdateAfter some more testing it looks like the {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
},
"Null": {
"token.actions.githubusercontent.com:actor": "true"
}
}
}
]
}Is there something on the AWS side that is dropping that value? |
|
@yotixify I can't even get the My solution works without any conditions (big security hole) but as soon as I add a condition on Which version of Thanks. |
|
Im currently referencing master, I am not at my computer but i can provide a cloudformation template example that limits it by repostory name. Not ideal for scalability but works in a pinch. I plan to open a ticket with AWS on this issue in Monday related to the '''actor''' tag. |
|
Thanks for coming back to me. Interesting that you are using Do you happen to know if As far as I can tell that is a valid test value for Thanks. |
|
OK, so its case sensitive and that was the problem all along. Thanks. |
What is case-sensitive? Did you get the actor match to work? |
|
Sorry, I should have been clearer, case sensitivity on the |
|
I mixed up Doesn't work: Works: |
|
Was there further guidance on getting the |
I'm having the same problem with |
|
I've found some evidence here that custom claims aren't supported in I've seen similar when I tried to set |
|
I think this covers the supported token fields: |
|
In the example given in the Github Actions docs: Notice that |
|
|
I am using |
with AWS? Could you post an example please? |
Works for me! |
I think it isn't doing what you think it is. Try changing the owner condition to something random and it will still let you in (so you are currently very insecure). From the AWS Docs:
I think it is for testing a different type of request that has multiple sets of key/values in. The name seems really confusing. |
|
Woops, you are correct! ForAllValues behaves as you said. After testing more thoroughly, I could not find a way to make it work correctly with |
|
Google brought me here. Thanks @mungojam for finding the AWS documentation on a list of supported claims. The GitHub doc should be improved because One should always use |
Note that I seem to be having to abuse the `repositories` field a bit (is
this field badly named?) in order to get this
`repo:guardian/facia-scala-client:*` value:
```
- Action: sts:AssumeRoleWithWebIdentity
Condition:
StringLike:
token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:*
```
...which is apparently the format required:
aws-actions/configure-aws-credentials#306 (comment)
Running the tests for this project requires read access to s3://facia-tool-store/DEV/, so we need to provide the GitHub Action with AWS credentials for a AWS role that allows that. We're using https://github.com/aws-actions/configure-aws-credentials to grant the credentials, and https://github.com/guardian/cdk to create the AWS Role (as we're adding cdk, we get half a dozen new files in the new `cdk` folder!). Specific IAM permissions required --------------------------------- Even though all the FAPI client does, in terms of S3 API calls, is call `getObject`, we need more than the `s3:GetObject` permission. We also need `s3:ListBucket` because FAPI sometimes has to request objects that don't exist ...and without `s3:ListBucket`, S3 will throw a `AccessDenied` error even tho' you're possess the `s3:GetObject permission`: https://stackoverflow.com/a/56027548/438886 Abusing the repositories field ------------------------------ Try to be specific to grant just this repo permissions Note that I seem to be having to abuse the `repositories` field a bit (is this field badly named?) in order to get this `repo:guardian/facia-scala-client:*` value: ``` - Action: sts:AssumeRoleWithWebIdentity Condition: StringLike: token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:* ``` ...which is apparently the format required: aws-actions/configure-aws-credentials#306 (comment) Co-authored-by: Akash Askoolum <[email protected]>
Running the tests for this project requires read access to s3://facia-tool-store/DEV/, so we need to provide the GitHub Action with AWS credentials for a AWS role that allows that. We're using https://github.com/aws-actions/configure-aws-credentials to grant the credentials, and https://github.com/guardian/cdk to create the AWS Role (as we're adding cdk, we get half a dozen new files in the new `cdk` folder!). Specific IAM permissions required --------------------------------- Even though all the FAPI client does, in terms of S3 API calls, is call `getObject`, we need more than the `s3:GetObject` permission. We also need `s3:ListBucket` because FAPI sometimes has to request objects that don't exist ...and without `s3:ListBucket`, S3 will throw a `AccessDenied` error even tho' you're possess the `s3:GetObject permission`: https://stackoverflow.com/a/56027548/438886 Abusing the repositories field ------------------------------ Try to be specific to grant just this repo permissions Note that I seem to be having to abuse the `repositories` field a bit (is this field badly named?) in order to get this `repo:guardian/facia-scala-client:*` value: ``` - Action: sts:AssumeRoleWithWebIdentity Condition: StringLike: token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:* ``` ...which is apparently the format required: aws-actions/configure-aws-credentials#306 (comment) Co-authored-by: Akash Askoolum <[email protected]>
Running the tests for this project requires read access to s3://facia-tool-store/DEV/, so we need to provide the GitHub Action with AWS credentials for a AWS role that allows that. We're using https://github.com/aws-actions/configure-aws-credentials to grant the credentials, and https://github.com/guardian/cdk to create the AWS Role (as we're adding cdk, we get half a dozen new files in the new `cdk` folder!). Specific IAM permissions required --------------------------------- Even though all the FAPI client does, in terms of S3 API calls, is call `getObject`, we need more than the `s3:GetObject` permission. We also need `s3:ListBucket` because FAPI sometimes has to request objects that don't exist ...and without `s3:ListBucket`, S3 will throw a `AccessDenied` error even tho' you're possess the `s3:GetObject permission`: https://stackoverflow.com/a/56027548/438886 Abusing the repositories field ------------------------------ Try to be specific to grant just this repo permissions Note that I seem to be having to abuse the `repositories` field a bit (is this field badly named?) in order to get this `repo:guardian/facia-scala-client:*` value: ``` - Action: sts:AssumeRoleWithWebIdentity Condition: StringLike: token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:* ``` ...which is apparently the format required: aws-actions/configure-aws-credentials#306 (comment) Co-authored-by: Akash Askoolum <[email protected]>
peterwoodworth
added
needs-triage
|
peterwoodworth
added
the
service-limitation
|
Reopening for visibility, but more importantly to track that this issue is related to a limitation in AWS (maybe we can push this internally) |
|
Hi y'all 👋 Just wanted to let y'all know there's a workaround for this issue, but it comes with some big caveats, namely, the fact that you'll need to utilize AWS Cognito rather than STS directly, which means it would almost certainly require some changes to this project in order to get working (disclaimer: I don't actually use this Github Action, I was just pointed here by an altruistic coworker). In a nutshell, the idea is this:
Now you'll have to actually interface with AWS Cognito instead of just straight up going straight to STS. It's a quick 1-2 punch that goes like this:
Again, this would almost certainly require changes to this project, but I thought it'd be worth offering up as a potential workaround if anyone felt particularly ambitious! I tested to make sure all of this works using the AWS CLI and I can confirm that it does, albeit with a bit of additional cost to the user. |
|
As an alternative to @SwiftEngineer 's workaround, Github does have docs suggesting that for providers that only look at certain wellknown claims for authorization, that we can modify what is passed in the sub claim with some of the other custom claims. This does however seem quite complicated to get setup, and as such I've not tested it myself. |
|
Arkadaşlar siz uçmuşssunuz bilmiyorum sizi yakalayabilirmiyimde inanın doktorların yazdığı reçete gibi konuşuyorsunuz. Hiç bir kelimenizi anlayamıyorum. Bari konudan bahsederken ne işe yaradığını düzeltme veya kodu yazınca nasıldı hangi işi pratikte görebileceğini bunlarıda açıklarsanız inanın sevinirim. |
|
@JMoserCricut I tried what you offered, and it seems to be working 😄 Here's my setup-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::unfor19-gha-play-private/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:unfor19/gha-play-private:actor:unfor19"
}
}
}
]
}
Created input file for PUT request body - {
"use_default": false,
"include_claim_keys": ["repo", "actor"]
}Used GitHub REST API to PUT custom subject OIDC claims gh api -X PUT repos/unfor19/gha-play-private/actions/oidc/customization/sub --input .input.jsonUsed GitHub REST API to get GET custom subject OIDC claims (to verify) gh api -X GET repos/unfor19/gha-play-private/actions/oidc/customization/subResponse: {
"use_default": false,
"include_claim_keys": [
"repo",
"actor"
]
}So far, I'm all set; now it's time to set the workflow-
name: AWS example workflow
on:
workflow_dispatch: {}
env:
BUCKET_NAME: unfor19-gha-play-private
AWS_REGION: eu-west-1
ROLE_TO_ASSUME_ARN: arn:aws:iam::123456789012:role/unfor19-gha-play-private-role
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
S3PackageUpload:
runs-on: ubuntu-latest
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ env.ROLE_TO_ASSUME_ARN }}
role-session-name: samplerolesession
aws-region: ${{ env.AWS_REGION }}
# Upload a file to AWS s3
- name: Copy index.html to s3
run: |
date > index.html
aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/The above setup works; @lukas-hetzenecker, thanks for the tip! |
|
@unfor19 I've noticed that your include_claim_keys are: So I think the solution would be to either remove for workflows running from the main branch |
|
@lukas-hetzenecker - I think that it means I'm just sending "extra info" from GitHub to AWS; so I'm sending the extra |
|
All of the extra information is always part of the JSON Web Token, it is just the AWS does not support custom claims, and therefore cannot use any of that extra attributes (actor, etc.). AWS only allows you to use the With |
|
@lukas-hetzenecker You are right! I've just tested the following-
{
"use_default": false,
"include_claim_keys": ["repo", "actor"]
}And AWS Trust Relationship - {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:unfor19/gha-play-private:actor:unfor19"
}
}
}
]
}Thanks for the tip, updated my solution |
|
This snippet might be useful for anyone getting this working. It will print out all the info in the token. Just use it in a private repo and not in a live setting though |
|
We now have a section in our docs with what's now the most up-to-date information on the topic. Being able to customize the |
peterwoodworth
changed the title
I'm trying to match the GITHUB_ACTOR in my IAM trust relationship policy and cannot make it work. Is this supposed to work? The trust policy I have is:
The error I get is:
In my workflow I print
${{ github.actor }}and it matches what I have in the trust policy. Is there a way to get a log of the actual JWT token that IAM receives?The text was updated successfully, but these errors were encountered: