
docs: Document GitHub Open ID Connect integration

Open br3ndonland opened this issue 4 years ago • 3 comments

Issue #, if available:

aws-actions/configure-aws-credentials#280 aws-actions/configure-aws-credentials#281

Description of changes:

Thank you for the OpenID Connect ("OIDC") guidance in the README. However, I was confused when I read through it recently, because:

  • There were no links to any documentation, either from AWS or GitHub
  • The recommendation was added to the README before GitHub announced OIDC support

This PR will add links to the relevant documentation from both GitHub and AWS. I think it would point people in the right direction, if they're seeing this OIDC info here for the first time. Thanks for your consideration.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

br3ndonland avatar Oct 28 '21 22:10 br3ndonland

Thanks for this PR, helped me implement OIDC! However, at first I got it badly wrong, granting all GitHub users access to the AWS role! Specifically, the GitHub docs have a little sentence stating "By default, the validation only includes the audience (aud) condition, so you must manually add a subject (sub) condition" which to me was just gobbledygook, so I didn't configure an additional condition. Oops. It might be helpful to:

  • add a little phrase to "ensure you restrict access to the AWS role in IAM by specifying a condition in addition to the audience (aud) condition. Otherwise any GitHub user can access the role"
  • add a link: Claims sent by GitHub that can be checked in conditions
  • add a link: Condition syntax and operators in AWS (took me a while to find that one)

tve avatar Nov 04 '21 15:11 tve
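As an added illustration of the point made in the comment above (example code added to this page, not part of the PR, GitHub's docs, or the action's own code): a simplified model of how an IAM role trust policy's `Condition` block gates `sts:AssumeRoleWithWebIdentity` for a GitHub Actions OIDC token. It places the weak trust policy (audience check only) beside the corrected one (audience plus subject), and evaluates both against constructed token claims from the intended repository and from an unrelated one. The account ID `123456789012` and the repository `example-org/example-repo` are placeholders; the evaluator covers only the `StringEquals` and `StringLike` operators and is not IAM's full policy engine.

```python
"""Model of an IAM trust policy Condition for GitHub OIDC (added example).

Every GitHub Actions OIDC token carries aud=sts.amazonaws.com when used with
configure-aws-credentials, so a trust policy that checks only `aud` accepts a
token from any repository on GitHub. Pinning `sub` closes that hole.
IAM semantics modelled here: operators are ANDed, listed values for one key
are ORed, a missing key fails, StringLike treats * and ? as wildcards.
"""
import re

OIDC_PROVIDER = "token.actions.githubusercontent.com"
AUD_KEY = f"{OIDC_PROVIDER}:aud"
SUB_KEY = f"{OIDC_PROVIDER}:sub"
# Placeholder account ID; the real ARN is account-specific.
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"

# Weak: only the audience is checked, so any GitHub repository can assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
}

# Corrected: the subject is additionally pinned to one (placeholder) repository.
# `repo:<owner>/<repo>:*` matches every ref/environment/pull_request of that repo;
# use StringEquals with the full sub (e.g. ...:ref:refs/heads/main) to go tighter.
SAFE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"},
        },
    }],
}


def _string_like(pattern: str, value: str) -> bool:
    """StringLike: `*` matches any run of characters, `?` exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def condition_allows(condition: dict, claims: dict) -> bool:
    """All operators must pass; within one key any listed value may match."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, allowed in keys.items():
            allowed_values = allowed if isinstance(allowed, list) else [allowed]
            actual = claims.get(key)
            if actual is None or not any(match(p, actual) for p in allowed_values):
                return False
    return True


def can_assume(trust_policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity accepts the claims."""
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
        and condition_allows(stmt.get("Condition", {}), claims)
        for stmt in trust_policy["Statement"]
    )


def claims_for(repo: str, ref: str = "refs/heads/main") -> dict:
    """Constructed subset of a GitHub OIDC token, keyed the way IAM exposes it."""
    return {AUD_KEY: "sts.amazonaws.com", SUB_KEY: f"repo:{repo}:ref:{ref}"}


OUR_REPO = claims_for("example-org/example-repo")
STRANGER = claims_for("someone-else/unrelated-repo")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("safe", SAFE_TRUST_POLICY)):
        print(name, "our repo:", can_assume(policy, OUR_REPO),
              "stranger:", can_assume(policy, STRANGER))
```

Running it shows the weak policy admitting both tokens and the corrected policy admitting only the pinned repository; note that `repo:example-org/example-repo:*` does not match a similarly named repository such as `example-org/example-repo-fork`, because the wildcard only begins after the `:` that ends the repository name.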

Great suggestions @tve, thanks! Your point about the subject condition in the assume role policy is a particularly important one. I've updated the PR accordingly.

br3ndonland avatar Nov 06 '21 19:11 br3ndonland

One note for people following along, the @v1 tag currently doesn’t include OIDC support, even though the docs say to use @v1. You’ll either need to pin to a recent commit or use @master until they make a new release.

https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-942829890

Update: I see that v1.6.0 was just released which includes OIDC support: https://github.com/aws-actions/configure-aws-credentials/blob/v1.6.0/CHANGELOG.md#160-2021-11-23

danielcompton avatar Nov 24 '21 21:11 danielcompton

@mergifyio update

peterwoodworth avatar Oct 05 '22 01:10 peterwoodworth

update

✅ Branch has been successfully updated

mergify[bot] avatar Oct 05 '22 01:10 mergify[bot]