aws-secrets-manager-action icon indicating copy to clipboard operation
aws-secrets-manager-action copied to clipboard

Published 20 hours ago verified publisher icon abhilash1in

A concern for secrets security

Open barywhyte opened this issue 2 years ago • 2 comments

This is not an issue. Please pardon me as I do not know where to put this

So I am implementing Github OpenID connect to retrieve secrets from AWS secretsmanager instead AWS user that uses AWS credentials. I do not want to store any secrets using Github secret. It also look like OpenID Connect is Git action's preferred method of authentication into AWS. So I went for it with terraform aws_iam_openid_connect_provider resource as seen https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider

Here is my workflow after deploying the AWS role

jobs:
  trigger-build:
    runs-on: ubuntu-latest

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::{aws_account_id}:role/AWSRole
          audience: sts.amazonaws.com

      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: bitovi/[email protected]
        with:
          secrets: |
            my_secret
          parse-json: true
      - name: Trigger Pipeline
        env:
          CIRCLE_BRANCH: ${{ github.head_ref }}
          TOKEN: ${my_secret}

My concern/question (and please forgive my naivety) is that: is it possible for an attacker to copy this entire code and use it in a different git action jobs to access my secrets `my_secret'? I don't seems to find additional protection for this chunk of code

barywhyte avatar Sep 02 '22 13:09 barywhyte

First of all, you might need to fix your text's format. The question is hidden in code as you did enter ``` with indentation.

Secondly, it has to do with the Role's Assume Policy. The role can have an Assume Policy that prevents access from other repositories. You can see an example below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubRepositoryAccess",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[...]:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:<USERNAME>/<REPO>:*"
                }
            }
        }
    ]
}

This one allows access to assume the AWS Role only from <USERNAME>/<REPO> repository workflows.

Hope I helped!

operatorequals avatar Sep 06 '22 07:09 operatorequals

@operatorequals That helped! Thank you! And thanks too for the correction about text alignment.

barywhyte avatar Sep 06 '22 07:09 barywhyte