configure-aws-credentials
GitHub OIDC trust condition
I would like to create a trust relationship for an AWS Role federated from GitHub via OIDC that restricts access to request a token based on the two conditions below:
a pull request to master in this repo
a push to master in this repo
I currently have the below condition working but am struggling to restrict the permissions of the Role in AWS to only a pull request to master (and not to any branch):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:opeville/identity-opeville:ref:refs/heads/master",
            "repo:opeville/identity-opeville:pull_request"
          ]
        }
      }
    }
  ]
}
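The following is an added example, not code from the issue or from the configure-aws-credentials project. It evaluates the `sub` condition above the way IAM does (StringLike: case-sensitive, `*` any run, `?` one character; since `sub` is a single-valued key, `ForAnyValue:StringLike` reduces to plain `StringLike`) against the `sub` formats GitHub documents for its OIDC token: `repo:OWNER/REPO:ref:REF` for pushes, `repo:OWNER/REPO:pull_request` for pull_request events, and `repo:OWNER/REPO:environment:NAME` for any job bound to an environment. The base branch of a pull request is only carried in the separate `base_ref` claim, not in the default `sub`, so no wildcard on `sub` can tell a PR into master from a PR into another branch. The environment-scoped pattern (`ENVIRONMENT_PATTERNS`) and the environment name `master` are assumptions used for illustration; they show the usual workaround of binding the job to an environment and matching that in the trust policy.

```python
import re

# Constructed copy of the condition values from the trust policy in the
# question (same repository name as the question uses).
POLICY_SUB_PATTERNS = [
    "repo:opeville/identity-opeville:ref:refs/heads/master",
    "repo:opeville/identity-opeville:pull_request",
]

# Assumed alternative: trust only jobs that run under a GitHub environment
# named "master" (hypothetical name chosen for this example).
ENVIRONMENT_PATTERNS = [
    "repo:opeville/identity-opeville:environment:master",
]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive match where '*' matches any
    sequence of characters and '?' matches exactly one. Everything else is
    literal, so ':' and '/' in the sub claim need no escaping by the author."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_allows(patterns, sub: str) -> bool:
    """The sub claim is single-valued, so ForAnyValue:StringLike is satisfied
    when any one policy pattern matches the single claim value."""
    return any(string_like(p, sub) for p in patterns)


def github_sub(repo: str, event: str, ref: str = None, environment: str = None) -> str:
    """Build the sub claim GitHub issues for a job, following the documented
    formats. A job bound to an environment always gets the environment form,
    whatever event triggered it; otherwise pull_request events get the bare
    'pull_request' form (no base branch), and everything else gets ref:REF."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"


def evaluate(patterns, repo: str = "opeville/identity-opeville") -> dict:
    """Run representative jobs through a sub condition and report which of
    them would be allowed to call sts:AssumeRoleWithWebIdentity."""
    scenarios = {
        "push to master": github_sub(repo, "push", ref="refs/heads/master"),
        "push to feature branch": github_sub(repo, "push", ref="refs/heads/feature/x"),
        # Both PR scenarios produce the identical sub value: the token's
        # base_ref claim differs, but sub does not carry it.
        "pull_request targeting master": github_sub(repo, "pull_request"),
        "pull_request targeting develop": github_sub(repo, "pull_request"),
        "push to master, job bound to environment 'master'": github_sub(
            repo, "push", ref="refs/heads/master", environment="master"
        ),
    }
    return {name: condition_allows(patterns, sub) for name, sub in scenarios.items()}


if __name__ == "__main__":
    for label, patterns in (("policy from the issue", POLICY_SUB_PATTERNS),
                            ("environment-scoped policy", ENVIRONMENT_PATTERNS)):
        print(f"== {label}")
        for name, allowed in evaluate(patterns).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {name}")
```

Run as a script, the first table shows the issue's policy admitting every pull_request job regardless of base branch, and the second shows the environment form rejecting everything except a job that declared `environment: master`. On its own that only proves the job used the environment; restricting which branches may deploy to that environment is done on the GitHub side with the environment's deployment branch rules, not in the trust policy.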
I might be way off with this suggestion, but would it be worth doing this on the GH Actions side? Something like:
on:
  pull_request_target:
    types:
      - opened
    branches:
      - 'master'
  push:
    branches:
      - 'master'
Reference: GH docs
Closing in favor of https://github.com/aws-actions/configure-aws-credentials/issues/390, thanks for the issue submission!
⚠️Comment Visibility Warning⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Sorry, there's another related issue I meant to link to. https://github.com/aws-actions/configure-aws-credentials/issues/454
The last issue I linked isn't a direct duplicate since that feature request won't work for OIDC