actions2aws
Considerations about Potential Privilege Escalation
Hi. Thank you for sharing your solution 😀. I just came across your implementation and had a look at your diagram. I'm asking myself how the Lambda makes sure the requested credentials are delivered to an action belonging to your repos/org. What's preventing a malicious GitHub action, with any valid GitHub repo and any valid user session token, from generating a key pair, calling the API and getting your AWS creds? Any thoughts on this? Kind regards, Rocco
I think the main constraint is the permitted org config?
Hi @codethatrocks, apologies for not responding significantly sooner. I must have misconfigured my GitHub notification settings as I don't recall getting an email about this.
As @mykter said, the main constraint is the permitted org config. Technically any action (or just a person using curl on their laptop) can make a request to the Lambda API if they know the URL. They will even receive a valid response if the request payload specifies the right repo, run ID, job name and step name (all public info). But that response will be encrypted using a public key corresponding to a private key that they don't have, so it's not a huge problem.
Does that answer your question?
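The exchange above, as an added example that is not actions2aws's own code: a model of the two gates the maintainer describes. The caller sends only public identifiers (repo, run ID, job, step); the Lambda first checks the repo owner against the permitted-org list, then seals the credentials to a public key that is bound to that run rather than supplied in the request. Everything about how the key is bound is an assumption here (the `lookup` function stands in for whatever the real deployment does), as are the permitted-org shape and the cipher choice (ephemeral X25519 plus AES-256-GCM, with the request identifiers as associated data). A curl from a laptop that knows the public identifiers gets a well-formed envelope it cannot open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// Request is the public, unauthenticated information any caller can send.
type Request struct{ Repo, RunID, Job, Step string }
// Envelope is the response: credentials sealed to one recipient public key.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }

func newKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// authorize is the first gate: only repos under a permitted org get a response.
func authorize(permittedOrgs []string, req Request) error {
	owner, _, ok := strings.Cut(req.Repo, "/")
	if !ok || owner == "" {
		return errors.New("malformed repo")
	}
	for _, org := range permittedOrgs {
		if strings.EqualFold(org, owner) {
			return nil
		}
	}
	return errors.New("org not permitted: " + owner)
}

// aad binds the ciphertext to the exact run/job/step it was issued for.
func aad(req Request) []byte {
	return []byte(strings.Join([]string{req.Repo, req.RunID, req.Job, req.Step}, "\x00"))
}

// aeadFor runs X25519 between priv and peerPub, then hashes the shared secret
// with both public keys into an AES-256-GCM key (a simple stand-in for HKDF).
func aeadFor(priv *ecdh.PrivateKey, peerPub, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	blk, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// sealFor encrypts creds so only the holder of the private key matching recipientPub can read them.
func sealFor(recipientPub, creds []byte, req Request) (Envelope, error) {
	eph, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, recipientPub, ephPub, recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, creds, aad(req))}, nil
}

// unseal is the runner side: only the matching private key recovers the creds, and only for the same request.
func unseal(priv *ecdh.PrivateKey, env Envelope, req Request) ([]byte, error) {
	gcm, err := aeadFor(priv, env.EphemeralPub, env.EphemeralPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad(req))
}

// handle models the Lambda. lookup is an assumption standing in for however a deployment
// learns which public key belongs to a run; the caller never supplies the key in the request.
func handle(permittedOrgs []string, req Request, lookup func(Request) ([]byte, bool), creds []byte) (Envelope, error) {
	if err := authorize(permittedOrgs, req); err != nil {
		return Envelope{}, err
	}
	pub, ok := lookup(req)
	if !ok {
		return Envelope{}, errors.New("no public key recorded for this run")
	}
	return sealFor(pub, creds, req)
}
```

The design point is in `handle`: the request never carries a public key, so an impostor cannot simply substitute their own. The associated data also ties each envelope to one run/job/step, so an envelope captured for one run does not open as the answer to another even with the right private key.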