Remove OIDC IAM role secret #240
Merged
This change removes references to an OIDC IAM role secret and uses the role directly instead. When we wrote this module, we thought it was a security best practice to obfuscate the AWS account number and role name for OIDC. However, the ARN is just an identifier for the IAM role that a GitHub Actions workflow will assume. Unlike access keys, the role ARN doesn't grant access to AWS resources. Permissions on the role prevent a workflow in another repo from assuming the role even if they know the ARN.
It's now our standard practice to include the ARN in workflows to avoid the maintenance of an additional secret. This change updates workflow references as well as our recommendations in the OIDC templates.
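As an added illustration (not part of this PR or the module it changes) of why the role ARN needs no secret: a Python sketch that builds the repository-scoped trust policy the description relies on and audits a policy for the `aud`/`sub` conditions that do the actual access control. The account, role and repository values are constructed placeholders, and `audit_trust_policy` is a hypothetical local check, not an AWS or GitHub API.

```python
# Constructed placeholder values; not a real account, role or repository.
ACCOUNT = "123456789012"
OIDC_PROVIDER = f"arn:aws:iam::{ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"
GITHUB_OIDC = "token.actions.githubusercontent.com"


def trust_policy(repo: str, ref: str = "refs/heads/main") -> dict:
    """Trust policy letting only one repository's workflows on one ref assume the role.
    The Condition block, not secrecy of the role ARN, is what keeps other repos out."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": f"repo:{repo}:ref:{ref}",
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list[str]:
    """One finding per Allow statement on AssumeRoleWithWebIdentity whose conditions
    would not restrict the caller to a single GitHub repository."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Flatten every condition operator block into one key -> list-of-values map.
        conds = {k: (v if isinstance(v, list) else [v])
                 for block in stmt.get("Condition", {}).values() for k, v in block.items()}
        if "sts.amazonaws.com" not in conds.get(f"{GITHUB_OIDC}:aud", []):
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = conds.get(f"{GITHUB_OIDC}:sub", [])
        if not subs:
            findings.append(f"statement {i}: no sub condition; any GitHub repository could assume the role")
        for sub in subs:
            # "repo:<owner>/<name>:..." names one repository; a wildcard in that slot does not.
            parts = sub.split(":")
            if parts[0] != "repo" or len(parts) < 2 or "*" in parts[1]:
                findings.append(f"statement {i}: sub {sub!r} is not scoped to a single repository")
    return findings


# Weak variant for comparison: with aud alone, a token from any GitHub repository is accepted.
WEAK_POLICY = trust_policy("example-org/example-repo")
del WEAK_POLICY["Statement"][0]["Condition"]["StringEquals"][f"{GITHUB_OIDC}:sub"]
```

Running `audit_trust_policy` over a role's actual trust document is the check to make before publishing its ARN in a workflow: a clean result means the repo-scoped `sub` condition is doing the work the removed secret was assumed to do.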