Clarification in trust-relationship policy example #12137
Conversation
IAM will perform an OR operation, not AND. use: ForAllValues to properly use AND. reference: [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html)
|
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
github-actions
bot
added
the
triage
Automatically generated comment ℹ️This comment is automatically generated and will be overwritten every time changes are committed to this branch. The table contains an overview of files in the Content directory changesYou may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
|
conradt-paf
changed the title
conradt-paf
changed the title
ramyaparimi
added
content
|
@conradt-paf |
I've tested a wide variety of cases and compared to Cloudtrail Events. only `sub` is currently sent to and compared in AWS open-id connector for GitHub. `aud` will *always* be sts.amazonaws.com So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub` which contains this information: `"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"` If the conditional StringLike is used, wildcard can be used for `branch-name` There might be other things to touch up on in this README.md to reflect this information
conradt-paf
changed the title
conradt-paf
changed the title
Using |
|
Tested and working, that was the final commit. You may push to this fork/branch if possible |
Thank you, I added even more clarification after rigorous testing and trying to find out how this works |
ramyaparimi
added
the
actions
|
Status update: I've asked for tech review of these proposed changes 👍 |
|
Update: just doing some final checks |
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
|
Status update: confirming tech review |
|
Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues ⚡ |
I've tested a wide variety of cases and compared to Cloudtrail Events.
only
subis currently sent to and compared in AWS open-id connector for GitHub.audwill always be sts.amazonaws.com, making theaudstring used in the example obsolete (and possibly misleading)So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on
subwhich (currently only) contain this information:"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"If the conditional StringLike is used, wildcard can be used for
branch-nameThere might be other things to touch up on in this README.md to reflect this information
Why:
fix some confusion
What's being changed:
IAM policy example will correctly check for
audandsubclaim that AWS openid-connector uses.subclaim inherently contains organization claim already.We also use
ForAllValuesto correctly perform an AND operation (instead of OR)Check off the following:
Writer impact (This section is for GitHub staff members only):