Skip to content

AWS cannot filter for many claim keys in trust policies #306

New issue
New issue
Open
Open
AWS cannot filter for many claim keys in trust policies#306
Labels
p2service-limitationThis is not currently supported by Github or AWS
@tve

Description

@tve
tve
opened on Nov 4, 2021

I'm trying to match the GITHUB_ACTOR in my IAM trust relationship policy and cannot make it work. Is this supposed to work? The trust policy I have is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::00000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:actor": "tve",
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

The error I get is:

Run aws-actions/configure-aws-credentials@master
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

In my workflow I print ${{ github.actor }} and it matches what I have in the trust policy. Is there a way to get a log of the actual JWT token that IAM receives?

Activity

mikeviviani

mikeviviani commented on Nov 4, 2021

@mikeviviani
mikeviviani
on Nov 4, 2021 · edited by mikeviviani

Hi,
Looking at your IAM role, I do think your aud is not the correct one.
Based on the documentation ### (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) aud contains your GH Org

"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
"token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"

Mike

tve
changed the title [-]Cannot match actor tagwhen using OIDC[/-] [+]Cannot match actor tag when using OIDC[/+] on Nov 4, 2021
tve

tve commented on Nov 4, 2021

@tve
tve
on Nov 4, 2021 · edited by tve
Author

@mikeviviani yeah, except that documentation is completely wrong... If I remove the "actor" match in my policy and just leave the "aud" match it works (just is insecure). The "sub" match in that documentation isn't even valid json...
(I don't remember where I got the aud match for sts.amazonaws.com from Edit: the "sts.amazonaws.com" aud match comes from #280 (comment))

yotixify

yotixify commented on Nov 17, 2021

@yotixify
yotixify
on Nov 17, 2021 · edited by yotixify

I am having the same issue as well when adding a conditional for the actor tag. When I remove the actor tag I have no issues and the sub conditional works fine, when the actor tag is added into the conditional I get the following error:

Run aws-actions/configure-aws-credentials@master
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:actor": "yotixify",
          "token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
        }
      }
    }
  ]
}
yotixify

yotixify commented on Nov 17, 2021

@yotixify
yotixify
on Nov 17, 2021

Update

After some more testing it looks like the token.actions.githubusercontent.com:actor key is either missing or null in the policy condition. I dumped a jwt token from the OIDC connector to verify that the actor tag was in the jwt from the provider so it is getting passed into aws. However when I change the conditional to a Null action with a value of true instead of a StringLike the condition passes and github actions is able to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
        },
        "Null": {
          "token.actions.githubusercontent.com:actor": "true"
        }
      }
    }
  ]
}

Is there something on the AWS side that is dropping that value?

CallumHibbert

CallumHibbert commented on Nov 19, 2021

@CallumHibbert
CallumHibbert
on Nov 19, 2021

@yotixify I can't even get the token.actions.githubusercontent.com:sub condition to work.

My solution works without any conditions (big security hole) but as soon as I add a condition on token.actions.githubusercontent.com:sub it fails (I'm very sure I have the test value correct).

Which version of aws-actions/configure-aws-credentials are you referencing? I'm referencing @master, do you have something else?

Thanks.

yotixify

yotixify commented on Nov 19, 2021

@yotixify
yotixify
on Nov 19, 2021

Im currently referencing master, I am not at my computer but i can provide a cloudformation template example that limits it by repostory name. Not ideal for scalability but works in a pinch. I plan to open a ticket with AWS on this issue in Monday related to the '''actor''' tag.

CallumHibbert

CallumHibbert commented on Nov 20, 2021

@CallumHibbert
CallumHibbert
on Nov 20, 2021

Thanks for coming back to me. Interesting that you are using @master too.

Do you happen to know if repo:my-org-name-here/* is valid to restrict by Org as a proof of concept (agree that tigher restrictions might make sense in a production implementation)?

As far as I can tell that is a valid test value for token.actions.githubusercontent.com:sub but it won't work for me.

Thanks.

CallumHibbert

CallumHibbert commented on Nov 20, 2021

@CallumHibbert
CallumHibbert
on Nov 20, 2021

OK, so its case sensitive and that was the problem all along. Thanks.

tve

tve commented on Nov 21, 2021

@tve
tve
on Nov 21, 2021
Author

so its case sensitive and that was the problem all along

What is case-sensitive? Did you get the actor match to work?

CallumHibbert

CallumHibbert commented on Nov 21, 2021

@CallumHibbert
CallumHibbert
on Nov 21, 2021

Sorry, I should have been clearer, case sensitivity on the token.actions.githubusercontent.com:sub match in the AWS conditions that I was having trouble with (bringing me to this thread originally).

martijngastkemper

martijngastkemper commented on Nov 26, 2021

@martijngastkemper
martijngastkemper
on Nov 26, 2021

I mixed up StringEquals and StringLike

Doesn't work:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
  }
}

Works:

"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
  }
}
rsclarke-vgw

rsclarke-vgw commented on Dec 1, 2021

@rsclarke-vgw
rsclarke-vgw
on Dec 1, 2021
Contributor

Was there further guidance on getting the actor conditional claim to work? I'm equally trying with workflow to no avail.

mungojam

mungojam commented on Feb 10, 2022

@mungojam
mungojam
on Feb 10, 2022

Was there further guidance on getting the actor conditional claim to work? I'm equally trying with workflow to no avail.

I'm having the same problem with token.actions.githubusercontent.com:repository_owner. To me it seems that it's a bug in AWS itself. I can see the property in the token itself when I decode it, but IAM doesn't appear to think it exists. You can verify that by changing the condition to StringEqualsIfExists which then passes because IAM doesn't see it for some reason.

mungojam
mentioned this on Feb 10, 2022

22 remaining items

peterwoodworth
reopened this on Oct 8, 2022
SwiftEngineer

SwiftEngineer commented on Dec 17, 2022

@SwiftEngineer
SwiftEngineer
on Dec 17, 2022 · edited by SwiftEngineer

Hi y'all 👋 Just wanted to let y'all know there's a workaround for this issue, but it comes with some big caveats, namely, the fact that you'll need to utilize AWS Cognito rather than STS directly, which means it would almost certainly require some changes to this project in order to get working (disclaimer: I don't actually use this Github Action, I was just pointed here by an altruistic coworker).

In a nutshell, the idea is this:

  1. Create a Cognito Identity Pool and connect it to the AWS IAM Open ID Connect Provider you are using now (i.e. arn:aws:iam::00000000:oidc-provider/token.actions.githubusercontent.com)
  2. Create a role mapping rule that checks whatever claim you would like to verify and assigns the role you'd like based on that value
  3. Modify the trust policy of the role you want to assume so that it can be assumed via role mapping, or better yet, create a whole new one so you don't break your existing stuff
  4. Congrats. You now have a Cognito Identity Pool that you can fetch temporary credentials from that checks the value of custom claims before allowing users to assume a role 🎉

Now you'll have to actually interface with AWS Cognito instead of just straight up going straight to STS. It's a quick 1-2 punch that goes like this:

  1. Use your AWS account ID, the ID of the Cognito Identity Pool, and the OIDC token from Github Actions to get an ID
  2. Use the ID you got from the previous step, the ID of the Cognito Identity Pool, and the same OIDC token from Github Actions you used in the previous step to get credentials for that ID

Again, this would almost certainly require changes to this project, but I thought it'd be worth offering up as a potential workaround if anyone felt particularly ambitious! I tested to make sure all of this works using the AWS CLI and I can confirm that it does, albeit with a bit of additional cost to the user.

JMoserCricut

JMoserCricut commented on Jan 18, 2023

@JMoserCricut
JMoserCricut
on Jan 18, 2023

As an alternative to @SwiftEngineer 's workaround, Github does have docs suggesting that for providers that only look at certain wellknown claims for authorization, that we can modify what is passed in the sub claim with some of the other custom claims. This does however seem quite complicated to get setup, and as such I've not tested it myself.

Onderkuru

Onderkuru commented on Jan 21, 2023

@Onderkuru
Onderkuru
on Jan 21, 2023

Arkadaşlar siz uçmuşssunuz bilmiyorum sizi yakalayabilirmiyimde inanın doktorların yazdığı reçete gibi konuşuyorsunuz. Hiç bir kelimenizi anlayamıyorum. Bari konudan bahsederken ne işe yaradığını düzeltme veya kodu yazınca nasıldı hangi işi pratikte görebileceğini bunlarıda açıklarsanız inanın sevinirim.

unfor19

unfor19 commented on May 12, 2023

@unfor19
unfor19
on May 12, 2023 · edited by unfor19

@JMoserCricut I tried what you offered, and it seems to be working 😄

Here's my setup-

  1. Created AWS S3 Bucket - unfor19-gha-play-private
  2. Created AWS IAM OIDC Provider
    • Provider URL: token.actions.githubusercontent.com
    • Provider aud: sts.amazonaws.com
  3. Created IAM Policy - unfor19-gha-play-private-policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::unfor19-gha-play-private/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
  1. Created IAM Role (unfor19-gha-play-private-role) with the following trust relationship and assigned the above IAM Policy to it
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:unfor19/gha-play-private:actor:unfor19"
                }
            }
        }
    ]
}
  1. Updated custom subject OIDC claims with GitHub CLI

Created input file for PUT request body -.input.json

{
    "use_default": false,
    "include_claim_keys": ["repo", "actor"]
}

Used GitHub REST API to PUT custom subject OIDC claims

gh api -X PUT repos/unfor19/gha-play-private/actions/oidc/customization/sub --input .input.json

Used GitHub REST API to get GET custom subject OIDC claims (to verify)

gh api -X GET repos/unfor19/gha-play-private/actions/oidc/customization/sub

Response:

{
  "use_default": false,
  "include_claim_keys": [
    "repo",
    "actor"
  ]
}

So far, I'm all set; now it's time to set the workflow-

.github/workflows/oidc.yml

name: AWS example workflow
on:
    workflow_dispatch: {}
env:
  BUCKET_NAME: unfor19-gha-play-private
  AWS_REGION: eu-west-1
  ROLE_TO_ASSUME_ARN: arn:aws:iam::123456789012:role/unfor19-gha-play-private-role

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
jobs:
  S3PackageUpload:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ env.ROLE_TO_ASSUME_ARN }}
          role-session-name: samplerolesession
          aws-region: ${{ env.AWS_REGION }}
      # Upload a file to AWS s3
      - name: Copy index.html to s3
        run: |
          date > index.html
          aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/

The above setup works; @lukas-hetzenecker, thanks for the tip!

lukas-hetzenecker

lukas-hetzenecker commented on May 12, 2023

@lukas-hetzenecker
lukas-hetzenecker
on May 12, 2023

@unfor19 I've noticed that your include_claim_keys are: "include_claim_keys": ["repo", "context", "actor"]
But in your "token.actions.githubusercontent.com:sub" you are only specifying repo and actor, you're missing the context part here.

So I think the solution would be to either remove context from include_claim_keys, or change your sub comparison to include the context, like (untested):

  "StringLike": {
      "token.actions.githubusercontent.com:sub": "repo:unfor19/gha-play-private:ref:refs/heads/main:actor:unfor19"
  }

for workflows running from the main branch

unfor19

unfor19 commented on May 12, 2023

@unfor19
unfor19
on May 12, 2023 · edited by unfor19

@lukas-hetzenecker - I think that it means I'm just sending "extra info" from GitHub to AWS; so I'm sending the extra context field, though, in AWS Trust Relationship, I'm not filtering by context so it's like "any context is ok", and I'm filtering requests only by repo and actor, so I think it's ok

lukas-hetzenecker

lukas-hetzenecker commented on May 12, 2023

@lukas-hetzenecker
lukas-hetzenecker
on May 12, 2023

All of the extra information is always part of the JSON Web Token, it is just the AWS does not support custom claims, and therefore cannot use any of that extra attributes (actor, etc.). AWS only allows you to use the sub field in your trust relationship for the role.

With include_claim_keys you then configure what your sub field looks like. This is why "token.actions.githubusercontent.com:sub" is expected to look like "repo:<repo>:<context>:actor:<actor>" with your configuration. This is also why putting a wildcard ("*") in the place where context is fixes the issue.

unfor19

unfor19 commented on May 12, 2023

@unfor19
unfor19
on May 12, 2023 · edited by unfor19

@lukas-hetzenecker You are right! I've just tested the following-

.input.json

{
    "use_default": false,
    "include_claim_keys": ["repo", "actor"]
}

And AWS Trust Relationship - repo:unfor19/gha-play-private:actor:unfor19

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:unfor19/gha-play-private:actor:unfor19"
                }
            }
        }
    ]
}

Thanks for the tip, updated my solution

mungojam

mungojam commented on May 14, 2023

@mungojam
mungojam
on May 14, 2023 · edited by mungojam

This snippet might be useful for anyone getting this working. It will print out all the info in the token. Just use it in a private repo and not in a live setting though

    steps:     
      - uses: actions/github-script@v6
        with:
          script: |
            const token = await core.getIDToken("hello");
            const [, payloadB64] = token.split('.');
            const payloadJson = atob(payloadB64);
            const payload = JSON.parse(payloadJson);
            console.log(`issuer is ${payload.iss}`);
            console.log(payload);
``
peterwoodworth

peterwoodworth commented on Aug 24, 2023

@peterwoodworth
peterwoodworth
on Aug 24, 2023
Contributor

We now have a section in our docs with what's now the most up-to-date information on the topic. Being able to customize the sub claim key should be able to help with most customization needs

peterwoodworth
changed the title [-]Cannot match actor tag when using OIDC[/-] [+]AWS cannot filter for many claim keys in trust policies[/+] on Aug 24, 2023
peterwoodworth
mentioned this on Nov 17, 2023
tim-finnigan
added
p2
on Jul 31, 2024
javierlga

javierlga commented on Apr 9, 2025

@javierlga
javierlga
on Apr 9, 2025 · edited by javierlga

For those who are having problems with this, you have to customize the sub claim template, in my case I wanted to verify the actor and repository, so first customize the claims in the repository:

gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/owner/repository_name/actions/oidc/customization/sub \
   -F "use_default=false" -f "include_claim_keys[]=actor" -f "include_claim_keys[]=repository"

Verify the claims are applied:

{
  "use_default": false,
  "include_claim_keys": [
    "actor",
    "repository"
  ]
}

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::XXX:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
                },
                "ForAnyValue:StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "actor:github_username1:repo:owner/repository_name",
                        "actor:github_username2:repo:owner/repository_name"
                    ]
                }
            }
        }
    ]
}

After triggering the workflow:

Assuming role with OIDC
Authenticated as assumedRoleId XXX:GitHubActions

If you want to customize the sub claim template with other claim keys be sure to run the actions-oidc-debugger first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    p2service-limitationThis is not currently supported by Github or AWS

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @tve@martijngastkemper@CallumHibbert@wzyboy@ianling

        Issue actions
          AWS cannot filter for many claim keys in trust policies · Issue #306 · aws-actions/configure-aws-credentials