IAM roles should not allow untrusted GitHub Actions to assume them Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter .
When a GitHub Action needs to assume an IAM role, it is recommended to use identity federation to avoid using hardcoded, long-lived credentials.
However, in some cases the trust policy of the role may be misconfigured and allow any untrusted GitHub Action to assume the IAM role.
If the role trust policy does not have a properly configured condition, any untrusted GitHub Action from any repository (including outside your organization) can assume the role and retrieve credentials to your AWS account.
Ensure that the IAM role has a condition on the token.actions.githubusercontent.com:sub condition key, for instance:
{
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Principal" : {
"Federated" : "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
},
"Action" : "sts:AssumeRoleWithWebIdentity" ,
"Condition" : {
"StringEquals" : {
"token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
},
"StringLike" : {
"token.actions.githubusercontent.com:sub" : "repo:your-organization/your-repository:*"
}
}
}
]
}
Copy
See “Configuring the role trust policy ” and “Example subject claims ” in the GitHub documentation for more examples.
In the AWS Console, navigate to the IAM role you would like to change. On the IAM role page, click the Trust relationships tab. Click Edit trust policy . Make changes to the trust policy, as shown in the previous section. Click Update policy . Using update-assume-role-policy, update the role trust policy to remediate the risk.
aws iam update-assume-role-policy
--role-name Test-Role
--policy-document file://<NEW_ROLE_POLICY>.json
