From c5089f712e76cb4437e5393f5581c2a268d21101 Mon Sep 17 00:00:00 2001 From: Ari Pollak Date: Tue, 2 Nov 2021 17:27:55 -0400 Subject: [PATCH 1/2] Tweak AWS OIDC instructions * Only contents: read is necessary * Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials --- .../configuring-openid-connect-in-amazon-web-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index a51d7e08b706..7a425f2d908a 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -44,7 +44,7 @@ By default, the validation only includes the audience (`aud`) condition, so you "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "https://github.com/octo-org", - "token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" + "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" ``` ## Updating your {% data variables.product.prodname_actions %} workflow @@ -84,7 +84,7 @@ env: # permission can be added at job level or workflow level permissions: id-token: write - contents: write # This is required for actions/checkout@v1 + contents: read # This is required for actions/checkout@v1 jobs: S3PackageUpload: runs-on: ubuntu-latest From f7fccb8f430f6d792c45d790969a2d205de1780d Mon Sep 17 00:00:00 2001 
From: Ari Pollak Date: Tue, 2 Nov 2021 17:37:43 -0400 Subject: [PATCH 2/2] Update to be valid JSON, and actually remove :aud --- .../configuring-openid-connect-in-amazon-web-services.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index 7a425f2d908a..8432733b7cc6 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -38,13 +38,14 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html). -By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example: +Edit the trust relationship to add the `sub` field to the validation conditions. For example: ```yaml{:copy} "Condition": { "StringEquals": { - "token.actions.githubusercontent.com:aud": "https://github.com/octo-org", "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" + } +} ``` ## Updating your {% data variables.product.prodname_actions %} workflow
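Review bot: In the first hunk of PATCH 1/2 (the `@@ -44,7 +44,7 @@` hunk) the corrected `sub` line now sits beside `"token.actions.githubusercontent.com:aud": "https://github.com/octo-org"`, a value the commit message itself says is wrong because aws-actions/configure-aws-credentials requests the token with audience `sts.amazonaws.com`; the right change is to set the `aud` value to `sts.amazonaws.com` in the same hunk rather than leave a stale audience next to a fixed subject. The fence is also still tagged `yaml{:copy}` although the content is JSON.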
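Review bot: The trailing comment on the changed `contents: read` line in the second hunk of PATCH 1/2 (the `@@ -84,7 +84,7 @@` hunk) should say that read is the minimum actions/checkout needs, since the previous text called write "required" and a reader may put it back; something like `contents: read # actions/checkout only needs read access to the repository` makes the least-privilege point explicit. Because an explicit `permissions` block sets every unlisted scope to none, `id-token: write` plus `contents: read` is the whole grant for this job, which is the intended outcome.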
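Review bot: Deleting the `aud` condition in the PATCH 2/2 hunk loosens the trust policy instead of correcting it: with only `sub` checked, the role accepts any GitHub-issued token for `repo:octo-org/octo-repo:ref:refs/heads/octo-branch` regardless of the audience it was minted for. Since the commit message states that aws-actions/configure-aws-credentials sets the audience to `sts.amazonaws.com`, the condition should be kept as `"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"` rather than removed, and the deleted sentence explaining that the default validation covers only `aud` should be reworded rather than dropped, otherwise "Edit the trust relationship to add the `sub` field" no longer says what is validated by default. The added closing braces balance the fragment, but `"Condition": { ... }` on its own is still not a JSON document and the fence remains tagged `yaml{:copy}` for JSON content; either show the enclosing statement or describe the block as a fragment of the trust policy.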