Locking down GitHub Actions to specific Repo with OIDC #627
-
Hey, people! I'm having problems authenticating a GitHub Actions workflow to my AWS environment when a specific repo is specified in my AWS role's trust policy. I've had a read through https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services and I believe I've set it up correctly but it's still having problems. Github workflow
AWS Role Trust Policy
As soon as I change the AWS Role trust policy to the below code it authenticates without issue. So there's something going wrong when I'm trying to lock it down the project's repo.
Am I doing something wrong? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
Sorry for the delayed response @lukewelden-mobysoft, It does appear as if you are setting up the sub claim correctly in the trust policy. I'm curious if you can share what exactly is triggering this workflow? If you share the full workflow file we could see if some configurations to your workflow are modifying the sub claim. I'd be curious if you could test this on any other repo/org combinations. Maybe testing this out individually might reveal some mistake you might have made when configuring this for the affected repo |
Beta Was this translation helpful? Give feedback.
-
Hello! Reopening this discussion to make it searchable. |
Beta Was this translation helpful? Give feedback.
Sorry for the delayed response @lukewelden-mobysoft,
It does appear as if you are setting up the sub claim correctly in the trust policy. I'm curious if you can share what exactly is triggering this workflow? If you share the full workflow file we could see if some configurations to your workflow are modifying the sub claim.
I'd be curious if you could test this on any other repo/org combinations. Maybe testing this out individually might reveal some mistake you might have made when configuring this for the affected repo