Where should OIDC role ARN be stored?

[niyatim23]

Hi,

I'm one of the maintainers for the AWS KVS SDK repositories on GitHub. We use configure-aws-credentials like this. We fetch the role ARN from GitHub secrets, however, this prevents us from running the CI on contributions from forked branches as GitHub secrets are not accessible from forked branches. Do we need to store the ARN in secrets or can we directly add it to the CI script? Will it be a security threat to have an ARN publicly available as it would also provide access to the region and account number?

[peterwoodworth]

Hey @niyatim23,

I'm not a security expert - so please contact the right internal teams for the best possible guidance here.

For my relatively uninformed answer compared to what you might get from dedicated internal teams (please take this with a grain of salt) - in theory the role arn can be public with no security concerns. With a secure trust policy on the OIDC role you should be completely safe from any actors being able to somehow obtain a valid token.

[kellertk]

Since you're an internal Amazon employee we'd recommend you reach out to the standard internal teams to review your security posture.

However, in general, ARNs aren't considered private information: they are about as secret as your IP address, and if your security posture relies on keeping an ARN secret, you should seriously reevaluate your IAM policies. In fact, this repo already hardcodes an ARN in one of our workflow files. That said, the popular git-secrets package that we develop (and everyone should use!) does consider ARNs as private material.

Luckily, you have choices here. You can store ARNs in GitHub repository or organization secrets, you can take a look at using environments and environment secrets, you can hard code them into your workflow files, or you can write them in your source (configurable or not). Which you choose to do will depend on the security practices for your project (and for Amazon employees, your security review with our internal security team(s)). Just absolutely do not share AWS Secret Access Keys!!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.