
Weak GitHub OIDC Claim Verification

Ensure IAM policies that integrate with GitHub's OIDC provider validate the subject (`sub`) claim, so that the role can only be assumed from the intended context. If there is no condition, or the condition is too permissive, unintended repositories can assume the role.

When creating a role that is granted to all repositories of an organization, ensure the role associated with such a policy grants minimal permissions: any organization member with write access to any repository can run an arbitrary GitHub Actions workflow and assume the role. Roles with more permissions should be restricted to workflows running on a protected branch or tag.

Examples

Insecure Example

data "aws_iam_policy_document" "allow_any_repositories" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type = "Federated"
      identifiers = ["arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"]
    }

    # "repo:*" matches the subject of every repository on GitHub, not just this account's
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:*"]
    }

  }
}

Secure Example

data "aws_iam_policy_document" "allow_main_branch_on_org" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type = "Federated"
      identifiers = ["arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"]
    }

    # only workflows running on the main branch of a repository in "org" match
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:org/*:ref:refs/heads/main"]
    }

  }
}
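The two trust policies above differ only in the `sub` pattern, so it helps to see exactly which tokens each one admits. The Python below is an added example, not code from the page or from any tool it describes: it reimplements IAM's `StringLike` matching (case-sensitive, `*` matches any run of characters including `/` and `:`, `?` matches one character), evaluates constructed sample tokens against both condition sets, and includes a rough classifier for `sub` patterns that a policy reviewer could run over extracted trust policies. The sample `sub` values follow GitHub's documented claim formats (`repo:OWNER/REPO:ref:refs/heads/BRANCH`, `repo:OWNER/REPO:pull_request`), the token contents are constructed, and the `aud` condition in the secure set is AWS's standard recommendation (`sts.amazonaws.com`), which the page's Terraform does not show.

```python
import re

OIDC = "token.actions.githubusercontent.com"

# Condition sets mirroring the page's two policies. The secure set also pins the
# audience claim, which AWS recommends alongside the subject restriction.
INSECURE_CONDITIONS = {f"{OIDC}:sub": ["repo:*"]}
SECURE_CONDITIONS = {
    f"{OIDC}:aud": ["sts.amazonaws.com"],
    f"{OIDC}:sub": ["repo:org/*:ref:refs/heads/main"],
}

# Constructed sample tokens (only the claims relevant to the trust policy).
SAMPLE_TOKENS = {
    "org main push": {f"{OIDC}:aud": "sts.amazonaws.com",
                      f"{OIDC}:sub": "repo:org/app:ref:refs/heads/main"},
    "org feature branch": {f"{OIDC}:aud": "sts.amazonaws.com",
                           f"{OIDC}:sub": "repo:org/app:ref:refs/heads/feature-x"},
    "org pull request": {f"{OIDC}:aud": "sts.amazonaws.com",
                         f"{OIDC}:sub": "repo:org/app:pull_request"},
    "other org main push": {f"{OIDC}:aud": "sts.amazonaws.com",
                            f"{OIDC}:sub": "repo:other-org/tool:ref:refs/heads/main"},
    "org main push, wrong audience": {f"{OIDC}:aud": "https://example.invalid/not-sts",
                                      f"{OIDC}:sub": "repo:org/app:ref:refs/heads/main"},
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive; '*' matches any characters
    (it does not stop at ':' or '/'), '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def trust_allows(conditions: dict, claims: dict) -> bool:
    """Evaluate one condition block the way STS does: every condition key must be
    satisfied (AND); a key is satisfied if the claim matches any listed pattern (OR).
    A claim missing from the token fails that key."""
    for claim_name, patterns in conditions.items():
        value = claims.get(claim_name)
        if value is None or not any(string_like(p, value) for p in patterns):
            return False
    return True


def allowed_tokens(conditions: dict) -> list:
    """Names of the sample tokens that the given condition set would let assume the role."""
    return [name for name, claims in SAMPLE_TOKENS.items() if trust_allows(conditions, claims)]


def classify_sub_pattern(pattern: str) -> str:
    """Bucket a GitHub OIDC `sub` StringLike pattern by how much it constrains callers.
    Heuristic for review triage, not a substitute for reading the policy."""
    if not pattern.startswith("repo:"):
        return "unexpected"  # not a repo-scoped subject; inspect manually
    repo_part, _, qualifier = pattern[len("repo:"):].partition(":")
    owner, _, name = repo_part.partition("/")
    if "*" in owner or "?" in owner:
        return "any-owner"              # e.g. repo:* -> any repository on GitHub
    if name in ("", "*") and qualifier in ("", "*"):
        return "org-wide-any-ref"       # any repo in the org, any branch/PR/environment
    if name in ("", "*"):
        return "org-wide-restricted"    # any repo in the org, pinned to a ref/environment
    if qualifier in ("", "*"):
        return "repo-any-ref"           # one repo, but any branch/PR/environment
    return "repo-restricted"            # one repo, pinned to a ref/environment


if __name__ == "__main__":
    for label, conds in (("insecure", INSECURE_CONDITIONS), ("secure", SECURE_CONDITIONS)):
        print(f"{label}: {allowed_tokens(conds)}")
    for pat in ("repo:*", "repo:org/*", "repo:org/*:ref:refs/heads/main", "repo:org/app:pull_request"):
        print(f"{pat!r:45} -> {classify_sub_pattern(pat)}")
```

Run as a script it prints which sample tokens each policy admits: the insecure set accepts all five (including a token from another organization and one minted for a different audience), while the secure set accepts only the push to `main` from a repository under `org`. The classifier gives a reviewer a quick way to flag `any-owner` and `org-wide-any-ref` patterns in extracted trust policies for the permission review the page calls for.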
