search

abhilash1in / aws-secrets-manager-action

Use secrets from AWS Secrets Manager as environment variables in your GitHub Actions workflow
MIT License
68 stars 43 forks source link

A concern for secrets security #43

Open barywhyte opened 2 years ago

barywhyte commented 2 years ago

This is not an issue. Please pardon me as I do not know where to put this

So I am implementing Github OpenID connect to retrieve secrets from AWS secretsmanager instead AWS user that uses AWS credentials. I do not want to store any secrets using Github secret. It also look like OpenID Connect is Git action's preferred method of authentication into AWS. So I went for it with terraform aws_iam_openid_connect_provider resource as seen https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider

Here is my workflow after deploying the AWS role 

jobs:
  trigger-build:
    runs-on: ubuntu-latest

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::{aws_account_id}:role/AWSRole
          audience: sts.amazonaws.com

      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: bitovi/github-actions-aws-secrets-manager@v2.0.0
        with:
          secrets: |
            my_secret
          parse-json: true
      - name: Trigger Pipeline
        env:
          CIRCLE_BRANCH: ${{ github.head_ref }}
          TOKEN: ${my_secret}

My concern/question (and please forgive my naivety) is that: is it possible for an attacker to copy this entire code and use it in a different git action jobs to access my secrets `my_secret'? I don't seems to find additional protection for this chunk of code

operatorequals commented 2 years ago

First of all, you might need to fix your text's format. The question is hidden in code as you did enter ``` with indentation.

Secondly, it has to do with the Role's Assume Policy. The role can have an Assume Policy that prevents access from other repositories. You can see an example below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubRepositoryAccess",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[...]:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:<USERNAME>/<REPO>:*"
                }
            }
        }
    ]
}

This one allows access to assume the AWS Role only from <USERNAME>/<REPO> repository workflows.

Hope I helped!

barywhyte commented 2 years ago

@operatorequals That helped! Thank you! And thanks too for the correction about text alignment.