terraform-module / terraform-aws-github-oidc-provider

Fully configurable terraform module to access AWS APIs from Github Actions through OpenID Connect.
MIT License

Add audience in the policy condition #87

Open blueprismo opened 3 months ago

blueprismo commented 3 months ago

Bug Report

When I try to set up a simple OIDC provisioning, the policy document only considers the condition for the token.githubusercontent.com:sub and does not include the *:aud as explicitly stated in the doc (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)

Steps to Reproduce:

Just apply the role anywhere

Expected Result:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}

Actual Result:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}
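
As an added example (not code from this module), a small Python audit that detects the gap reported above: it parses a role trust policy and checks that every Allow statement trusting GitHub's OIDC provider pins both the aud claim (to sts.amazonaws.com) and a non-wildcard sub claim. The two policies are constructed from the issue's "Expected"/"Actual" snippets; the provider ARN's account id is a placeholder.

```python
import json

OIDC_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"
PROVIDER_ARN = "arn:aws:iam::111111111111:oidc-provider/" + OIDC_ISSUER  # account id is made up
SUB = "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"


def trust_policy(condition: dict) -> str:
    """Build a constructed role trust policy around the given Condition block."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]})


# "Actual Result" from the issue: sub only, aud missing.
ACTUAL_POLICY = trust_policy({"StringEquals": {f"{OIDC_ISSUER}:sub": SUB}})
# "Expected Result": both aud and sub pinned.
EXPECTED_POLICY = trust_policy({"StringEquals": {
    f"{OIDC_ISSUER}:aud": EXPECTED_AUD, f"{OIDC_ISSUER}:sub": SUB}})


def audit_github_oidc_trust(policy_json: str) -> list[str]:
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object too
        statements = [statements]
    for i, stmt in enumerate(statements):
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or OIDC_ISSUER not in federated:
            continue
        cond = stmt.get("Condition", {})
        # aud is normally matched with StringEquals, sub often with StringLike.
        keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        aud = keys.get(f"{OIDC_ISSUER}:aud")
        if aud is None:
            findings.append(f"statement {i}: missing {OIDC_ISSUER}:aud condition")
        elif EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
            findings.append(f"statement {i}: aud does not include {EXPECTED_AUD}")
        sub = keys.get(f"{OIDC_ISSUER}:sub")
        if sub is None or "*" in (sub if isinstance(sub, list) else [sub]):
            findings.append(f"statement {i}: {OIDC_ISSUER}:sub is missing or unrestricted")
    return findings
```

Run it against the trust policy `terraform show` or `aws iam get-role` returns to confirm the aud condition is present before relying on the role.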

pintxxo commented 1 month ago

Does anybody have a solution to this? Thank you

blueprismo commented 1 month ago

> Does anybody have a solution to this? Thank you

I have the mental note to do it at some point in time in a forked repo / on my own! Will keep you updated :)

blueprismo commented 1 month ago

@pintxxo What about this: https://registry.terraform.io/modules/blueprismo/github-oidc-provider/aws/latest? :)