unfunco / terraform-aws-oidc-github

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS.
https://registry.terraform.io/modules/unfunco/oidc-github/aws/latest
Apache License 2.0

Missing token.actions.githubusercontent.com:aud condition in iam role #21

Closed martijnvdp closed 1 year ago

martijnvdp commented 1 year ago

The IAM role is missing a condition recommended by the AWS [documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html); this is currently failing our security Sentinel policy.

"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com", <- missing
    "token.actions.githubusercontent.com:sub": "repo:GitHubOrg/*"
  }
}
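A check for the condition this issue describes, added here as an example and not code from the module or the reporter: it parses a role trust policy, flags any `sts:AssumeRoleWithWebIdentity` statement that lacks the `aud` (or `sub`) condition, and compares the reported policy with a corrected one. The account id and both policies are constructed samples.

```python
import json

ISSUER = "token.actions.githubusercontent.com"

def _as_list(value):
    """IAM allows Action and condition values as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_github_oidc_trust(policy_json: str) -> list[str]:
    """Return findings for every AssumeRoleWithWebIdentity statement (empty list = OK)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))):
            continue
        # Flatten {"StringEquals": {key: v}, "StringLike": {key: v}} into key -> (operator, values).
        # Condition keys are case-insensitive in IAM, so compare them lower-cased.
        keys = {k.lower(): (op, _as_list(v))
                for op, block in stmt.get("Condition", {}).items()
                for k, v in block.items()}
        aud = keys.get(f"{ISSUER}:aud")
        sub = keys.get(f"{ISSUER}:sub")
        if aud is None:
            findings.append(f"statement {i}: missing {ISSUER}:aud condition")
        elif aud[1] != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: unexpected aud value(s) {aud[1]}")
        if sub is None:
            findings.append(f"statement {i}: missing {ISSUER}:sub condition")
        elif any(v in ("*", "repo:*") for v in sub[1]):
            findings.append(f"statement {i}: sub wildcard trusts every GitHub repository")
    return findings

def _policy(condition: dict) -> str:
    """Build a constructed trust policy for a hypothetical account and OIDC provider."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]})

# Constructed sample matching the issue: sub is restricted, aud is absent.
POLICY_MISSING_AUD = _policy({"StringLike": {f"{ISSUER}:sub": "repo:GitHubOrg/*"}})
# Constructed sample with the aud condition added (StringEquals, since the value is exact).
POLICY_FIXED = _policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                        "StringLike": {f"{ISSUER}:sub": "repo:GitHubOrg/*"}})

if __name__ == "__main__":
    for name, policy in (("missing aud", POLICY_MISSING_AUD), ("fixed", POLICY_FIXED)):
        print(name, "->", check_github_oidc_trust(policy) or "OK")
```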