
Feature request: inline session policies for assuming role #229

Closed
@spyoungtech

Description


Request

It would be great if this action could support session policies (the Policy parameter for AssumeRole operation) for assumed roles.

Problem being solved

Inline policies help IAM users apply permission boundaries to roles being assumed. This may help prevent accidents in a job or otherwise limit the scope in which the assumed role can be used, thus improving security posture.

Use cases

Limiting permissions of a role based on action being taken

For example, a role may be specified as an organization secret with access to update many CloudFormation stacks. An inline policy might be used to reduce the permissions to a subset of resources, such as denying access to RDS resources or denying access when tags do not match expected tags for the project.

An example inline policy denying CloudFormation actions to resources with unexpected tags:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Deny",
         "Action":"CloudFormation:*",
         "Resource":"*",
         "Condition": {"StringNotLikeIfExists": {"aws:ResourceTag/CUSTOM_TAG": "my-tag-value"}}
      }
   ]
}

Limiting source IP for assumed role dynamically

One might use a session policy to ensure the temporary credentials generated by this action are limited to the source IP address of the GitHub action runner. Thus, if the temporary credentials are exfiltrated, they won't be (as) useful to an attacker.

For example, an inline policy may be generated dynamically by resolving the public IP of the GitHub runner, only allowing AWS actions to be taken from the current IP address (could be used with the haythem/public-ip action).

Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Proposed usage

Usage might look like this:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Configure Inline Policy
      id: inline-policy
      uses: FICTIONAL_EXAMPLE@example
      with:
        some-param: value
      # outputs JSON policy string as `.policy`

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
        aws-region: us-east-2
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        assume-role-policy: ${{ steps.inline-policy.outputs.policy }}

Labels: effort/medium (This issue will take a few days of effort to fix), feature-request (A feature should be added or improved), p2