AWS cannot filter for many claim keys in trust policies

[tve]

I'm trying to match the GITHUB_ACTOR in my IAM trust relationship policy and cannot make it work. Is this supposed to work? The trust policy I have is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::00000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:actor": "tve",
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

The error I get is:

Run aws-actions/configure-aws-credentials@master
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

In my workflow I print ${{ github.actor }} and it matches what I have in the trust policy. Is there a way to get a log of the actual JWT token that IAM receives?

[mikeviviani]

Hi,
Looking at your IAM role, I do think your aud is not the correct one.
Based on the documentation ### (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) aud contains your GH Org

"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
"token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"

Mike

[tve]

@mikeviviani yeah, except that documentation is completely wrong... If I remove the "actor" match in my policy and just leave the "aud" match it works (just is insecure). The "sub" match in that documentation isn't even valid json...
(I don't remember where I got the aud match for sts.amazonaws.com from Edit: the "sts.amazonaws.com" aud match comes from #280 (comment))

[yotixify]

I am having the same issue as well when adding a conditional for the actor tag. When I remove the actor tag I have no issues and the sub conditional works fine, when the actor tag is added into the conditional I get the following error:

Run aws-actions/configure-aws-credentials@master
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:actor": "yotixify",
          "token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
        }
      }
    }
  ]
}

[yotixify]

Update

After some more testing it looks like the token.actions.githubusercontent.com:actor key is either missing or null in the policy condition. I dumped a jwt token from the OIDC connector to verify that the actor tag was in the jwt from the provider so it is getting passed into aws. However when I change the conditional to a Null action with a value of true instead of a StringLike the condition passes and github actions is able to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:orgname/zz-*"
        },
        "Null": {
          "token.actions.githubusercontent.com:actor": "true"
        }
      }
    }
  ]
}

Is there something on the AWS side that is dropping that value?

[CallumHibbert]

@yotixify I can't even get the token.actions.githubusercontent.com:sub condition to work.

My solution works without any conditions (big security hole) but as soon as I add a condition on token.actions.githubusercontent.com:sub it fails (I'm very sure I have the test value correct).

Which version of aws-actions/configure-aws-credentials are you referencing? I'm referencing @master, do you have something else?

Thanks.

[yotixify]

Im currently referencing master, I am not at my computer but i can provide a cloudformation template example that limits it by repostory name. Not ideal for scalability but works in a pinch. I plan to open a ticket with AWS on this issue in Monday related to the '''actor''' tag.

[CallumHibbert]

Thanks for coming back to me. Interesting that you are using @master too.

Do you happen to know if repo:my-org-name-here/* is valid to restrict by Org as a proof of concept (agree that tigher restrictions might make sense in a production implementation)?

As far as I can tell that is a valid test value for token.actions.githubusercontent.com:sub but it won't work for me.

Thanks.

[CallumHibbert]

OK, so its case sensitive and that was the problem all along. Thanks.

[tve]

so its case sensitive and that was the problem all along

What is case-sensitive? Did you get the actor match to work?

[CallumHibbert]

Sorry, I should have been clearer, case sensitivity on the token.actions.githubusercontent.com:sub match in the AWS conditions that I was having trouble with (bringing me to this thread originally).

[martijngastkemper]

I mixed up StringEquals and StringLike

Doesn't work:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
  }
}

Works:

"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
  }
}

[rsclarke-vgw]

Was there further guidance on getting the actor conditional claim to work? I'm equally trying with workflow to no avail.

[mungojam]

Was there further guidance on getting the actor conditional claim to work? I'm equally trying with workflow to no avail.

I'm having the same problem with token.actions.githubusercontent.com:repository_owner. To me it seems that it's a bug in AWS itself. I can see the property in the token itself when I decode it, but IAM doesn't appear to think it exists. You can verify that by changing the condition to StringEqualsIfExists which then passes because IAM doesn't see it for some reason.