Assumes roles in AWS that have useful role session tags

Overview

ghaoidc

Assumes roles in AWS that have useful role session tags

GitHub Actions has (almost) launched OpenID Connect federation. This means you can assume a role in AWS without needing to store long-lived credentials as secrets in your GitHub repository. This is really great, but it could be even better. The JWT issued by GHA contains lots of useful claims, but STS AssumeRoleWithWebIdentity can't use most of them. Hence this project.

This project is two parts: First, an API Gateway with JWT auth (with GHA as the issuer) and a Lambda function behind it that assumes roles using those claims as role session tags. Second, a GHA "action" that acts as the client of that API and requests credentials to be used in a workflow.

Usage

Deploy the API Gateway and Lambda using the api.yml CloudFormation template. I recommend creating a brand new AWS account solely for this purpose. The template has some inline documentation. TODO: Include build instructions and an AWS SAR application once I'm happy I don't want to make massive changes.

Next, create roles that your GHA workflows will be assuming. Look at example.yml for guidance on a trust policy.

Finally, include the GHA action in your workflows. A "hello world" example looks like:

name: Example
on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/[email protected]
      
        # this actions sets AWS_* environment variables for later steps
      - uses: glassechidna/[email protected]
        with:
          apiUrl: ${{ secrets.CREDENTIALS_URL }}
          roleArn: arn:aws:iam::0123456789012:role/DeploymentRole
        
      - run: aws sts get-caller-identity --region us-east-1

There's also an optional transitiveTags input parameter. It's worth noting that you can choose to make the either apiUrl, roleArn, both or neither values secret. It's just a tradeoff on usability.

How?

TODO: flesh out explanation.

architecture diagram

Why?

TODO: flesh out spiel. Two main reasons: you get highly enriched entries in CloudTrail and can trace actions back to specific GHA jobs with ease. Also, you can use the session tags as variables in your IAM policies. This allows you to parameterise your deployment IAM roles, giving you highly granular and isolated permissions without needing a 1:1 mapping of repositories to roles.

Caveats

While building this I learned that AWS STS enforces a limit of approximately 500 bytes on the combined total of role session tag keys and values. Which the complete GHA OIDC JWT exceeds. You can choose which values to pass through as tags in the CFN template - I've selected what I think are useful defaults.

I hate this

Honestly, kinda the same. I'd prefer it not to exist. I highly recommend filing a feature request with AWS asking for the ability to map arbitrary claims in OIDC tokens to role session tags in sts:AssumeRoleWithWebIdentity. If we all nag enough, maybe they'll do it.

Comments
Owner
Glass Echidna
Glass Echidna
AWS Tags Updater - Sync tags with all resources via sheet 🐏🐏

AWS Tags Updater - Sync tags with all resources via sheet ????

PePoDev 1 Mar 22, 2022
Assume AWS IAM roles from GitHub Actions workflows with no stored secrets

AWS IAM roles for GitHub Actions workflows Background and rationale GitHub Actions are a pretty nice solution for CI/CD. Where they fall short is inte

Glass Echidna 171 Feb 12, 2022
Contact-api - API for websites I have designed that have to send unauthenticated email

contact https://aws.amazon.com/premiumsupport/knowledge-center/custom-headers-ap

Noah Varghese 0 Apr 11, 2022
Graph Role-Based Access Control by Animeshon

gRBAC - Graph Role-Based Access Control A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered

gRBAC 18 Jul 28, 2022
A Pulumi multi language component to create an IAM role for an EKS cluster

xyz Pulumi Component Provider (Go) This repo is a boilerplate showing how to create a Pulumi component provider written in Go. You can search-replace

Lee Briggs 0 Oct 27, 2021
Useful AWS access key attribution tool

whodunnit Working towards this: https://twitter.com/__steele/status/1410437278489477120. Dumping code now to validate if it's useful or not before inv

Glass Echidna 7 Jan 1, 2022
Simple no frills AWS S3 Golang Library using REST with V4 Signing (without AWS Go SDK)

simples3 : Simple no frills AWS S3 Library using REST with V4 Signing Overview SimpleS3 is a golang library for uploading and deleting objects on S3 b

Rohan Verma 92 Sep 7, 2022
Integrate AWS EKS Anywhere cluster with AWS Services

This article provides step-by-step instruction on integrating AWS EKS Anywhere with AWS Services so the applications running on customer data center can securely connect with these services.

Hari Ohm Prasath 2 Mar 6, 2022
Apis para la administracion de notifiaciones, utilizando servicios como AWS SNS y AWS SQS

notificacion_api Servicio para envío de notificaciónes por difusión en AWS SNS Especificaciones Técnicas Tecnologías Implementadas y Versiones Golang

Universidad Distrital Francisco José de Caldas 0 Jan 7, 2022
A package for access aws service using AWS SDK for Golang

goaws ?? A package for access aws service using AWS SDK for Golang Advantage with goaws package Example for get user list IAM with AWS SDK for Golang

Muhammad Ichsanul Fadhil 1 Nov 25, 2021
Simple CRUD API written in Go, built using AWS SAM tool and using the AWS' infrastructure.

tutor-pet API Simple CRUD API written in Go, built using AWS SAM tool and using the AWS' infrastructure. Macro architecture: Code architecture: Pre-Re

Lucas Ferreira 3 Aug 17, 2022
Aws-parameter-bulk - Export AWS SSM Parameter Store values in bulk to .env files

aws-parameter-bulk Utility to read parameters from AWS Systems Manager (SSM) Par

Adam Malik 15 Sep 13, 2022
null 2 Feb 7, 2022
Aws-cognito-demo-go - Source code for AWS Cognito in Go

AWS Cognito Demo in Go Source code for YouTube series, AWS Cognito in Go - https

null 2 Aug 31, 2022
Una prueba técnica: Servicio Golang REST API local, sobre Docker, gRPC, AWS Serverless y sobre Kubernetes en AWS EC2

Una prueba técnica: Servicio Golang REST API local, sobre Docker, gRPC, AWS Serverless y sobre Kubernetes en AWS EC2

Emilio del Cañal Calleja 4 May 7, 2022
Aws-cdk-go-examples - Example projects using the AWS CDK by Golang

aws-cdk-go-examples Example projects using the AWS CDK by Golang Useful commands

null 0 Aug 23, 2022
No need for IAM users when we have Yubikeys

cloudkey As far as I can tell, the only justification for AWS IAM users that I hear nowadays is for usage on non-interactive systems outside of AWS, e

Aidan Steele 147 Sep 16, 2022
This repository will have code implemented for the 100 days of golang.

golang_100 This repository will have code implemented for the 100 days of golang. The resources I will use to do this 100 days golang programming are:

Vasileios Tsakalos 0 Jan 10, 2022
An experiment which attempts to create streams similar to what is available in Java now that we have generics in Go.

go-streams An experiment which attempts to create streams similar to what is available in Java now that we have generics. Should I use this library? N

Filip Borkiewicz 8 Aug 9, 2022