Permissions based repository without organization name #1039
Replies: 1 comment
-
|
I am looking over the github docs as to what is contained in the token at least, https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect Basically I can restrict access based on patterns easily using things like wildcards so I can be real granular as to allowing the role to be used, but then when it comes time to restricting the resource I can't figure out a way to limit it based on a subset of what is provided. Basically allowing my-org:repo-name-* to use the role, but only allow it to write to its specific path such as s3://my-bucket/repo-name-1/ for repo-name-1 and s3://my-bucket/repo-name-2/ for repo-name-2 etc. |
Beta Was this translation helpful? Give feedback.
-
I have been using this role, and I would like for it to be a bit more strict 1:1 where my s3 path patches the repository name. Currently I have my role in AWS that hard codes the s3 paths and I have to keep it updated every time a new repo is spin up.
What I would like to do is have a reference to the repository that is doing the s3 deployment so I can use a single role and the same action files when we spin up a new repository.
I tried something like
arn:aws:s3:::bucket-name/${aws:PrincipalTag/repository}/*in my resource statement but realized afterwards why it isn't working was because that includes the organization in front of it such as MyOrg/my-repo-name and I want it to just be my-repo-name. Is there anything else available similar to that which doesn't have the org attached, or a way to match it in IAM?I'm trying to make this as simple as possible for people on my team, and to prevent outside developers from accidentally (or purposefully) editing our workflow to put files where they shouldn't be.
Beta Was this translation helpful? Give feedback.
All reactions