Pass session tags to AWS using OIDC Connect

[jsimoni]

I would like to be able to pass session tags to AWS with the GitHub OIDC Connect feature. I was able to do this with the old Access Keys by using https://github.com/aws-actions/configure-aws-credentials#session-tagging

However, the AWS OIDC Provider uses the AssumeRoleWithWebIdentity operation which requires the session tags in the JSON Web Token (JWT) (which is generated by GitHub).

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp

[ethomson]

Thanks @jsimoni, I'll pass this along to the team responsible for OIDC.

[roskelleycj]

@ethomson I'm in the same boat as @jsimoni, in that I can add the following to my job:

      - name: Dump JWT
        run: |
          IDTOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com"|jq -r ".|.value")
          echo $IDTOKEN
          jwtd() {
              if [[ -x $(command -v jq) ]]; then
                  jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}"
                  echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
              fi
          }
          jwtd $IDTOKEN
          echo "::set-output name=idToken::${IDTOKEN}"

and the JWT does not show the Session Tags contract that AWS AssumeRoleWithWebIdentity expects to see for using those session tags in Role Policies.

And when you review the docs for aws-actions/configure-aws-credentials it says this:

Note that for WebIdentity role assumption, the session tags have to be included in the encoded WebIdentity token. This means that Tags can only be supplied by the OIDC provider and not set during the AssumeRoleWithWebIdentity API call within the Action.

Which has taken me a long time to understand, but it seems to imply that Github OIDC must add these tags to the JWT token that will be used when calling AssumeRoleWithWebIdentity. And if it is not session tags are not available. And in fact MUST be disabled as part of calling the AssumeRoleWithWebIdentity.

So either I'm doing something wrong (which is totally possible, as I've never done OIDC before), OR aws-actions/configure-aws-credentials is doing something wrong OR Github OIDC is doing something wrong. Right now my conclusion is that Github OIDC is the place to push on. And so did @jsimoni.

Of course, I have a hard time believing that @jsimoni and I are the only ones trying to use session tagging w/ Github's OIDC, so I'm thinking we just don't know how to do it properly.

[roskelleycj]

Just another note. Trying to follow AWS docs I came across this endpoint for Github OIDC:

https://token.actions.githubusercontent.com/.well-known/openid-configuration

And if you execute a curl on that endpoint you find that it returns the list of claims_supported and you will note that https://aws.amazon.com/tags is not listed. 🤷

[roskelleycj]

Added similar thread on aws-actions/configure-aws-credentials

[roskelleycj]

Looks like others found a similar issue and made a work around that is not very pretty: https://github.com/glassechidna/ghaoidc

[ScottGuymer]

+1 for this.

It would be an amazing feature to be able dynamically provide access to resources based on for instance the repository name. By using OIDC we increase security significantly.

For our 8k+ repos it's not feasible to create individual policies.

[roskelleycj]

@ethomson is this somewhere on the roadmap? I see that OIDC customization was added recently. That is great! Just curious how the JWT could be customized in a very similar manner? This would be so powerful and useful to control security associated between AWS Cloud and GitHub Actions for an Enterprise/Org/Repo. 😊

[elduds]

Adding my and my enterprise employer's +1 to this issue. Have also raised a Premium Support ticket #2047747

[ronanj2]

Hi @elduds , did you get sorted here?