Pass session tags to AWS using OIDC Connect

[jsimoni]

I would like to be able to pass session tags to AWS with the GitHub OIDC Connect feature. I was able to do this with the old Access Keys by using https://github.com/aws-actions/configure-aws-credentials#session-tagging

However, the AWS OIDC Provider uses the AssumeRoleWithWebIdentity operation which requires the session tags in the JSON Web Token (JWT) (which is generated by GitHub).

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp

[ethomson]

Thanks @jsimoni, I'll pass this along to the team responsible for OIDC.

[roskelleycj]

@ethomson I'm in the same boat as @jsimoni, in that I can add the following to my job:

      - name: Dump JWT
        run: |
          IDTOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com"|jq -r ".|.value")
          echo $IDTOKEN
          jwtd() {
              if [[ -x $(command -v jq) ]]; then
                  jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}"
                  echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
              fi
          }
          jwtd $IDTOKEN
          echo "::set-output name=idToken::${IDTOKEN}"

and the JWT does not show the Session Tags contract that AWS AssumeRoleWithWebIdentity expects to see for using those session tags in Role Policies.

And when you review the docs for aws-actions/configure-aws-credentials it says this:

Note that for WebIdentity role assumption, the session tags have to be included in the encoded WebIdentity token. This means that Tags can only be supplied by the OIDC provider and not set during the AssumeRoleWithWebIdentity API call within the Action.

Which has taken me a long time to understand, but it seems to imply that Github OIDC must add these tags to the JWT token that will be used when calling AssumeRoleWithWebIdentity. And if it is not session tags are not available. And in fact MUST be disabled as part of calling the AssumeRoleWithWebIdentity.

So either I'm doing something wrong (which is totally possible, as I've never done OIDC before), OR aws-actions/configure-aws-credentials is doing something wrong OR Github OIDC is doing something wrong. Right now my conclusion is that Github OIDC is the place to push on. And so did @jsimoni.

Of course, I have a hard time believing that @jsimoni and I are the only ones trying to use session tagging w/ Github's OIDC, so I'm thinking we just don't know how to do it properly.

[roskelleycj]

Just another note. Trying to follow AWS docs I came across this endpoint for Github OIDC:

https://token.actions.githubusercontent.com/.well-known/openid-configuration

And if you execute a curl on that endpoint you find that it returns the list of claims_supported and you will note that https://aws.amazon.com/tags is not listed. 🤷

[roskelleycj]

Added similar thread on aws-actions/configure-aws-credentials

[roskelleycj]

Looks like others found a similar issue and made a work around that is not very pretty: https://github.com/glassechidna/ghaoidc

[ScottGuymer]

+1 for this.

It would be an amazing feature to be able dynamically provide access to resources based on for instance the repository name. By using OIDC we increase security significantly.

For our 8k+ repos it's not feasible to create individual policies.

[roskelleycj]

@ethomson is this somewhere on the roadmap? I see that OIDC customization was added recently. That is great! Just curious how the JWT could be customized in a very similar manner? This would be so powerful and useful to control security associated between AWS Cloud and GitHub Actions for an Enterprise/Org/Repo. 😊

[elduds]

Adding my and my enterprise employer's +1 to this issue. Have also raised a Premium Support ticket #2047747

[ronanj2]

Hi @elduds , did you get sorted here?

[nebuk89]

No comments recently I know but let me poke this and see where we are at

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐