aripalo / aws-cdk-github-oidc
CDK constructs to use OpenID Connect for authenticating your GitHub Actions workflow with AWS IAM
License: Apache License 2.0
Currently, it is only possible to set one filter per role.
aws-cdk-github-oidc/src/role.ts, lines 163 to 166 in 53de62a
However, I believe it is possible to support an array of filters, like so:
"Condition": {
  "ForAnyValue:StringLike": {
    "token.actions.githubusercontent.com:sub": [
      "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
      "repo:myorg/myrepo:ref:refs/heads/test-branch-2"
    ]
  }
}
(not actually tested, source)
As stated in issue #24, AWS is now handling the GitHub connection verification via a trusted root CA, and IAM ignores the provided thumbprints.
So the deprecated thumbprints should now be removed.
Release a new v2 major with CDK v2 support
CDK v1 entered maintenance mode a year ago. There should be no need to support it anymore, so we should deprecate the release branch for the v1-compatible construct (it has not even been updated at all).
It seems that the library does not support partitions other than the default one.
I have an implementation for this and I will open a PR soon.
When making a role like so:
const githubActionsRole = new GithubActionsRole(this, roleName, {
  roleName: roleName,
  provider,
  owner: 'f',
  repo: 'catalog',
  filter: 'ref:refs/heads/main',
});
it makes a policy like this:
"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
  },
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:f/catalog:ref:refs/head/main"
  }
}
but it will not work with GitHub unless it is this:
"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com/jamf:sub": "repo:f/catalog:ref:refs/heads/main",
    "token.actions.githubusercontent.com/jamf:aud": "sts.amazonaws.com"
  }
}
It behaves similarly with or without the filter defined.
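The two reports above (allowing several branch filters on one role, and condition keys that do not match the provider the role actually trusts) both come down to how IAM evaluates the trust policy Condition. The TypeScript below is an added example written for this page, not code from aripalo/aws-cdk-github-oidc; the function and type names (buildGithubOidcCondition, conditionAllows, stringLikeToRegExp) are assumptions. It builds the Condition for a list of filters and checks constructed token claims against it, modelling StringEquals, StringLike wildcards, OR across an array of values under one key, and the rule that a condition key's prefix must be the provider URL without https:// (including any enterprise path such as /jamf). It uses a plain StringLike array rather than the ForAnyValue set operator, which IAM intends for multivalued context keys; sub is single-valued, and an array under one key is already evaluated as OR.

```typescript
// Added example, not code from aripalo/aws-cdk-github-oidc: builds the IAM
// trust-policy Condition for a GitHub Actions OIDC role and evaluates a token's
// claims against it the way IAM's StringEquals/StringLike operators do.
// All function and type names below are assumptions made for this example.

const DEFAULT_ISSUER_HOST = 'token.actions.githubusercontent.com';

type CondValues = Record<string, string | string[]>;
type Condition = { StringEquals: CondValues; StringLike: CondValues };
type Claims = { iss: string; sub: string; aud: string };

/**
 * Build the Condition block. `filters` may hold several entries (several
 * branches, tags or environments); IAM evaluates an array of values under one
 * key as a logical OR, so no ForAnyValue set operator is needed for the
 * single-valued `sub` key. `issuerHost` must equal the provider URL without
 * "https://", including any enterprise path such as ".../jamf".
 */
function buildGithubOidcCondition(
  owner: string,
  repo: string,
  filters: string[] = ['*'],
  issuerHost: string = DEFAULT_ISSUER_HOST,
): Condition {
  if (filters.length === 0) throw new Error('at least one filter is required');
  const subs = filters.map((f) => `repo:${owner}/${repo}:${f}`);
  return {
    StringEquals: { [`${issuerHost}:aud`]: 'sts.amazonaws.com' },
    StringLike: { [`${issuerHost}:sub`]: subs.length === 1 ? subs[0] : subs },
  };
}

/** IAM StringLike: case-sensitive, `*` matches any run of characters, `?` exactly one. */
function stringLikeToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

function valuesOf(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

/**
 * Decide whether a token with these claims satisfies the Condition. Condition
 * keys have the form "<issuer host[/path]>:<claim>"; a key whose prefix differs
 * from the token's `iss` (for example a provider registered with an enterprise
 * path) never matches, which is the failure mode in the report above.
 */
function conditionAllows(cond: Condition, claims: Claims): boolean {
  const issuerPrefix = claims.iss.replace(/^https:\/\//, '');
  const claimMap: Record<string, string> = claims;
  const lookup = (key: string): string | undefined => {
    const i = key.lastIndexOf(':');
    return key.slice(0, i) === issuerPrefix ? claimMap[key.slice(i + 1)] : undefined;
  };
  const check = (block: CondValues, matches: (p: string, v: string) => boolean): boolean =>
    Object.entries(block).every(([key, v]) => {
      const value = lookup(key);
      if (value === undefined) return false;
      const got: string = value;
      return valuesOf(v).some((p) => matches(p, got));
    });
  return (
    check(cond.StringEquals, (p, v) => p === v) &&
    check(cond.StringLike, (p, v) => stringLikeToRegExp(p).test(v))
  );
}

// Usage: two branches allowed on the default provider.
const twoBranches = buildGithubOidcCondition('myorg', 'myrepo', [
  'ref:refs/heads/test-branch-1',
  'ref:refs/heads/test-branch-2',
]);
console.log(JSON.stringify({ Condition: twoBranches }, null, 2));
```

Running it prints the Condition for the two-branch case. The evaluation helper is the kind of check a unit test around a synthesized role's AssumeRolePolicyDocument can run before deploying: it catches a sub pattern typo such as refs/head/main, and a provider registered with an enterprise path whose keys were generated with the plain host.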
GitHub has updated their certificates:
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
You can see the thread of challenges for people here:
aws-actions/configure-aws-credentials#357
For a temporary workaround:
// Override the construct's static thumbprint list with the thumbprint GitHub
// published on 2023-06-27 plus the previous one, before creating the provider.
(GithubActionsIdentityProvider as any).thumbprints = [
  '1c58a3a8518e8759bf075b76b750d4f2df264fcd', // 2023-06-27
  '6938fd4d98bab03faadb97b34396831e3780aea1',
];
const provider = new GithubActionsIdentityProvider(this, 'GithubProvider');
I cannot make a PR against origin, but essentially here is the fix:
pmoghaddam#1
I extended the code to more natively support overriding going forward.
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
I already upgraded to NodeJS v16 locally but forgot to update the NodeJS version in projenrc & nvmrc etc.
You can use https://github.com/mrgrain/jsii-struct-builder to produce your Partial based on RoleProps: https://github.com/aripalo/aws-cdk-github-oidc/blob/main/src/iam-role-props.ts
You can see an example here: https://github.com/blimmer/cdk-static-wordpress/blob/372b42e9c9c3eb1bfde8c61afbded0188ca08d6c/.projenrc.ts#L66-L92
Hi there,
Just wanted to let you know that you can omit the GitHub certificate thumbprints and CDK/AWS will fetch them on its own.
I am referring to these lines:
https://github.com/aripalo/aws-cdk-github-oidc/blob/main/src/provider.ts#L20-L23
See also the thumbprints parameter in the official docs:
Type: string[] (optional, default: If no thumbprints are specified (an empty array or undefined), the thumbprint of the root certificate authority will be obtained from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)
It's probably easier if you stick with that solution as a construct library maintainer; in case GitHub changes its certificate, you don't need to maintain thumbprints at all.
NodeJS v14 LTS has reached its end-of-life. Latest Projen requires active LTS version of NodeJS:
In some ways, this could be a major version release (for this construct), but as fixing current vulnerabilities requires updating Projen as well, using NodeJS v14 results in a build error (for this construct):
So, doing this in a non-major version bump isn't optimal (and apologies to anyone this may cause trouble for), but requiring NodeJS v16 is a reasonable requirement (in my mind at least) because:
On that note, I will be enabling Dependabot security update Pull Requests for this repo (I dunno why I've disabled them at some point - probably an accident), to hopefully avoid this kind of mess in the future where a lot of dependency updates are required in one go.
Currently Go deployment fails: https://github.com/aripalo/aws-cdk-github-oidc/actions/runs/5744594271/job/15571212677
Might be an issue with expired token or something. Need to investigate later.
Looks like the custom constructs in this library are not taggable. Therefore tags added on the stack or app level don't propagate to resources created by custom constructs in this library.