aws-iam: Unable to use sts:AssumeRoleWithWebIdentity to assume a role #31128
Labels
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
bug
This issue is a bug.
needs-triage
This issue or PR still needs to be triaged.
Comments
RichardoC added the bug and needs-triage labels on Aug 16, 2024.
github-actions bot added the @aws-cdk/aws-iam label on Aug 16, 2024.
Not needed, instead use the following:

```typescript
const githubActionsRole = new cdk.aws_iam.Role(this, "GithubActionsRole", {
  roleName: "GithubActionsRole", // Must be static to make cross account auth easier
  assumedBy: new cdk.aws_iam.PrincipalWithConditions(
    new cdk.aws_iam.WebIdentityPrincipal(
      `arn:aws:iam::${this.account}:oidc-provider/token.actions.githubusercontent.com`
    ),
    // It's important that this role is locked down to only our github orgs, as otherwise anyone on github could use permissions on our AWS infrastructure.
    {
      StringEquals: {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
      },
      StringLike: {
        "token.actions.githubusercontent.com:sub": "repo:example-organisation/*", // This currently allows all repos in the tesslio github org to assume this role.
      },
    }
  ),
});
```
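The comment above relies on two trust-policy conditions (`aud` and `sub`) plus the `sts:AssumeRoleWithWebIdentity` action the issue body asks for. The following check, added here and not part of the issue or the CDK project, lints a synthesized trust policy for exactly those properties; the policy objects, account id and org name are constructed sample data, and `lintGithubTrust` is a hypothetical helper.

```typescript
// Shape of the AssumeRolePolicyDocument as `cdk synth` emits it (subset).
type Statement = {
  Effect: string;
  Action: string | string[];
  Principal: { Federated?: string; AWS?: string | string[] };
  Condition?: Record<string, Record<string, string | string[]>>;
};
type TrustPolicy = { Version: string; Statement: Statement[] };

const GITHUB_OIDC = "token.actions.githubusercontent.com";

// Returns a list of problems; an empty list means every GitHub OIDC statement is locked down.
function lintGithubTrust(policy: TrustPolicy, allowedOrg: string): string[] {
  const problems: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    // Only statements whose principal is the GitHub OIDC provider are in scope.
    if (!s.Principal.Federated?.endsWith(`:oidc-provider/${GITHUB_OIDC}`)) continue;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    // A web identity principal must be granted AssumeRoleWithWebIdentity, not AssumeRole.
    if (!actions.includes("sts:AssumeRoleWithWebIdentity")) problems.push("action is not sts:AssumeRoleWithWebIdentity");
    // Audience must be pinned to STS so a token minted for another audience cannot be replayed here.
    const aud = s.Condition?.StringEquals?.[`${GITHUB_OIDC}:aud`];
    if (aud !== "sts.amazonaws.com") problems.push("aud condition missing or not sts.amazonaws.com");
    // Subject must be scoped to our org; without it any GitHub repository could assume the role.
    const sub = s.Condition?.StringLike?.[`${GITHUB_OIDC}:sub`] ?? s.Condition?.StringEquals?.[`${GITHUB_OIDC}:sub`];
    const subs = sub === undefined ? [] : Array.isArray(sub) ? sub : [sub];
    if (subs.length === 0) problems.push("sub condition missing: any GitHub repository could assume the role");
    for (const v of subs) {
      if (!v.startsWith(`repo:${allowedOrg}/`)) problems.push(`sub pattern "${v}" is not scoped to org ${allowedOrg}`);
    }
  }
  return problems;
}

// Constructed sample: what the comment's PrincipalWithConditions(WebIdentityPrincipal(...)) synthesizes to.
const lockedDown: TrustPolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${GITHUB_OIDC}` },
  Condition: { StringEquals: { [`${GITHUB_OIDC}:aud`]: "sts.amazonaws.com" },
               StringLike: { [`${GITHUB_OIDC}:sub`]: "repo:example-organisation/*" } },
}] };
// Constructed sample: the unconditioned sts:AssumeRole trust the issue reports.
const wideOpen: TrustPolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRole",
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${GITHUB_OIDC}` },
}] };
```

Running `lintGithubTrust(lockedDown, "example-organisation")` yields no findings, while the wide-open policy reports the wrong action and both missing conditions.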
Describe the bug
Due to aws-cdk/packages/aws-cdk-lib/aws-iam/lib/role.ts (line 373 in 9acd528):
This matters when using OIDC to assume a role over on AWS, as you should only be able to do sts:AssumeRoleWithWebIdentity.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
Users would be able to set which assumeRoleAction they want to use, as documented in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#:~:text=Description-,assumeroleaction,-string
Current Behavior
assumeRoleAction is always sts:AssumeRole
Reproduction Steps
Create a role