A concern for secrets security #43

Open
barywhyte opened this issue Sep 2, 2022 · 2 comments

Comments

@barywhyte

barywhyte commented Sep 2, 2022

This is not an issue. Please pardon me, as I do not know where to put this.

So I am implementing GitHub OpenID Connect to retrieve secrets from AWS Secrets Manager instead of an AWS user that uses AWS credentials. I do not want to store any secrets using GitHub secrets. It also looks like OpenID Connect is GitHub Actions' preferred method of authentication into AWS. So I went for it with the Terraform aws_iam_openid_connect_provider resource, as seen at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider

Here is my workflow after deploying the AWS role:

```yaml
jobs:
  trigger-build:
    runs-on: ubuntu-latest

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::{aws_account_id}:role/AWSRole
          audience: sts.amazonaws.com

      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: bitovi/[email protected]
        with:
          secrets: |
            my_secret
          parse-json: true
      - name: Trigger Pipeline
        env:
          CIRCLE_BRANCH: ${{ github.head_ref }}
          TOKEN: ${my_secret}
```

My concern/question (and please forgive my naivety) is: is it possible for an attacker to copy this entire code and use it in different GitHub Actions jobs to access my secret `my_secret`? I don't seem to find any additional protection for this chunk of code.

@operatorequals

First of all, you might need to fix your text's format. The question is hidden in code, as you entered ``` with indentation.

Secondly, it has to do with the Role's Assume Policy. The role can have an Assume Policy that prevents access from other repositories. You can see an example below:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubRepositoryAccess",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[...]:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:<USERNAME>/<REPO>:*"
                }
            }
        }
    ]
}
```

This one allows the AWS Role to be assumed only from <USERNAME>/<REPO> repository workflows.

Hope I helped!
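Added example (not part of the thread and not the project's code): a small Python audit for a role trust policy like the one in the answer above. It flags GitHub OIDC statements whose `aud`/`sub` conditions do not pin the role to one repository, and it simulates whether a token carrying a given `sub` claim would satisfy the policy, so the difference between the pinned policy and one without a `sub` condition can be seen directly. The account ID, repository names and the `OVERLY_BROAD_POLICY` variant are constructed placeholder values; the wildcard matching follows IAM's `StringLike` rules (`*` and `?` only), and `StringEquals`/`StringLike` are the only condition operators it evaluates.

```python
import json
import re

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"

# Constructed sample modelled on the trust policy in the comment above.
# Account ID and repository are placeholders, not real values.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GithubRepositoryAccess",
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"},
        "Action": ["sts:TagSession", "sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringLike": {AUD_KEY: "sts.amazonaws.com",
                                     SUB_KEY: "repo:example-org/example-repo:*"}},
    }],
})

# Constructed variant with the sub condition removed: tokens from any repository pass.
_broad = json.loads(SAMPLE_TRUST_POLICY)
del _broad["Statement"][0]["Condition"]["StringLike"][SUB_KEY]
OVERLY_BROAD_POLICY = json.dumps(_broad)


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _conditions(stmt):
    """Flatten StringEquals/StringLike blocks into {condition key: [(operator, pattern), ...]}."""
    out = {}
    for op in ("StringEquals", "StringLike"):
        for key, pats in stmt.get("Condition", {}).get(op, {}).items():
            out.setdefault(key, []).extend((op, p) for p in _as_list(pats))
    return out


def _github_assume_statements(policy):
    """Yield (Sid, statement) for Allow statements letting the GitHub OIDC provider assume the role."""
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow"
                and any(GITHUB_OIDC_ISSUER in f for f in federated)
                and any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions)):
            yield stmt.get("Sid", f"Statement[{i}]"), stmt


def audit_trust_policy(policy_json):
    """Return findings for GitHub OIDC statements not pinned to a single repository (empty = none)."""
    findings = []
    for sid, stmt in _github_assume_statements(json.loads(policy_json)):
        conds = _conditions(stmt)
        auds = [p for _, p in conds.get(AUD_KEY, [])]
        subs = [p for _, p in conds.get(SUB_KEY, [])]
        if not auds or any("*" in a for a in auds):
            findings.append(f"{sid}: audience not pinned to sts.amazonaws.com")
        if not subs:
            findings.append(f"{sid}: no sub condition, any GitHub repository could assume this role")
        for sub in subs:
            # sub claims look like repo:<owner>/<repo>:<ref or environment>; the owner/repo
            # part must be literal, otherwise the pattern spans more than one repository.
            owner_repo = sub.split(":")[1] if sub.startswith("repo:") else ""
            if "/" not in owner_repo or "*" in owner_repo or "?" in owner_repo:
                findings.append(f"{sid}: sub pattern {sub!r} is not limited to a single repository")
    return findings


def token_would_be_accepted(policy_json, claims):
    """Simulate AssumeRoleWithWebIdentity: does a token with these claims satisfy any Allow statement?
    Values under one key are OR-ed, keys are AND-ed, and a missing claim fails the condition."""
    for _, stmt in _github_assume_statements(json.loads(policy_json)):
        conds = _conditions(stmt)
        if all(claims.get(key) is not None and
               any(claims[key] == p if op == "StringEquals" else _iam_like(p, claims[key])
                   for op, p in tests)
               for key, tests in conds.items()):
            return True
    return False


if __name__ == "__main__":
    own_repo = {AUD_KEY: "sts.amazonaws.com", SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}
    other_repo = {AUD_KEY: "sts.amazonaws.com", SUB_KEY: "repo:other-org/other-repo:ref:refs/heads/main"}
    for name, policy in (("pinned", SAMPLE_TRUST_POLICY), ("broad", OVERLY_BROAD_POLICY)):
        print(name, audit_trust_policy(policy) or "no findings")
        print("  own repo accepted:", token_would_be_accepted(policy, own_repo))
        print("  other repo accepted:", token_would_be_accepted(policy, other_repo))
```

Running the script shows the pinned policy with no findings and rejecting the other repository's token, while the variant without a `sub` condition accepts it; the same check can be pointed at a real trust policy exported with `aws iam get-role`.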

@barywhyte
Author

@operatorequals That helped! Thank you! And thanks too for the correction about text alignment.
