Allow multiple conditions for IAM Federated OIDC providers for GitHub Actions

Similar to this policy question, is it possible to define multiple ForAnyValue:StringLike values in the same federated OIDC provider policy statement condition?

Specifically, I am trying to allow multiple subjects from GitHub Actions OIDC, to allow actions from specific repositories or branches to run actions against an AWS resource.

The sub (subject) field is used to populate the claim.

Using a single value in the condition per the Configure AWS Credentials Action (i.e. a single repo) works as expected:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:pull_request"
        }
      }
    }
  ]
}

whereas using ForAnyValue:StringLike with multiple values gives the error Not authorized to perform sts:AssumeRoleWithWebIdentity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
            "repo:myorg/myrepo:ref:refs/heads/test-branch-2"
          ]
        }
      }
    }
  ]
}
danialk asked Dec 06 '25 01:12



1 Answer

The policy syntax is correct; the GitHub Actions workflow was incorrect. I needed to be using on.push.branches and specifying the branch names; pull_request behaves differently.

on:
  push:
    # A push to one of these branches produces the token subject
    # repo:<org>/<repo>:ref:refs/heads/<branch>, which the trust policy matches.
    branches: [ test-branch-2, test-branch-1 ]

jobs:
  tmp:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for the job to request an OIDC token from GitHub
      contents: read
    steps:
      # Prepare AWS credentials using OIDC provider (uses id-token and contents)
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: eu-west-2
      - run: aws s3 ls s3://my-bucket
danialk answered Dec 09 '25 00:12

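The trust policy and the workflow trigger are evaluated together, so the following Python script, added here as an example and not code from the question, the answer, AWS or GitHub, simulates how the condition block in the question is matched against the claims GitHub puts in the token. It models the IAM semantics the page relies on (StringLike with * and ?, several values for one key ORed, keys ANDed) and GitHub's documented default sub formats; the account ID, the aud check and the token claim sets are constructed for the example. It shows why the branch patterns only match on a push: the sub for a pull_request run is repo:myorg/myrepo:pull_request, which carries no branch ref. It also shows that, because sub is single-valued, plain StringLike with a list behaves the same as ForAnyValue:StringLike, and that a wildcard such as repo:myorg/myrepo:* would let any event from the repository, pull requests included, assume the role.

```python
"""Simulate IAM trust-policy condition evaluation against GitHub Actions OIDC
token claims.  Added example for this page, not code from the question, the
answer, AWS or GitHub.  Modelled semantics: StringLike wildcards '*' and '?',
values for one key ORed, keys ANDed (per IAM docs); 'sub' formats per GitHub's
documented defaults.  Principal matching and other operators are out of scope."""
import re
from typing import Any, Dict, List, Union

PROVIDER = "token.actions.githubusercontent.com"


def iam_glob(pattern: str) -> re.Pattern:
    # IAM StringLike knows only '*' (any run) and '?' (one char); everything
    # else is literal, unlike fnmatch which also interprets [...] classes.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


def as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def key_matches(operator: str, value: str, patterns: Union[str, List[str]]) -> bool:
    """One condition key: multiple values are ORed.  'sub' is single-valued, so
    'ForAnyValue:StringLike' and plain 'StringLike' give the same answer here."""
    base = operator.rsplit(":", 1)[-1]          # strip ForAnyValue:/ForAllValues:
    if base == "StringEquals":
        return value in as_list(patterns)
    if base == "StringLike":
        return any(iam_glob(p).fullmatch(value) for p in as_list(patterns))
    raise NotImplementedError(f"operator {operator} is not modelled")


def trust_policy_allows(policy: Dict[str, Any], claims: Dict[str, str]) -> bool:
    """True when some Allow statement for sts:AssumeRoleWithWebIdentity has
    every condition key satisfied by the token claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
            continue
        satisfied = True
        for operator, keyvals in stmt.get("Condition", {}).items():
            for key, patterns in keyvals.items():
                provider, _, claim = key.partition(":")   # "<provider>:sub"
                value = claims.get(claim) if provider == PROVIDER else None
                if value is None or not key_matches(operator, value, patterns):
                    satisfied = False            # a missing key fails the match
        if satisfied:
            return True
    return False


def github_sub(repo: str, event: str, ref: str = "") -> str:
    """Default 'sub' claim: push and workflow_dispatch carry the git ref,
    pull_request carries only the literal word 'pull_request' (no branch)."""
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"


def token_claims(sub: str, aud: str = "sts.amazonaws.com") -> Dict[str, str]:
    # Constructed claim set; a real token carries many more (repository, actor, ...).
    return {"iss": f"https://{PROVIDER}", "aud": aud, "sub": sub}


# Constructed trust policy: the two-branch condition from the question plus the
# audience check (configure-aws-credentials requests aud=sts.amazonaws.com).
BRANCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
            "ForAnyValue:StringLike": {f"{PROVIDER}:sub": [
                "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
                "repo:myorg/myrepo:ref:refs/heads/test-branch-2",
            ]},
        },
    }],
}


def evaluate_events(policy: Dict[str, Any], repo: str = "myorg/myrepo") -> Dict[str, bool]:
    """Outcome for the same repository under different workflow triggers."""
    def push(ref: str, aud: str = "sts.amazonaws.com") -> Dict[str, str]:
        return token_claims(github_sub(repo, "push", ref), aud=aud)

    return {
        "push:test-branch-1": trust_policy_allows(policy, push("refs/heads/test-branch-1")),
        "push:main": trust_policy_allows(policy, push("refs/heads/main")),
        "pull_request": trust_policy_allows(policy, token_claims(github_sub(repo, "pull_request"))),
        "push:test-branch-1:bad-aud": trust_policy_allows(policy, push("refs/heads/test-branch-1", aud="other")),
    }


if __name__ == "__main__":
    for trigger, allowed in evaluate_events(BRANCH_POLICY).items():
        print(f"{trigger:28} -> {'allowed' if allowed else 'denied'}")
```

Run it directly to print a verdict per trigger. The Federated principal only says which provider signed the token, not which repository sent it, so the sub patterns and the aud condition are what actually scope the role; keep the sub patterns as specific as the workflows allow and avoid a trailing wildcard on the whole repository unless every event type is meant to assume the role.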


