dan*_*alk 19 amazon-iam openid-connect
Similar to this policy question on ForAnyValue:StringLike, is it possible to define multiple values in the condition of the same federated OIDC provider policy statement?
Specifically, I am trying to allow multiple subjects from GitHub Actions OIDC, so that actions from a specific repository or branch can run operations against AWS resources.
The sub (subject) field is used to populate the claim.
Using a single value (i.e. a single repository) in the condition for each configure-aws-credentials action works as expected:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:pull_request"
        }
      }
    }
  ]
}
Whereas using ForAnyValue:StringLike with multiple values produces the error Not authorized to perform sts:AssumeRoleWithWebIdentity:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
            "repo:myorg/myrepo:ref:refs/heads/test-branch-2"
          ]
        }
      }
    }
  ]
}
The policy syntax is correct; the GitHub Actions workflow was wrong. I needed to use on.push.branches and specify the branch names, because pull_request behaves differently.
on:
  push:
    branches: [ test-branch-2, test-branch-1 ]
jobs:
  tmp:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      # Prepare AWS credentials using OIDC provider (uses id-token and contents)
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: eu-west-2
      - run: aws s3 ls s3://my-bucket