This is my pipeline.yaml, truncated up to this action:
```yaml
name: Deploy
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: self-hosted
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::***:role/gha-my-role
          aws-region: ap-south-1
          role-session-name: GithubActionsSession
      - name: get-caller-identity
        run: aws sts get-caller-identity
```
This is my trust relationship for that role:
```hcl
data "aws_iam_policy_document" "github_policy" {
  statement {
    sid     = 1
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_arn]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.org}/${var.repo}:ref:refs/heads/${var.branch}"]
    }
  }
  statement {
    sid    = 2
    effect = "Allow"
    actions = [
      "sts:TagSession",
      "sts:AssumeRole",
      "sts:AssumeRoleWithWebIdentity"
    ]
    principals {
      type        = "AWS"
      identifiers = [***]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalARN"
      values   = ["arn:aws:iam::***:role/self-hosted-runner-iam-role"]
    }
  }
}
```
The policy attached to the self-hosted-runner-iam-role is:
```json
{
  "Sid": "1",
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole",
    "sts:TagSession",
    "sts:AssumeRoleWithWebIdentity"
  ],
  "Resource": "arn:aws:iam::***:role/*"
}
```
IAM OIDC provider config:
```hcl
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws
resource "aws_iam_openid_connect_provider" "github_oidc" {
  url = "https://token.actions.githubusercontent.com"
  client_id_list = [
    "sts.amazonaws.com"
  ]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
```
And this is the error:
```text
Run aws-actions/configure-aws-credentials@v1
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity
```
UPDATE:
```yaml
permissions:
  id-token: write
  contents: read
```
Also, one strange thing I have observed: if I configure the role for a specific branch and I don't define the above permission lines in my workflow file, it works fine even when I trigger the workflow from another branch.
Example: I have configured an IAM role prod-deploy on AWS with the privileges mentioned above for branch master only. But if I use the same role from another branch, let's say main-test, it works fine as long as I don't add this permission block.
Linked Issue: https://github.com/aws-actions/configure-aws-credentials/issues/345
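The `StringLike` condition on `sub` in the posted trust policy is the check that decides which workflow runs may assume the role. The following is an added example, not code from the question or from any of the tools it mentions: it evaluates that condition, with IAM's `*`/`?` wildcard semantics, against constructed GitHub OIDC `sub` claims for a push to master, a push to another branch, a pull request and a tag, using placeholder org/repo names. It also checks the `aud` claim, which the GitHub docs linked above recommend conditioning on and which the posted policy does not.

```python
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def iam_string_like(pattern: str, value: str) -> bool:
    """Evaluate an IAM StringLike condition: '*' matches any run of characters,
    '?' matches exactly one; everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def github_sub_claim(org: str, repo: str, *, branch=None, tag=None, pull_request=False) -> str:
    """Build the `sub` claim GitHub puts in the OIDC token for common triggers."""
    prefix = f"repo:{org}/{repo}"
    if pull_request:
        return f"{prefix}:pull_request"
    if tag is not None:
        return f"{prefix}:ref:refs/tags/{tag}"
    return f"{prefix}:ref:refs/heads/{branch}"


def trust_allows(claims: dict, sub_patterns: list, aud: str = "sts.amazonaws.com") -> bool:
    """Mirror the Federated statement: token must come from GitHub's issuer, `aud`
    must be the client id registered on the provider, and `sub` must match."""
    if claims.get("iss") != GITHUB_ISSUER or claims.get("aud") != aud:
        return False
    return any(iam_string_like(p, claims.get("sub", "")) for p in sub_patterns)


# Constructed placeholder values standing in for var.org / var.repo / var.branch.
ORG, REPO, BRANCH = "example-org", "example-repo", "master"
POLICY_SUBS = [f"repo:{ORG}/{REPO}:ref:refs/heads/{BRANCH}"]


def evaluate_cases() -> dict:
    """Run several constructed token subjects through the trust condition."""
    cases = {
        "push master": github_sub_claim(ORG, REPO, branch="master"),
        "push main-test": github_sub_claim(ORG, REPO, branch="main-test"),
        "pull_request": github_sub_claim(ORG, REPO, pull_request=True),
        "tag v1.0": github_sub_claim(ORG, REPO, tag="v1.0"),
    }
    return {name: trust_allows({"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "sub": sub},
                               POLICY_SUBS) for name, sub in cases.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_cases().items():
        print(f"{name:15} -> {'allowed' if allowed else 'denied'}")
```

Only the master push subject satisfies the posted condition; a pattern such as `repo:ORG/REPO:*` would instead admit every trigger in the repository, which is the usual over-permissive mistake to look for when reviewing these trust policies.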