Github Actions IP Ranges for Whitelist

Hello, we are trying to see if it’s possible to whitelist GitHub Actions IP ranges to ensure that only GitHub Actions runners can assume a particular role in AWS, utilizing the following action: https://github.com/aws-actions/configure-aws-credentials

I’m a little confused by the description of the GitHub Actions IP ranges, described here:
https://docs.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners#ip-addresses-of-github-hosted-runners

First question: the docs say that the IP Ranges+ServiceTags JSON file is updated weekly. Does that mean the IP ranges change every week? Do we need to continuously update our whitelist in line with the values in the JSON? Or, now that I’ve downloaded this file, should the values in it remain relatively static?

Second, it says that the IP address ranges are the same as the Azure data center ranges and uses an example of IP address prefixes from AzureCloud.eastus2. Is AzureCloud synonymous with Azure data center in this context? And would we just need to find all the IP ranges in AzureCloud.[eastus, eastus2, westus2...]?

Third, I happened to be scrolling through the list and saw the service ActionGroup. Is that something different from GitHub Actions? Or can I use the address prefixes in these lists instead of whitelisting all of Microsoft Azure?

    {
      "name": "ActionGroup.EastUS",
      "id": "ActionGroup.EastUS",
      "properties": {
        ...
      }
    },
    {
      "name": "ActionGroup",
      "id": "ActionGroup",
      "properties": {
        ...
      }
    },

I found a partial answer to my first question in the fine print:

This file is updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. Please download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.

This leads to a follow-up: is it possible for IP addresses to drop out of the list every week, or is it entirely for adding new ranges? Based on the wording, it seems like it could just be that they may add a new IP every once in a while.

Hi @GoldFlsh,

Glad to see you in the GitHub Community Forum!

  1. Yes, it’s possible for IP addresses to drop out of the list.
  2. Please see https://github.com/andymckay/actions-ips as an open source library to get and update the list of IPs from the list. We’ll try and keep that up to date as things change. Specifically https://github.com/andymckay/actions-ips/blob/262a439a34e535ae2c77f4cf49cbad270c456d95/ips.py#L25-L32 as the zones we use.
  3. Please ignore AzureCloud.

Thanks.


The list is too large to use for my use case, since AWS trust policies have a size limit. But the answer addresses my main confusion around the language in the GitHub docs, thank you :slight_smile:
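The two practical points in the thread so far are extracting only the AzureCloud.<region> prefixes from the Service Tags file (what the linked actions-ips script does) and then checking whether the result still fits an AWS trust policy. The following is an added example, not code from the thread or from actions-ips: it parses a constructed sample in the shape of the Service Tags JSON (the real file uses the same name/id/properties/addressPrefixes keys), collapses adjacent blocks to keep the list short, and reports whether an aws:SourceIp trust policy built from it stays under a configurable size limit. The principal ARN is a placeholder and the 2048-character default is an assumption to verify against your own account's IAM quota.

```python
import ipaddress
import json

# Constructed sample in the shape of the Azure Service Tags file the thread
# discusses (a real file carries hundreds of tags and thousands of prefixes).
SAMPLE_SERVICE_TAGS = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus2", "id": "AzureCloud.eastus2", "properties": {
            "region": "eastus2",
            "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westus2", "id": "AzureCloud.westus2", "properties": {
            "region": "westus2",
            "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25"]}},
        {"name": "ActionGroup", "id": "ActionGroup", "properties": {
            "region": "", "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

def collect_prefixes(service_tags_json, tag_names, ipv4_only=True):
    """Return collapsed, sorted CIDR strings for the named service tags only."""
    # Adjacent/overlapping blocks are merged, which keeps the condition small.
    wanted = set(tag_names)
    nets = []
    for tag in json.loads(service_tags_json)["values"]:
        if tag["name"] not in wanted:
            continue  # skip tags we were not asked for (e.g. ActionGroup)
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if not ipv4_only or net.version == 4:
                nets.append(net)
    collapsed = []
    for version in (4, 6):  # collapse_addresses needs a single address family
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in collapsed]

def build_trust_policy(prefixes, principal_arn, max_chars=2048):
    """Return (policy_json, fits): compact trust policy plus a size check."""
    # 2048 chars is the default IAM trust-policy limit (assumption: verify quota).
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"IpAddress": {"aws:SourceIp": prefixes}},
    }]}
    text = json.dumps(policy, separators=(",", ":"))
    return text, len(text) <= max_chars
```

Run collect_prefixes against a freshly downloaded Service Tags file each week, as the fine print quoted above asks, and compare the output with the deployed policy so both added and dropped ranges are caught.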

The whitelist is used to restrict access to protected resources, like a private registry. Whitelisting the IP ranges of Azure’s regions basically allows the entire Azure region to access said resources. This is not a viable practice. I hope GitHub could limit runner IPs to a fixed range.