Github Actions - Cloud
Successful research comprises multiple failed research attempts. Here are some documented failures :)
This is a failed research attempt where I tried to explore AWS and GCP authentication for GitHub Actions. Organizations are using GitHub Actions coupled with AWS, GCP and other cloud providers.
Sample github actions file :-
This YAML template is a basic template where STS tokens are fetched from the Role and used in later stages. On the backend, the owner of this AWS account has to create a Role called GuruGithubCICDRole with the following trust relationship :-
As is clear from the trust relationship, there is no link to the target GitHub repository, meaning anyone should be able to create a GitHub Action in their own account that assumes this role.
My hypothesis : Since any GitHub account can create such an action, I should be able to assume any such role using my personal GitHub Actions on my account. All I need is the Role ARN and the region, which would be publicly exposed in the actions files as shown above.
Result : On the first try it threw an AccessDeniedException, which indicated something I had missed. Turns out AWS has a recommendation where they recommend customers add one more field called token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
which dictates from which GitHub account and which repository this role can be used in their GitHub Actions.
A similar result was obtained for GCP as well. But it turns out that, unlike GCP, AWS has not made this sub field compulsory, which means there will be some GitHub repositories whose roles can be exploited in this manner.
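To make the gap concrete from the defender's side, here is an added example (my own, not code from the original post) that audits an IAM role trust policy for exactly the missing condition described above: it flags any Allow statement trusting the GitHub OIDC provider that never constrains the `token.actions.githubusercontent.com:sub` claim. Both sample policies are constructed; the account id and the org/repo names are placeholders.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"  # placeholder account id

# Constructed sample: trusts the GitHub OIDC provider with no 'sub' condition (the weak form the post describes).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
})

# Constructed sample: same role, but the 'sub' claim pins it to one org/repo (names are placeholders).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:GuruOrg/GuruRepo:*"},
        },
    }],
})


def find_unpinned_github_statements(policy_json: str) -> list:
    """Return Allow statements that trust the GitHub OIDC provider but never constrain the 'sub' claim."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object instead of a list
        statements = [statements]
    findings = []
    for stmt in statements:
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", []) if isinstance(principal, dict) else []
        if isinstance(federated, str):
            federated = [federated]
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in f for f in federated):
            continue
        # The sub key may sit under any condition operator (StringEquals, StringLike, ...)
        condition_keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}
        if f"{GITHUB_OIDC}:sub" not in condition_keys:
            findings.append(stmt)
    return findings
```

Running the checker over every role's `AssumeRolePolicyDocument` in an account gives the list of roles any GitHub repository could assume, which is the set the post says AWS does not prevent by default.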