# Github Actions - Cloud

This is a failed research attempt in which I tried to explore AWS and GCP authentication for GitHub Actions. Organizations are using GitHub Actions coupled with AWS, GCP and other cloud providers.

Sample GitHub Actions workflow file :-

```
# Sample workflow to access AWS resources when workflow is tied to branch
# The workflow Creates static website using aws s3
name: AWS example workflow
on:
  push

# permission can be added at job level or workflow level    
permissions:
      id-token: write   # This is required for requesting the JWT
      contents: read    # This is required for actions/checkout
jobs:
  S3PackageUpload:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::12345678910:role/GuruGitHubCICDRole
          aws-region: us-east-1
```

This `yaml` template is a basic one: the `id-token: write` permission lets the job request a short-lived OIDC JWT from GitHub, and `configure-aws-credentials` exchanges that JWT for temporary STS credentials by calling `sts:AssumeRoleWithWebIdentity` on the role, which later steps then use. On the AWS side, the owner of the account has to create a role called `GuruGitHubCICDRole` with a trust relationship such as :-

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

As is clear from this trust relationship, nothing ties the role to the target GitHub repository: the only condition is on the `aud` claim, and every GitHub Actions token requested with audience `sts.amazonaws.com` carries that value regardless of which repository or account issued it. Anyone who can create a workflow in their own repository should therefore be able to assume this role.

My hypothesis: since anyone can create this role, I should be able to assume any such role using my personal GitHub Actions on my account. All I need is the role ARN and the region, which would be publicly exposed in action files as shown above.

Result: after trying for the first time it threw an AccessDeniedException, which indicated something I had missed. It turns out AWS has a recommendation where they recommend customers add one more field called `token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*`, which technically dictates which GitHub account and which repository are allowed to use this role.

A similar result was obtained for GCP as well. But it turns out that, unlike GCP, AWS has not made this `sub` field compulsory, which means there will be some GitHub repositories that can be exploited in a similar manner.
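As an added example (not code from the original page), the following Python audits a role trust policy for exactly this gap: it picks out every statement that federates with `token.actions.githubusercontent.com` and tests whether a constructed `sub` claim from a repository you do not own (the `attacker-org/attacker-repo` and `example-org/example-repo` names are hypothetical) would satisfy the statement's conditions. `WEAK_POLICY` is the trust relationship shown above; `HARDENED_POLICY` adds the `sub` condition from the AWS recommendation. One caveat a practitioner should know: the trailing `*` in that value only works under `StringLike`; under `StringEquals` it is compared literally and no token would ever match.

```python
import fnmatch

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

# Constructed subject that an attacker's own workflow would present. GitHub sets
# sub to "repo:<owner>/<repo>:<ref or environment>"; these names are hypothetical.
FOREIGN_SUBJECT = "repo:attacker-org/attacker-repo:ref:refs/heads/main"


def _github_policy(condition):
    """Build a trust policy shaped like the page's, with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::xxxxxxxxxx:oidc-provider/" + GITHUB_OIDC_HOST},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


AUD = {GITHUB_OIDC_HOST + ":aud": "sts.amazonaws.com"}
SUB = GITHUB_OIDC_HOST + ":sub"
# The page's policy: only aud is checked, so any repository's token is accepted.
WEAK_POLICY = _github_policy({"StringEquals": AUD})
# AWS's recommended shape; the wildcard needs StringLike (org/repo are hypothetical).
HARDENED_POLICY = _github_policy({"StringEquals": AUD,
                                  "StringLike": {SUB: "repo:example-org/example-repo:*"}})
# A sub condition that is present but too broad to help.
OVERLY_BROAD_POLICY = _github_policy({"StringEquals": AUD, "StringLike": {SUB: "repo:*"}})


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_github_oidc_statement(stmt):
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
        return False
    return any(GITHUB_OIDC_HOST in p for p in _as_list(principal.get("Federated")))


def _conditions_on(stmt, claim):
    """(operator, values) pairs whose key is the given GitHub OIDC claim (keys are case-insensitive)."""
    key = f"{GITHUB_OIDC_HOST}:{claim}".lower()
    return [(op, _as_list(vals))
            for op, keys in stmt.get("Condition", {}).items()
            for k, vals in keys.items() if k.lower() == key]


def _matches(operator, pattern, subject):
    """Evaluate one condition value the way IAM does for the two operators that matter here."""
    base = operator.split(":")[-1]          # drop ForAnyValue:/ForAllValues: prefixes
    if base == "StringEquals":
        return pattern == subject
    if base == "StringLike":                # IAM wildcards are * and ?; subjects contain no [ ]
        return fnmatch.fnmatchcase(subject, pattern)
    return False                            # negated/other operators are not modelled


def audit_trust_policy(policy):
    """Return findings for each GitHub OIDC statement; [] means aud is pinned and
    the foreign subject is rejected by every sub condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _is_github_oidc_statement(stmt):
            continue
        aud = [v for _, vals in _conditions_on(stmt, "aud") for v in vals]
        if "sts.amazonaws.com" not in aud:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = _conditions_on(stmt, "sub")
        if not subs:
            findings.append(f"statement {i}: no sub condition; any GitHub repository can assume this role")
            continue
        for op, patterns in subs:
            for pattern in patterns:
                if _matches(op, pattern, FOREIGN_SUBJECT):
                    findings.append(f"statement {i}: sub {pattern!r} ({op}) also matches a repository you do not own")
    return findings


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                         ("broad", OVERLY_BROAD_POLICY)]:
        print(name, audit_trust_policy(policy) or "ok")
```

To run it against a live account, feed `audit_trust_policy` the JSON printed by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` for each role that trusts the GitHub OIDC provider; an empty result for a role means a workflow in a foreign repository would get the same AccessDenied the author saw.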
