AWS OIDC policy for multiple repositories?


I am trying to allow access to an AWS service for GitHub Actions in multiple repositories via OIDC. Here is the current policy that works with one repository:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<id>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:username/myrepo:*"
                }
            }
        }
    ]
}

My question is, how can we allow this policy for multiple repositories? Duplicating "token.actions.githubusercontent.com:sub": "repo:username/myrepo:*" does not seem to work; the console editor shows an error.

Caldazar On BEST ANSWER

To be able to use multiple possible values for the same key, you need to use arrays:

"StringLike": {
    "token.actions.githubusercontent.com:sub": [
        "repo:username/myrepo1:*",
        "repo:username/myrepo2:*"
    ]
}

With multiple values for the same context key, AWS evaluates them with OR, so this would allow access from myrepo1 and myrepo2.
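As an added illustration (not part of the question or answer above), the following Python evaluates a GitHub OIDC token's claims against the trust policy's Condition block the way the answer describes: values in an array are OR-ed, keys are AND-ed, and StringLike treats `*` and `?` as wildcards. The policy, account id and subject claims below are constructed; it goes one step beyond the answer by pinning the second repository to a single branch, which shows how much a trailing `*` admits (any branch, tag or pull request of that repo).

```python
import re

# Constructed trust policy in the array form from the answer. The account id
# is a placeholder; the second entry is narrowed to one branch on purpose.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/"
                                   "token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": [
                "repo:username/myrepo1:*",                    # any ref of myrepo1
                "repo:username/myrepo2:ref:refs/heads/main",  # only main of myrepo2
            ]},
        },
    }],
}

def string_like(pattern, value):
    # IAM StringLike: case-sensitive; '*' matches any run, '?' exactly one char.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": string_like}

def condition_allows(condition, claims):
    """Every condition key must match (AND); a list of values is OR-ed."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]          # a single value is a one-element list
            value = claims.get(key)
            if value is None or not any(match(p, value) for p in patterns):
                return False
    return True

def assume_role_allowed(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    return any(s["Effect"] == "Allow"
               and s["Action"] == "sts:AssumeRoleWithWebIdentity"
               and condition_allows(s.get("Condition", {}), claims)
               for s in policy["Statement"])

def github_claims(sub, aud="sts.amazonaws.com"):
    # Constructed claim set, keyed the way IAM exposes them in condition keys.
    return {"token.actions.githubusercontent.com:aud": aud,
            "token.actions.githubusercontent.com:sub": sub}
```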