Github Actions - Cloud

Successful research comprises multiple failed research attempts. Here are some documented failures :)

This is a failed research attempt where I tried to explore AWS and GCP authentication for GitHub Actions. Organizations are using GitHub Actions coupled with AWS, GCP and other cloud providers.

Sample GitHub Actions file:

# Sample workflow to access AWS resources when workflow is tied to branch
# The workflow Creates static website using aws s3
name: AWS example workflow
on:
  push

# permission can be added at job level or workflow level    
permissions:
      id-token: write   # This is required for requesting the JWT
      contents: read    # This is required for actions/checkout
jobs:
  S3PackageUpload:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::12345678910:role/GuruGitHubCICDRole
          aws-region: us-east-1

This YAML template is a basic template where STS tokens are fetched from the role and used in later stages. At the backend, the owner of this AWS account has to create a role called GuruGitHubCICDRole with the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

As is clear from the trust relationship, there is no link to the target GitHub repository, meaning anyone should be able to create a GitHub action that can assume this role.

My hypothesis: Since anyone can create this role, I should be able to assume any such role using my personal GitHub Actions on my account. All I need is the Role ARN and the region, which would be publicly exposed in actions files as shown above.

Result: On the first try it threw an AccessDeniedException, which indicated I had missed something. It turns out AWS recommends that customers add one more field, token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*, which technically dictates which GitHub account and which repository are allowed to use this role.

A similar result was obtained for GCP as well. But it turns out that, unlike GCP, AWS has not made this sub field compulsory, which means there will be some GitHub repositories that can be exploited in a similar manner.
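For account owners who want to find roles whose trust relationship has the aud-only shape shown above, here is a small audit check. It is an added example, not part of the original write-up: the function names, the account ID 111122223333 and the example-org/example-repo names are constructed placeholders, and the policies are embedded inline rather than fetched from AWS.

```python
OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = f"{OIDC_HOST}:sub"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Flag Allow statements that trust GitHub's OIDC provider without pinning
    the token's sub claim to a named organization."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(str(p).endswith("oidc-provider/" + OIDC_HOST) for p in federated)):
            continue
        # Gather sub patterns from StringEquals/StringLike (IAM condition keys are case-insensitive).
        subs = []
        for operator, conds in stmt.get("Condition", {}).items():
            if operator.lower().startswith(("stringequals", "stringlike")):
                subs += [v for k, vals in conds.items() if k.lower() == SUB_KEY
                         for v in _as_list(vals)]
        if not subs:
            findings.append(f"Statement[{idx}]: no condition on {SUB_KEY}")
        for pattern in subs:
            # A safe pattern names a literal org before the first slash: repo:<org>/...
            org = pattern[5:].split("/", 1)[0] if pattern.startswith("repo:") else ""
            if not org or "*" in org or "?" in org:
                findings.append(f"Statement[{idx}]: sub {pattern!r} does not pin an organization")
    return findings

def _policy(condition):  # constructed sample; account ID is a placeholder
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + OIDC_HOST},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {OIDC_HOST + ":aud": "sts.amazonaws.com"}
AUD_ONLY = _policy({"StringEquals": AUD})  # same shape as the trust relationship above
PINNED = _policy({"StringEquals": AUD, "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"}})
WILDCARD = _policy({"StringEquals": AUD, "StringLike": {SUB_KEY: "repo:*"}})

if __name__ == "__main__":
    for name, pol in [("aud-only", AUD_ONLY), ("pinned", PINNED), ("wildcard", WILDCARD)]:
        print(name, audit_trust_policy(pol) or "OK")
```

To run it against a real account, feed it each role's trust policy document as parsed JSON instead of the constructed samples.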
