Limit access to sts:AssumeRoleWithWebIdentity with conditions at AWS

I am working on the implementation of CI/CD pipelines and increasing their security, and one of the features that were finally made is OpenID Connect tokens (ref. documentation).

So my goal is to use STS temporary credentials, and I want to restrict access to assume roles to a specific project and not only to the whole organization.

Here is an example of .circleci/config.yml:

version: 2.1
orbs:
  aws-cli: circleci/aws-cli@2.1.0

jobs:
  check_web_identity:
    machine:
      docker_layer_caching: false
      image: ubuntu-2004:202111-02
    steps:
      - checkout
      - aws-cli/install:
          disable-aws-pager: true
          override-installed: true
      - run:
          name: Build lambdas
          command: |
            STS=($(aws sts assume-role-with-web-identity \
            --role-arn ${ROLE_ARN} \
            --role-session-name "CircleCI-${CIRCLE_PROJECT_REPONAME}" \
            --web-identity-token $CIRCLE_OIDC_TOKEN \
            --duration-seconds 3600 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text))
            echo "export AWS_ACCESS_KEY_ID=${STS[0]}" >> $BASH_ENV
            echo "export AWS_SECRET_ACCESS_KEY=${STS[1]}" >> $BASH_ENV
            echo "export AWS_SESSION_TOKEN=${STS[2]}" >> $BASH_ENV
            source $BASH_ENV
            aws sts get-caller-identity

workflows:
  build:
    jobs:
      - check_web_identity:
          context: Check Web Identity

In the context Check Web Identity the RoleARN from AWS is stored.

In the AWS account I have created an IdP connection and also a specific Role which has the following Trust Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<aws_account>:oidc-provider/oidc.circleci.com/org/<here_is_my_aud>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "oidc.circleci.com/org/<here_is_my_aud>:aud": "<here_is_my_aud>",
                    "oidc.circleci.com/org/<here_is_my_aud>:oidc.circleci.com/project-id": "<here_is_project_id>"
                }
            }
        }
    ]
}

Everything is working fine and I can receive credentials, but the condition for the additional claim oidc.circleci.com/project-id is ignored. Maybe someone has solved this issue? Or should this part be discussed with AWS support?

Ok, I have found a solution myself :slight_smile: As usual, after checking the documentation better.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<aws_account>:oidc-provider/oidc.circleci.com/org/<here_is_my_aud>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "ForAllValues:StringLike": {
                    "oidc.circleci.com/org/<here_is_my_aud>:sub": "org/<here_is_my_aud>/project/<here_is_project_id>/user/*",
                    "oidc.circleci.com/org/<here_is_my_aud>:aud": "<here_is_my_aud>"
                }
            }
        }
    ]
}

This role assumption policy works as expected.
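As an added illustration (not part of the original posts), the following Python script models how IAM evaluates the two trust-policy conditions above against the claims of a CircleCI OIDC token. All claim values are constructed placeholders. It assumes, following the IAM documentation for web identity federation, that STS exposes only the standard sub, aud and amr claims as <provider>:<claim> condition keys, and it applies the documented ForAllValues rule that a key absent from the request context counts as satisfied. Those two points together explain why the first policy's project-id condition is "ignored" (it never fails, even for a token from a different project) and why matching the project id inside the sub claim is what actually restricts the role.

```python
import re

# Constructed sample of the claims CircleCI places in its OIDC token (placeholder values,
# not real identifiers). The sub layout org/<org>/project/<project>/user/<user> is what the
# working policy in the thread matches with a wildcard.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.circleci.com/org/ORG-ID-PLACEHOLDER",
    "aud": "ORG-ID-PLACEHOLDER",
    "sub": "org/ORG-ID-PLACEHOLDER/project/PROJECT-ID-PLACEHOLDER/user/USER-ID-PLACEHOLDER",
    "oidc.circleci.com/project-id": "PROJECT-ID-PLACEHOLDER",
}
PROVIDER = "oidc.circleci.com/org/ORG-ID-PLACEHOLDER"

# Assumption (from the IAM docs' list of web-identity condition keys): only these claims
# become <provider>:<claim> keys in the request context. Custom claims are not exposed.
EXPOSED_CLAIMS = ("sub", "aud", "amr")


def request_context(claims, provider):
    """Build the IAM request context that AssumeRoleWithWebIdentity would see."""
    return {f"{provider}:{name}": claims[name] for name in EXPOSED_CLAIMS if name in claims}


def string_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' matches one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _match(operator, value, pattern):
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":
        return string_like(value, pattern)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_condition(condition, ctx):
    """Return True when every condition block passes against the request context."""
    for full_op, pairs in condition.items():
        qualifier, _, operator = full_op.rpartition(":")
        for key, pattern in pairs.items():
            present = key in ctx
            if qualifier == "ForAllValues":
                # Documented behaviour: an absent key has no values to mismatch, so it passes.
                if present and not _match(operator, ctx[key], pattern):
                    return False
            else:
                # ForAnyValue and plain operators both fail when the key is absent.
                if not present or not _match(operator, ctx[key], pattern):
                    return False
    return True


# The two conditions from the thread, with placeholders in place of the real org/project ids.
FIRST_POLICY_CONDITION = {
    "ForAllValues:StringEquals": {
        f"{PROVIDER}:aud": "ORG-ID-PLACEHOLDER",
        f"{PROVIDER}:oidc.circleci.com/project-id": "PROJECT-ID-PLACEHOLDER",
    }
}
WORKING_POLICY_CONDITION = {
    "ForAllValues:StringLike": {
        f"{PROVIDER}:sub": "org/ORG-ID-PLACEHOLDER/project/PROJECT-ID-PLACEHOLDER/user/*",
        f"{PROVIDER}:aud": "ORG-ID-PLACEHOLDER",
    }
}


def demo():
    """Evaluate both conditions for the intended project and for another project in the same org."""
    other_project = dict(
        SAMPLE_CLAIMS,
        sub="org/ORG-ID-PLACEHOLDER/project/OTHER-PROJECT-PLACEHOLDER/user/USER-ID-PLACEHOLDER",
        **{"oidc.circleci.com/project-id": "OTHER-PROJECT-PLACEHOLDER"},
    )
    same_ctx = request_context(SAMPLE_CLAIMS, PROVIDER)
    other_ctx = request_context(other_project, PROVIDER)
    return {
        "first_policy_same_project": evaluate_condition(FIRST_POLICY_CONDITION, same_ctx),
        "first_policy_other_project": evaluate_condition(FIRST_POLICY_CONDITION, other_ctx),
        "working_policy_same_project": evaluate_condition(WORKING_POLICY_CONDITION, same_ctx),
        "working_policy_other_project": evaluate_condition(WORKING_POLICY_CONDITION, other_ctx),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the first policy allowing both projects, because the custom project-id key never reaches the request context and ForAllValues treats the missing key as satisfied; the working policy allows only the token whose sub names the intended project.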
