允许IAM联邦OIDC提供程序为GitHub操作提供多个条件

Question

与这个政策问题类似，是否可以在相同的OIDC提供程序策略声明条件下定义多个ForAnyValue:StringLike值？

具体来说，我试图允许来自GitHub动作OIDC的多个主题，允许来自特定存储库或分支的操作对AWS资源运行操作。

sub (subject)字段用于填充索赔。

在每个配置AWS凭据操作的条件中使用单个值(即单个回购)，按预期工作：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:pull_request"
        }
      }
    }
  ]
}

而使用多个值的ForAnyValue:StringLike则会产生错误Not authorized to perform sts:AssumeRoleWithWebIdentity。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
            "repo:myorg/myrepo:ref:refs/heads/test-branch-2"
          ]
        }
      }
    }
  ]
}

Answer 1

策略语法正确，github操作工作流不正确，我需要使用on.push.branches并指定分支名称，pull_request的行为不同。

on:
  push:
    branches: [ test-branch-2, test-branch-1 ]

jobs:
  tmp:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      # Prepare AWS credentials using OIDC provider (uses id-token and contents)
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: eu-west-2
      - run: aws s3 ls s3://my-bucket