Demonstrate how GitHub OIDC token getting should be included in boto3

Overview

boto3 should add direct support for AssumeRoleWithWebIdentity for GitHub Actions

There is a aws-actions/configure-aws-credentials action that will get AWS credentials for you based on STS.AssumeRoleWithWebIdentity, and put the credentials in environment variables. I see two problems with this:

  • You need to put a whole step in your job definition. Why can't it just be environment variables? Or a config file in the repo, just like the ~/.aws/config file you use elsewhere?
  • You can't use more than one role at a time. At best, you would need to serialize your use of multiple roles, separated by steps to assume those different roles.

This repo demonstrates how we can solve both problems in botocore. botocore would add a new CredentialProvider. See the demo action and the demo code, the changes for botocore, and the logs for a run.

This implementation would give you two options:

Environment variables

This is the simplest method. You would set AWS_ROLE_ARN=arn:aws:iam::123456789012:role/MyRole (using your role ARN, of course) and AWS_WEB_IDENTITY_TOKEN_SERVER=GitHub in the environment, and it would get picked up. You can optionally set AWS_ROLE_SESSION_NAME as well.

Note you can do this today for web identity, except that it only works with token files and the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. Indeed, Aidan Steele used this method a blog post to make GitHub actions work, before the AWS-created action was available.

Config file

An alternative, which would also support multiple roles, is a config file. The format for profiles would look like this:

[default]
role_arn = arn:aws:iam::123456789012:role/MyRole
web_identity_token_server = GitHub
region = us-east-2

(Note: role_session_name is optional in these profiles, but I set it in the config file to help differentiate which profile is being used).

Unfortunately, this requires one additional piece of configuration. The root of the checked-out repository is /home/runner/work/github-actions-boto3-demo/github-actions-boto3-demo while ~/.aws/config resolves to /home/runner/.aws/config. This means you need to set AWS_CONFIG_FILE=.github/workflows/aws_config (or whatever the path for the config file in the repo is) in the environment.

See the config file for examples.

Audience

The default audience for the OIDC token is the repo URL, which is a little weird. The audience is who should be receiving the token, which for us is the role(s) we're assuming. On the AWS side, the OIDC provider can have a list of audiences it will accept.

It should be something like the application on the destination side of the role assumption, ideally like the CloudFormation stack name that the role is in. But absent that I'd say it should be the STS service principal, sts.amazonaws.com.

But as far as I can tell, any value provided to the GitHub OIDC token vendor other than sigstore (no idea what that's for) returns an error, including the default audience value of the repo URL.

But I've provided the ability to set the audience manually, by adding a comma-separated value at the end of the token server config value (either web_identity_token_server in the config file or AWS_WEB_IDENTITY_TOKEN_SERVER in the enviornment). See the config file for examples of this (using sigstore).

Manual config

AWS might object to baking in knowledge of a 3rd party provider, so I also allowed for this to be generic. Instead of a convenient "GitHub" value for web_identity_token_server, you provide a comma-separated list of the environment variables for the URL and for the token. The code then parses the configuration from this, rather than storing direct knowledge of GitHub in the code. It's then generic, rather than GitHub-specific, but requires basically a magic incantation that people would have to copy and paste. You could even take that further and make it a base64-encoded JSON object if it needed to be more complicated, a proper opaque config value.

See the config file for examples of the manual configuration.

You might also like...
Seems Like Everyone Is Posting This, Thought I Should Too, Tokens Get Locked Upon Creation And Im Not Going To Fix For Several Reasons

Member-Booster Seems Like Everyone Is Posting This, Thought I Should Too, Tokens Get Locked Upon Creation And Im Not Going To Fix For Several Reasons

Clubhouse API written in Python. Standalone client included. For reference and education purposes only.
Clubhouse API written in Python. Standalone client included. For reference and education purposes only.

clubhouse-py is originally developed for the sake of interoperability. Standalone client is also created with very basic features, including but not limited to the audio-chat

A github actions + python code to extract URLs to code repositories to put into standard form, starting with github

A github actions + python code to extract URLs to code repositories to put into standard form, starting with github ---- NOTE: JUS

GitHub Activity Generator - A script that helps you instantly generate a beautiful GitHub Contributions Graph for the last year.
GitHub Activity Generator - A script that helps you instantly generate a beautiful GitHub Contributions Graph for the last year.

GitHub Activity Generator A script that helps you instantly generate a beautiful GitHub Contributions Graph for the last year. Before ๐Ÿ˜ ๐Ÿ˜ถ ๐Ÿ˜’ After ?

๐Ÿค– Automated follow/unfollow bot for GitHub. Uses GitHub API. Written in python.

GitHub Follow Bot Table of Contents Disclaimer How to Use Install requirements Authenticate Get a GitHub Personal Access Token Add your GitHub usernam

Github-Checker - Simple Tool To Check If Github User Available Or Not
Github-Checker - Simple Tool To Check If Github User Available Or Not

Github Checker Simple Tool To Check If Github User Available Or Not Socials: Lan

You can share your Chegg account for answers using this bot with your friends without getting your account blocked/flagged

Chegg-Answer-Bot You can share your Chegg account for answers using this bot with your friends without getting your account blocked/flagged Reuirement

Assassination API for getting random quotes from Assassination Classroom.
Assassination API for getting random quotes from Assassination Classroom.

Assassination API Take advantage of what you have, while you have it. Quotes from Assassination Classroom Assassination classroom is one of best anime

A course on getting started with the Twitter API v2 for academic research
A course on getting started with the Twitter API v2 for academic research

Getting started with the Twitter API v2 for academic research Welcome to this '101 course' on getting started with academic research using the Twitter

Owner
Ben Kehoe
Cloud Robotics Research Scientist at iRobot | AWS Serverless Hero
Ben Kehoe
Discord-Token-Formatter - A simple script to convert discord tokens from email token to token only format

Discord-Token-Formatter A simple script to convert discord tokens from email:pas

null 2 Oct 23, 2022
Async boto3 with Autogenerated Data Classes

awspydk Async boto3 with Autogenerated JIT Data Classes Motivation This library is forked from an internal project that works with a lot of backend AW

null 1 Dec 5, 2021
Cedric Owens 16 Sep 27, 2022
A zero-dependency Python library for getting the Kubernetes token of a AWS EKS cluster

tokeks A zero-dependency Python library for getting the Kubernetes token of a AWS EKS cluster. No AWS CLI, third-party client or library (boto3, botoc

Chris Karageorgiou Kaneen 6 Nov 4, 2022
Buy early bsc gems with custom gas fee, slippage, amount. Auto approve token after buy. Sell buyed token with custom gas fee, slippage, amount. And more.

Pancakeswap Sniper bot Full version of Pancakeswap sniping bot used to snipe during fair coin launches. With advanced options and a graphical user int

Jesus Crypto 204 Apr 27, 2022
Discord Token Finder - Find half of your target's token with just their ID.

Discord Token Finder - Find half of your target's token with just their ID.

Ttawi 2 Apr 7, 2022
DeKrypt 24 Sep 21, 2022
HackZ-Token-Grabber-V2 - HackZ Token Grabber V2

HackZ-Token-Grabber-V2 was made by Love โŒ code โœ… โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž โ€Ž ??

! โ„ขNightMare 2 Mar 1, 2022
A discord token nuker With loads of options that will screw an account up real bad, also has inbuilt massreport, GroupChat Spammer and Token/Password/Creditcard grabber and so much more!

Installation | Important | Changelogs | Discord NOTE: Hazard is not finished! You can expect bugs, crashes, and non-working functions. Please make an

Rdimo 470 Aug 9, 2022
An Open-Source Discord bot created to provide basic functionality which should be in every discord guild. We use this same bot with additional configurations for our guilds.

A Discord bot completely written to be taken from the source and built according to your own custom needs. This bot supports some core features and is

Tesseract Coding 14 Jan 11, 2022