Allow the use of custom claims like job_workflow_ref issued by GHA while assuming IAM role

[guptavasu1213]

Describe the feature

Whenever we're assuming an IAM role through this action, we are not able to use all the custom claims provided by GitHub in its OIDC token.

For example: job_workflow_ref is a part of the following GitHub OIDC token, but we cannot refer to job_workflow_ref in the trust policy of an IAM role as the OIDC request to IAM doesn't contain that custom claim:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "example-thumbprint",
  "kid": "example-key-id"
}
{
  "jti": "example-id",
  "sub": "repo:octo-org/octo-repo:environment:prod",
  "environment": "prod",
  "aud": "https://github.com/octo-org",
  "ref": "refs/heads/main",
  "sha": "example-sha",
  "repository": "octo-org/octo-repo",
  "repository_owner": "octo-org",
  "actor_id": "12",
  "repository_visibility": "private",
  "repository_id": "74",
  "repository_owner_id": "65",
  "run_id": "example-run-id",
  "run_number": "10",
  "run_attempt": "2",
  "runner_environment": "github-hosted"
  "actor": "octocat",
  "workflow": "example-workflow",
  "head_ref": "",
  "base_ref": "",
  "event_name": "workflow_dispatch",
  "ref_type": "branch",
  "job_workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
  "iss": "https://token.actions.githubusercontent.com",
  "nbf": 1632492967,
  "exp": 1632493867,
  "iat": 1632493567
}

I try to assume the role like:

    - name: configure aws credentials
      uses: aws-actions/configure-aws-credentials@v3
      with:
        role-to-assume: arn:aws:iam::123456789:role/role-to-assume-through-oidc
        aws-region: us-east-1

And I want to assume the role when the trust policy looks like (or something along these lines):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789:oidc-provider/enterprise.domain.com/_services/token"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "enterprise.domain.com/_services/token:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "enterprise.domain.com/_services/token:sub": "repo:*/*:job_workflow_ref:path_to_reusable_workflow@tag"
                }
            }
        }
    ]
}

Use Case

There are wild workarounds like this that are built to resolve this issue, but would be ideal to have a simple solution built for it. It would be awesome to query by different custom claims in the trust policy of the roles to make the role assumption more fine-grained.

One typical use case:

• There's one repo (call it Repo A) that has a reusable workflow to deploy resources
• There are 2 other repos (call it Repo B and C) that import the reusable workflow by Repo A in their own workflows.
• Repo A's reusable workflow assumes certain roles that are highly privileged, so we don't want Repo A's workflow to be used by anyone malicious. Therefore, we have an allowed list of repos that can use it.
• Let's say C is a malicious repo, so we don't want it to use the dev branch of the reusable workflow and temporarily add it's repo C to the allowed list.
• We always want the repos B and C to use the main branch version of the reusable workflow. The way we can enforce this is by checking the job_workflow_ref keyword while assuming the privileged role.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[peterwoodworth]

The docs here indicate what you can do with claim keys. Please see this issue for more information

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.