glassechidna / actions2aws
Assume AWS IAM roles from GitHub Actions workflows with no stored secrets
Hi.
Thank you for sharing your solution 😀.
I just came across your implementation and had a look at your diagram. I'm asking myself how the lambda makes sure the requested credentials are delivered to an action belonging to your repos/org. What's preventing a malicious GitHub action with any valid GitHub repo and any valid user session token from generating a key pair, calling the API and getting your AWS creds?
Any thoughts on this ?
Kind regards
Rocco
Anyone with knowledge of the endpoint URL for the lambda and the AWS account ID has the capability to assume the role. This is because there is no way to verify that the token that comes in is actually from GitHub.
Anyone can create a Personal Access Token (as well as anyone inside a private org with READ access to any repo, for private org repos) which can trick the lambda into granting credentials.
Until GitHub provides the capability to verify the token issuer (via OAuth 2.0 JWKs, for example), I recommend: do not use this repository to grant access to AWS.
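The check this comment says is missing, verifying that a token really was issued by GitHub against the issuer's published signing keys, looks roughly like the following. This is an added example, not code from actions2aws or from the commenter: a broker that accepts an RS256 JWT only if its signature verifies under a key from the issuer's key set and the issuer, audience, expiry and repository claims match a policy fixed at deployment time. The issuer URL and claim names are those of GitHub Actions OIDC tokens; the audience value `actions2aws`, the key id `issuer-key-1` and the repository names are constructed, and the key set is an in-memory map standing in for a JWKS fetched from the issuer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Issuer URL of GitHub Actions OIDC tokens; the only issuer this broker trusts.
const expectedIssuer = "https://token.actions.githubusercontent.com"
// Claims uses the claim names GitHub puts in its Actions OIDC tokens.
type Claims struct {
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	Exp        int64  `json:"exp"`
	Repository string `json:"repository"`
}
// Policy is fixed when the broker is deployed and never taken from the request.
type Policy struct {
	Audience     string          // audience the workflow must request the token for
	AllowedRepos map[string]bool // repositories permitted to assume the role
}

// NewKey makes an RSA key pair so the demo runs offline (issuer or attacker side).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// KeySet stands in for the issuer's published JWKS (kid -> public key); a real broker fetches it from the issuer's jwks_uri and caches it, never taking it from the caller.
func KeySet(kid string, k *rsa.PrivateKey) map[string]*rsa.PublicKey { return map[string]*rsa.PublicKey{kid: &k.PublicKey} }

// decodeJSON base64url-decodes one token segment and unmarshals it into v.
func decodeJSON(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}

// Verify checks the RS256 signature against the key set first, then the issuer,
// audience, expiry (nowUnix is the current Unix time) and repository allowlist.
func Verify(token string, keys map[string]*rsa.PublicKey, p Policy, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeJSON(parts[0], &h); err != nil { return nil, err }
	if h.Alg != "RS256" { // never accept "none" or an HMAC alg for an asymmetric issuer
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify against issuer key")
	}
	var c Claims // the payload is only trusted once the signature is good
	if err := decodeJSON(parts[1], &c); err != nil { return nil, err }
	switch {
	case c.Iss != expectedIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != p.Audience:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case nowUnix >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !p.AllowedRepos[c.Repository]:
		return nil, fmt.Errorf("repository %q not allowed", c.Repository)
	}
	return &c, nil
}

// Sign mints an RS256 token. It plays the identity provider so the example runs
// offline; a real broker never signs, it only verifies.
func Sign(c Claims, kid string, priv *rsa.PrivateKey) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(c)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	issuer, attacker := NewKey(), NewKey()
	keys, now := KeySet("issuer-key-1", issuer), time.Now().Unix() // constructed kid
	policy := Policy{Audience: "actions2aws", AllowedRepos: map[string]bool{"example-org/example-repo": true}}
	claims := Claims{Iss: expectedIssuer, Aud: "actions2aws", Exp: now + 300, Repository: "example-org/example-repo"}
	_, err := Verify(Sign(claims, "issuer-key-1", issuer), keys, policy, now)
	fmt.Println("issuer-signed token accepted:", err == nil)
	_, err = Verify(Sign(claims, "issuer-key-1", attacker), keys, policy, now)
	fmt.Println("token signed with another key:", err)
}
```

The point relative to the comment above: nothing the caller sends (a Personal Access Token, a repo name, a key they generated themselves) can satisfy the signature check, because the only keys consulted are the issuer's, and the repository allowlist lives in the broker's deployed policy rather than in the request. `Sign` exists only so the example runs offline; the broker side is `Verify`.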
I think this is a very neat idea, great job on coming up with it!
A couple of attacks come to mind, this is one of them.
Could a malicious PR obtain credentials? An attacker:
Or is that what this check is protecting against? The comment mentions forks; I'm not familiar enough with the GitHub API to know if this is protecting against PRs running in the genuine repo but sourced from a fork.
If this is already protected against (and the lambda won't return creds for PRs sourced from forks), then I think it would be worth mentioning in the README.
I think there is a potential attack on the integrity of the public key.
An attacker can call the API at any point, and specify any run/job/step combo for which to search the output for a public key. If they can get their own public key included in the output of any step of any job, they can then obtain creds for the victim's account by calling the API specifying where it should look.
Whilst this won't be exploitable against all workflows, according to Project Zero's research:
almost any project with somewhat complex Github actions is vulnerable to this bug class
It's not obvious to users that if you're using actions2aws then allowing attacker-controlled text to appear in the output of any job grants that attacker access to your AWS account.
One mitigation would be to make the job/step config part of the lambda deployment, so it's not under attacker control.