As organizations embrace the cloud and adopt CI/CD pipelines for their software delivery, securing AWS credentials becomes a critical concern. Traditionally, users have configured long-term AWS access keys in their CI pipeline configurations, which poses a security risk if those keys are exposed or compromised. In this blog, we’ll explore a preferred approach that leverages short-term AWS credentials for improved security. We’ll demonstrate with Terraform code snippets how to set up an AWS IAM OpenID Connect provider, define an IAM trust policy for assuming roles, and configure GitHub Actions to use short-term credentials. Let’s dive in!
Typical Approach: Using Long-Term AWS Credentials in CI
In typical CI pipelines, developers have used long-term AWS access keys to authenticate and authorize their CI/CD jobs. These static credentials are stored as environment variables or secrets within CI pipeline configurations, and because they never expire they remain valid for as long as they sit there, which is a serious risk if they fall into the wrong hands. Compromised credentials may lead to unauthorized access, data breaches, or costly infrastructure misuse.
Recommended Approach: Short-Term AWS Credentials in CI
To enhance security, a recommended approach is to leverage short-term AWS credentials with limited access. These short-term credentials have a shorter lifespan, reducing the window of opportunity for unauthorized access. They are obtained from the AWS Security Token Service (STS) by presenting a token from an external identity provider (IdP) such as GitHub, which AWS trusts through an IAM OpenID Connect provider.
Setting Up AWS IAM OpenID Connect Provider
To get started, we’ll configure an AWS IAM OpenID Connect provider. This tells AWS to trust OIDC tokens issued by an external identity provider, in this case GitHub Actions.

```hcl
# Fetch the TLS certificate chain of GitHub's OIDC issuer so we can
# derive the thumbprint that the IAM provider expects.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# The IAM OIDC provider: AWS will accept tokens from this issuer whose
# audience (client ID) is sts.amazonaws.com.
resource "aws_iam_openid_connect_provider" "default" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
  url             = "https://token.actions.githubusercontent.com"
}
```
Defining IAM Policy for Assuming Roles
Next, we need to define the trust policy that grants permission to assume a role. This document becomes the assume-role policy of the IAM role used in the CI pipeline; its conditions restrict which GitHub tokens may assume that role (only tokens from the named repository, issued by GitHub, and intended for STS).

```hcl
data "aws_iam_policy_document" "assume_role_policy_document" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    # Only tokens whose subject identifies the named repository may assume the role.
    # "repo:ORG/REPO:*" matches every branch, tag, pull request and environment of that repo.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:YOUR-ORG/YOUR-REPO:*"]
    }

    # The token must have been issued by GitHub's OIDC issuer.
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "token.actions.githubusercontent.com:iss"
      values   = ["https://token.actions.githubusercontent.com"]
    }

    # The token must be intended for AWS STS (matches client_id_list above).
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The federated principal is the OIDC provider created earlier.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.default.arn]
    }
  }
}
```
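The trust policy above is only half of the role: the page never shows the role resource itself or the permissions the job gets once it has assumed it. The following Terraform is an added example, not code from the original post, that ties the trust policy to an IAM role, attaches a least-privilege permissions policy, and outputs the role ARN that the workflow's role-to-assume input needs. The role name, policy name and the my-deploy-artifacts bucket are assumed values for illustration.

```hcl
# The role GitHub Actions assumes. Its trust policy is the
# assume_role_policy_document defined above; the name is assumed.
resource "aws_iam_role" "github_actions" {
  name               = "github-actions-ci"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json

  # Upper bound on any session obtained via AssumeRoleWithWebIdentity.
  max_session_duration = 3600
}

# Permissions the job gets after assuming the role. Keep these to the
# exact actions and resources the pipeline needs; here one artifact
# bucket (assumed name) and nothing else.
data "aws_iam_policy_document" "ci_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::my-deploy-artifacts"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::my-deploy-artifacts/*"]
  }
}

resource "aws_iam_policy" "ci_permissions" {
  name   = "github-actions-ci-permissions"
  policy = data.aws_iam_policy_document.ci_permissions.json
}

resource "aws_iam_role_policy_attachment" "ci_permissions" {
  role       = aws_iam_role.github_actions.name
  policy_arn = aws_iam_policy.ci_permissions.arn
}

# Paste this value into the workflow's role-to-assume input.
output "github_actions_role_arn" {
  value = aws_iam_role.github_actions.arn
}
```

Two design points worth checking before applying this. First, the sub condition in the trust policy decides who can assume the role, so a role that deploys to production should normally be narrower than repo:YOUR-ORG/YOUR-REPO:* (which any pull request in the repository can satisfy); GitHub also issues subjects of the form repo:YOUR-ORG/YOUR-REPO:ref:refs/heads/main for a branch and repo:YOUR-ORG/YOUR-REPO:environment:production for a deployment environment, and matching one of those confines the role to that branch or environment. Second, the permissions policy is where the "limited access" of short-term credentials is actually enforced; a leaked session token is bounded by both its lifetime and this policy.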
Configuring GitHub Actions with Short-Term Credentials
Now, let’s configure GitHub Actions to obtain short-term AWS credentials using the aws-actions/configure-aws-credentials@v2 GitHub Action.

```yaml
on:
  push:
    branches: [main]   # trigger added here so the snippet is a complete workflow

jobs:
  github-auth:
    name: Test aws-actions/configure-aws-credentials@v2
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required so the job can request a GitHub OIDC token
      contents: write   # read is enough for checkout; keep write only if the job pushes
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: <IAM Role ARN>
          aws-region: <AWS Region>
      # Prints the assumed role session, confirming that no long-term keys were used.
      - run: aws sts get-caller-identity
```
You can find the documentation, use cases and source code for this GitHub Action here: aws-actions/configure-aws-credentials.
Conclusion
By adopting short-term AWS credentials in your CI pipeline, you enhance the security of your AWS resources. By leveraging an AWS IAM OpenID Connect provider, defining a trust policy for assuming roles, and configuring GitHub Actions to request short-term credentials, you significantly reduce the risk of credential exposure and unauthorized access.