
OIDC fails for pull request from fork #373

Closed
martinschaef opened this issue Feb 2, 2022 · 5 comments

Comments

@martinschaef

I have a pull request from a fork:
aws-samples/amazon-codeguru-samples#10
Both the fork and the original repo are allow-listed in my role:

    - name: Assume IAM Role
      continue-on-error: true
      uses: aws-actions/configure-aws-credentials@v1
      id: iam-role
      with:
        role-to-assume: arn:aws:iam::048169001733:role/GuruGitHubCICDRole
        aws-region: us-west-2

When I trigger only on `pull_request`, the action fails to get credentials:
https://github.com/aws-samples/amazon-codeguru-samples/runs/5030685457?check_suite_focus=true

However, when I trigger on push it works:
https://github.com/martinschaef/amazon-codeguru-samples/runs/5030736213?check_suite_focus=true

Any idea how to fix that? This makes it hard to use pull-request triggers with CodeGuru.

@martinschaef
Author

I did a diff on the Env of the container between a successful run where I do the diff within the same repo (here) and a failed run where I did the pull request between forks (here), and what stands out is that the successful one has this environment variable set:

ACTIONS_ID_TOKEN_REQUEST_URL=https://pipelines.actions.githubusercontent.com/8gSNdP7bngsu7R8ZtlyKycT9Z5JyrhA4xZ3yEWzgklfyiLdEHy/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/f109fc7a-1b6c-4897-8b4b-56a92ebe0544/jobs/c6e63bc3-5e65-523d-429d-d69eea406c8a/idtoken?api-version=2.0

but the failed attempt does not set it.

@martinschaef
Author

Oh ... so it looks like you need the `id-token: write` permission to set this variable, and the maximum level for that permission across forks is read according to the GitHub documentation:
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
So you basically can't use this way of authenticating for pull requests.
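
An added example (not from the original issue and not code from the aws-actions project) of a workflow that makes this limitation explicit instead of failing inside the credentials step: it declares `permissions: id-token: write` at the top level, detects pull requests whose head repository differs from the repository the workflow runs in, and skips the assume-role step on those runs with a visible notice. The workflow name, the role ARN and the notice text are placeholders; the `github.event.pull_request.head.repo.full_name`, `github.repository` and `steps.<id>.outcome` context fields are standard GitHub Actions contexts.

```yaml
# Added example, not the issue author's workflow and not part of
# aws-actions/configure-aws-credentials.
# Pull requests from forks get a GITHUB_TOKEN capped at id-token: read,
# so ACTIONS_ID_TOKEN_REQUEST_URL is never set and the OIDC exchange
# cannot succeed; this workflow skips the AWS steps on such runs.
name: codeguru-review   # placeholder name

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  id-token: write   # needed for OIDC; silently capped to "read" on fork PRs

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Fork detection: on pull_request events compare the head repository
      # with the repository the workflow belongs to. Push events carry no
      # pull_request payload, so the first clause lets them through.
      - name: Assume IAM Role
        id: iam-role
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-ROLE   # placeholder, not a real role
          aws-region: us-west-2

      # Surface the reason in the run log rather than leaving a cryptic
      # "unable to get credentials" failure for the PR author to decode.
      - name: Explain missing credentials
        if: steps.iam-role.outcome == 'skipped'
        run: |
          echo "::notice::Pull request comes from a fork. GitHub caps id-token at read for fork PRs, so no OIDC token is available; AWS steps were skipped."

      # AWS-dependent work runs only when credentials were actually obtained.
      - name: Run CodeGuru review
        if: steps.iam-role.outcome == 'success'
        run: echo "credentials available, run the AWS-dependent steps here"
```

The step is skipped rather than marked `continue-on-error`, so downstream steps can key off `steps.iam-role.outcome` instead of inheriting empty credentials. Switching the trigger to `pull_request_target` would restore a write-capable token, but that event runs with the base repository's permissions against untrusted PR content and is exactly the scenario the "Preventing pwn requests" article cited later in this thread warns about, so it is not a drop-in fix.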

@martinschaef
Author

Would it be possible to fail with a different error message?

@martinschaef
Author

Thanks! This is super useful!

surajkota added a commit to awslabs/kubeflow-manifests that referenced this issue Sep 14, 2022
…anch (#362)

**Description of your changes:**
- Adds a GitHub Action to test the cognito terraform module as well. We
hope to use a test driver approach for all terraform code moving forward
because we have multiplied our test matrix*3.
- The IAM role is configured to be assumable only from within the GitHub
Action from this repository.
- Filter branches for website build. Every time someone creates a branch
in this repo it pushes the website to the gh-pages branch; see the istio
and knative folders for example.

PR tests cannot be configured to run on pull requests from forks because
of 2 security-related limitations:
1. OIDC cannot be accessed in forks:
aws-actions/configure-aws-credentials#373
2. Secrets are also not passed to actions triggered from forks. We are
not really storing secrets but using them just for abstraction
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
> Note: Workflow runs triggered by Dependabot pull requests run as if
they are from a forked repository, and therefore use a read-only
GITHUB_TOKEN. These workflow runs cannot access any secrets. See
["Keeping your GitHub Actions and workflows secure: Preventing pwn
requests"](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
for strategies to keep these workflows secure.
 
Will merge #357 after this

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.