Commit
Fix 'Incorrect token audience' error for GH OIDC
This is an update to the construct that creates IAM resources for GitHub
Actions, first introduced with #823
in early October 2021.

Apparently the `ClientIdList` field should no longer be `sigstore`, as
of 19th October 2021:

aws-actions/configure-aws-credentials#291
aws-actions/configure-aws-credentials#280 (comment)
aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this
line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field,
running the `aws-actions/configure-aws-credentials` GitHub Action will give you
an "Error: Incorrect token audience" error:

https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
rtyley committed Jun 23, 2022
1 parent 09e5db0 commit 10db93b
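The commit message explains the failure mode: the IAM OIDC provider's `ClientIdList` must contain the `aud` claim of the ID token that GitHub issues to the workflow, otherwise STS rejects the token with "Incorrect token audience". The following is an added example, not code from the guardian/cdk repository or this commit: a preflight diagnostic that decodes a token's claims and applies the same issuer and audience comparison, so the mismatch between the old `sigstore` value and the `sts.amazonaws.com` audience the official action requests is visible before a deploy. The function names, the sample token, and the claim values in it are constructed for this example; the check does not verify the signature (STS does that against the provider's pinned thumbprint), so it is a diagnostic, not a trust decision.

```typescript
// Added example (not part of the guardian/cdk commit): explain the
// "Incorrect token audience" error by comparing a GitHub Actions ID token's
// claims with an AWS::IAM::OIDCProvider's ClientIdList.
// No signature verification is done here; AWS STS performs that step.

// Issuer URL for GitHub Actions ID tokens (matches the provider's Url field).
const GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com";

interface IdTokenClaims {
  iss?: string;
  aud?: string | string[];
  sub?: string;
  [claim: string]: unknown;
}

interface AudienceCheck {
  ok: boolean;
  reason: string;
}

// base64url -> utf8 string (JWT segments are unpadded base64url).
function fromBase64Url(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// object -> base64url JSON, used only to build the constructed sample token.
function toBase64Url(obj: object): string {
  return Buffer.from(JSON.stringify(obj), "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Decode the payload segment of a compact JWS without verifying it.
function decodeClaims(token: string): IdTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS (expected header.payload.signature)");
  }
  return JSON.parse(fromBase64Url(parts[1])) as IdTokenClaims;
}

// The two identity checks the provider configuration expresses:
// issuer must equal the provider Url, and at least one `aud` value must be
// listed in ClientIdList. `aud` may be a string or an array per the JWT spec.
function checkAudience(token: string, clientIdList: string[]): AudienceCheck {
  const claims = decodeClaims(token);
  if (claims.iss !== GITHUB_ACTIONS_ISSUER) {
    return { ok: false, reason: `unexpected issuer ${String(claims.iss)}` };
  }
  let audiences: string[] = [];
  if (Array.isArray(claims.aud)) {
    audiences = claims.aud;
  } else if (typeof claims.aud === "string") {
    audiences = [claims.aud];
  }
  const matched = audiences.some((aud) => clientIdList.includes(aud));
  if (!matched) {
    return {
      ok: false,
      reason:
        `Incorrect token audience: token aud=${JSON.stringify(audiences)} ` +
        `is not in ClientIdList=${JSON.stringify(clientIdList)}`,
    };
  }
  return { ok: true, reason: "audience accepted" };
}

// Constructed sample token shaped like what the official action requests
// (aud sts.amazonaws.com). Header and signature segments are placeholders.
const SAMPLE_TOKEN = [
  toBase64Url({ alg: "RS256", typ: "JWT", kid: "example-kid" }),
  toBase64Url({
    iss: GITHUB_ACTIONS_ISSUER,
    aud: "sts.amazonaws.com",
    sub: "repo:example-org/example-repo:ref:refs/heads/main",
    exp: 1656000000,
  }),
  "placeholder-signature",
].join(".");

// Old provider value from before this commit: rejected.
console.log(checkAudience(SAMPLE_TOKEN, ["sigstore"]));
// Value introduced by this commit: accepted.
console.log(checkAudience(SAMPLE_TOKEN, ["sts.amazonaws.com"]));
```

Run it with any Node-based TypeScript runner; the first call reports the audience mismatch, the second accepts. In practice the list passed as `clientIdList` would be whatever the deployed `AWS::IAM::OIDCProvider` resource carries, and the role's trust policy should additionally condition on the token's `sub` claim so that only the intended repository and ref can assume it.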
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/constructs/iam/roles/github-actions.ts
@@ -63,7 +63,7 @@ class GitHubOidcProvider extends CfnResource {
type: "AWS::IAM::OIDCProvider",
properties: {
Url: `https://${GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN}`,
ClientIdList: ["sigstore"],
ClientIdList: ["sts.amazonaws.com"],
ThumbprintList: [GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN_THUMBPRINT],
},
});
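Review bot: the new audience is an inline literal while the sibling `Url` and `ThumbprintList` fields read from named constants (`GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN`, `GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN_THUMBPRINT`); consider `const GITHUB_ACTIONS_OIDC_AUDIENCE = "sts.amazonaws.com";` next to them, with a comment citing the GitHub docs link from the commit message, so the value has one home and any trust-policy condition on the token's `aud` can reference the same constant. Since the docs quoted in the message say this value applies "if you are using the official action", that comment should also note that a workflow requesting an ID token with a different audience will hit the same "Incorrect token audience" error against this provider.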
