Allow the use of custom claims like job_workflow_ref
issued by GHA while assuming IAM role
#912
Labels: closed-for-staleness; feature-request (A feature should be added or improved.); response-requested (Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.)
Describe the feature
Whenever we're assuming an IAM role through this action, we are not able to use all the custom claims provided by GitHub in its OIDC token.
For example, job_workflow_ref is a part of the following GitHub OIDC token, but we cannot refer to job_workflow_ref in the trust policy of an IAM role as the OIDC request to IAM doesn't contain that custom claim:
I try to assume the role like:
And I want to assume the role when the trust policy looks like (or something along these lines):
Use Case
There are wild workarounds like this that are built to resolve this issue, but would be ideal to have a simple solution built for it. It would be awesome to query by different custom claims in the trust policy of the roles to make the role assumption more fine-grained.
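As an added illustration (not code from this issue or from the action itself), the following Python shows the two layers the request above is about: what an IAM trust policy can match today, a StringLike condition on the sub claim, next to a gate on the job_workflow_ref claim that currently has to be enforced outside IAM, for example in the workflow before credentials are requested. The claim values, the allow-list and the token are constructed for the example, and signature verification of the token against the issuer's JWKS is assumed to have happened elsewhere.

```python
import base64
import json
import re

# Constructed sample claims, modelled on the claim names GitHub documents for
# its Actions OIDC token. Every value is made up; this is not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/app:ref:refs/heads/main",
    "repository": "example-org/app",
    "ref": "refs/heads/main",
    "job_workflow_ref": "example-org/shared/.github/workflows/deploy.yml@refs/heads/main",
}

# Hypothetical allow-list: the only reusable-workflow versions that may assume
# the privileged role. Exact strings, including the git ref after '@'.
ALLOWED_JOB_WORKFLOW_REFS = {
    "example-org/shared/.github/workflows/deploy.yml@refs/heads/main",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature.

    Constructed for this example only; a real token is RS256-signed by GitHub.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def payload_claims(token: str) -> dict:
    """Parse the payload segment of a JWT into a dict.

    Assumption: the signature was already verified against the issuer's JWKS
    (out of scope here). This function only decodes, it does not verify.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def split_job_workflow_ref(ref: str) -> tuple:
    """Split '<owner>/<repo>/<path>@<git-ref>' into (owner/repo, path, git-ref)."""
    location, sep, git_ref = ref.rpartition("@")
    if not sep or not git_ref:
        raise ValueError("job_workflow_ref has no '@<git-ref>' suffix")
    owner, repo, path = location.split("/", 2)
    return (f"{owner}/{repo}", path, git_ref)


def job_workflow_ref_allowed(claims: dict, allowed: set = ALLOWED_JOB_WORKFLOW_REFS) -> bool:
    """Gate on the exact job_workflow_ref value.

    Exact matching matters: a prefix test would also accept
    '...@refs/heads/main-fork' or any ref that merely begins with the expected one.
    """
    ref = claims.get("job_workflow_ref")
    return isinstance(ref, str) and ref in allowed


def naive_prefix_check(claims: dict, prefix: str) -> bool:
    """The pitfall: accepts any ref that starts with the expected value."""
    return str(claims.get("job_workflow_ref", "")).startswith(prefix)


def sub_allowed_by_policy(sub: str, pattern: str) -> bool:
    """Mirror an IAM StringLike condition on token.actions.githubusercontent.com:sub.

    The trust policy can match 'sub' (and 'aud') but not job_workflow_ref, which
    is why the job_workflow_ref gate above has to run somewhere else.
    StringLike supports '*' (any run) and '?' (one character); map them to regex.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, sub) is not None


if __name__ == "__main__":
    claims = payload_claims(make_unsigned_jwt(SAMPLE_CLAIMS))
    print("sub matches trust policy:", sub_allowed_by_policy(claims["sub"], "repo:example-org/app:ref:refs/heads/*"))
    print("job_workflow_ref allowed:", job_workflow_ref_allowed(claims))
```

The sub condition is the only part of this that a trust policy can express on its own; the job_workflow_ref check is the piece the issue asks the action to make possible, and until then it is a control applied in the caller, with exact-string matching rather than a prefix test.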
One typical use case:
main branch version of the reusable workflow. The way we can enforce this is by checking the job_workflow_ref keyword while assuming the privileged role.
Proposed Solution
No response
Other Information
No response
Acknowledgements