Tweak AWS OIDC instructions (#11621)

* Tweak AWS OIDC instructions * Only contents: read is necessary * Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials * Update to be valid JSON, and actually remove :aud Co-authored-by: hubwriter <hubwriter@github.com>
github · Nov 30, 2021 · ba382b2 · ba382b2
1 parent bb1a75b
commit ba382b2
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/...hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/...hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -38,12 +38,11 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
 
 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
 
-By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example:
+Edit the trust relationship to add the `sub` field to the validation conditions. For example:
 
 ```json{:copy}
 "Condition": {
   "StringEquals": {
-    "token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
     "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
   }
 }
@@ -86,7 +85,7 @@ env:
 # permission can be added at job level or workflow level    
 permissions:
       id-token: write
-      contents: write    # This is required for actions/checkout@v1
+      contents: read    # This is required for actions/checkout@v1
 jobs:
   S3PackageUpload:
     runs-on: ubuntu-latest