Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations

<p>In 2021, GitHub released support for OpenID Connect (OIDC) in GitHub Actions (GHA), allowing developers to securely interact with their infrastructure in Amazon Web Services (AWS) and other major cloud service providers. With OIDC, GHA jobs retrieve short-lived session tokens on demand instead of relying on long-lived private keys or credential files stored as secrets. At Tinder Security Labs, we identified that certain configurations used when setting up OIDC with GHA can result in vulnerabilities that allow external attackers to gain access to a vulnerable organization’s cloud infrastructure. In addition, we have written and published a black-box assessment tool that detects and flags vulnerable configurations in AWS environments. In this blog post, we share examples of vulnerable configurations, case studies with external organizations, mitigation examples, and abuse identification techniques.</p>

<h1>Inner workings of AWS OIDC + GitHub</h1>

<p>AWS is one of the cloud providers that supports OpenID Connect with GHA. Configuring OIDC in AWS requires two things: an IAM role and an identity provider that is linked to that IAM role through the role’s trust policy. On the GitHub side, no configuration is needed; the setup is done in the GHA workflow.</p>

<p><a href="https://medium.com/tinder/identifying-vulnerabilities-in-github-actions-aws-oidc-configurations-8067c400d5b8"><strong>Website</strong></a></p>
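<p>The link between the identity provider and the IAM role described above lives in the role's trust policy, and the trust policy's <code>Condition</code> block is where the configuration can go wrong. The following Python block is an added example, not code from the article or from Tinder Security Labs' assessment tool. It builds two trust policies for the GitHub OIDC provider, one that checks only the <code>aud</code> claim and one that also pins the <code>sub</code> claim to a single repository and branch, and audits them with a small checker that encodes the documented AWS/GitHub guidance to condition on both claims. The account id, provider ARN and repository names are placeholders.</p>

```python
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"
EXPECTED_AUD = "sts.amazonaws.com"

# Placeholder provider ARN (constructed for this example, not from the article).
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"


def build_trust_policy(condition: dict) -> dict:
    """Return an IAM trust policy that lets the GitHub OIDC provider assume the role
    under the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Weak setting: only the audience is checked. Any GitHub repository whose workflow
# requests a token with aud=sts.amazonaws.com satisfies this condition.
WEAK_TRUST_POLICY = build_trust_policy({"StringEquals": {AUD_KEY: EXPECTED_AUD}})

# Hardened setting: the subject claim is pinned to one repository and one branch
# (placeholder names), so only that workflow can assume the role.
HARDENED_TRUST_POLICY = build_trust_policy({
    "StringEquals": {
        AUD_KEY: EXPECTED_AUD,
        SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main",
    }
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings for every Allow statement that trusts the GitHub OIDC provider."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(GITHUB_OIDC_HOST in str(p) for p in federated):
            continue  # not a GitHub Actions trust statement

        # Flatten the Condition block into claim key -> (operator, values).
        claims = {}
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                claims[key] = (operator, _as_list(value))

        if AUD_KEY not in claims:
            findings.append("missing aud condition: tokens minted for any audience are accepted")
        elif any(aud != EXPECTED_AUD for aud in claims[AUD_KEY][1]):
            findings.append(f"aud is not pinned to {EXPECTED_AUD}")

        if SUB_KEY not in claims:
            findings.append("missing sub condition: any GitHub repository can assume this role")
            continue

        operator, subjects = claims[SUB_KEY]
        wildcard_op = operator.startswith("StringLike")
        for sub in subjects:
            if not sub.startswith("repo:"):
                findings.append(f"sub {sub!r} does not start with 'repo:'")
                continue
            repo_path = sub[len("repo:"):].split(":", 1)[0]  # e.g. "org/name"
            owner, _, name = repo_path.partition("/")
            if wildcard_op and any(c in owner for c in "*?"):
                findings.append(f"sub {sub!r} matches repositories outside your organization")
            elif wildcard_op and any(c in name for c in "*?"):
                findings.append(f"sub {sub!r} matches every repository in the organization")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, json.dumps(audit_trust_policy(policy), indent=2))
```

<p>Run against a policy exported with <code>aws iam get-role</code>, the checker reports the weak policy's missing <code>sub</code> condition and returns no findings for the hardened one. The <code>StringLike</code> handling exists because a <code>sub</code> pattern of <code>repo:*</code> or <code>repo:example-org/*</code> is only a wildcard under that operator; under <code>StringEquals</code> the asterisk is a literal.</p>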