I am trying to allow access to an AWS service for Github Actions in multiple repositories via OIDC. Here is the current policy that works with 1 repository:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<id>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:username/myrepo:*"
}
}
}
]
}
My question is, how can we allow this policy for multiple repositories? Duplicating "token.actions.githubusercontent.com:sub": "repo:username/myrepo:*" does not seem to work; the console editor shows an error.
To be able to use multiple possible values for the same key, you need to use arrays:
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:username/myrepo1:*",
"repo:username/myrepo2:*"
]
}
With multiple values for the same context key, AWS evaluates them with OR, so this would allow access from myrepo1 and myrepo2.
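A way to check which GitHub tokens a trust policy like this admits before deploying it: the small Python evaluator below models the Condition block's documented semantics (operator blocks are ANDed, the values listed under one key are ORed, StringLike treats * and ? as wildcards) and runs the answer's two-repository policy against a few sample tokens. This is an added example, not code from the question, the answer or AWS; the account id 123456789012 and the sample sub/aud claims are constructed, and only StringEquals and StringLike are modelled, not IAM's full condition grammar.

```python
import json
import re

# Added example (not from the original question or answer). The OIDC provider
# hostname is what IAM prefixes onto the token claims to form context keys
# such as token.actions.githubusercontent.com:sub.
PROVIDER = "token.actions.githubusercontent.com"

# Constructed sample: the answer's policy with two repositories and a made-up account id.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:username/myrepo1:*",
            "repo:username/myrepo2:*"
          ]
        }
      }
    }
  ]
}
""")


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: * matches any run of characters, ? matches exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator block must match (AND); within one key any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: a plain string condition cannot match
            if operator == "StringEquals":
                ok = any(actual == v for v in values)
            elif operator == "StringLike":
                ok = any(_like(v, actual) for v in values)
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
            if not ok:
                return False
    return True


def token_allowed(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity matches the token's claims."""
    context = {f"{PROVIDER}:{name}": value for name, value in claims.items()}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed sample claims, shaped like the sub/aud claims GitHub Actions issues.
SAMPLE_TOKENS = {
    "myrepo1, main branch":     {"sub": "repo:username/myrepo1:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    "myrepo2, prod environment": {"sub": "repo:username/myrepo2:environment:prod", "aud": "sts.amazonaws.com"},
    "otherrepo, main branch":   {"sub": "repo:username/otherrepo:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    "myrepo1, wrong audience":  {"sub": "repo:username/myrepo1:ref:refs/heads/main", "aud": "https://github.com/username"},
    "myrepo10, main branch":    {"sub": "repo:username/myrepo10:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
}

if __name__ == "__main__":
    for label, claims in SAMPLE_TOKENS.items():
        print(f"{label:28} -> {'allowed' if token_allowed(TRUST_POLICY, claims) else 'denied'}")
```

Two things the run makes visible: the trailing colon in "repo:username/myrepo1:*" is what stops a differently named repository such as myrepo10 from matching by prefix, and the "*" after it accepts any branch, tag, environment or pull request of that repository. If the role should only be assumable from a particular branch, use a narrower pattern such as "repo:username/myrepo1:ref:refs/heads/main" in the same array, one entry per repository.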