Tags: amazon-web-services, openid-connect, identity-management, aws-policies

AWS OIDC policy for multiple repositories?


I am trying to allow access to an AWS service for GitHub Actions in multiple repositories via OIDC. Here is the current policy that works with one repository:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<id>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:username/myrepo:*"
                }
            }
        }
    ]
}

My question is, how can we allow this policy for multiple repositories? Duplicating "token.actions.githubusercontent.com:sub": "repo:username/myrepo:*" does not seem to work; the console editor shows an error.


Solution

  • To be able to use multiple possible values for the same key, you need to use arrays:

    "StringLike": {
        "token.actions.githubusercontent.com:sub": [
            "repo:username/myrepo1:*",
            "repo:username/myrepo2:*"
        ]
    }
    

    With multiple values for the same context key, AWS evaluates them with OR, so this allows access from myrepo1 and myrepo2.
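The OR-within-a-key behaviour the answer describes (together with the AND across the aud and sub keys) can be checked offline with a small evaluator. The following is an added example, not code from the question or the answer: it reimplements only the subset of IAM condition semantics used on this page (StringEquals, StringLike with "*" and "?", multi-valued keys, missing keys failing). The account id 123456789012, the helper names and the sample sub claims are constructed for illustration; the sub formats follow the ones GitHub documents for branch and pull_request runs.

```python
"""Toy evaluator for the Condition block of an IAM role trust policy.

Added example. It models only what this page needs: StringEquals, StringLike,
single- or multi-valued condition keys, and the rule that a key missing from
the request fails. It is not the AWS evaluator (no Deny statements, no
...IfExists operators) and the token claims below are constructed.
"""
import json
import re

# Constructed trust policy: the answer's multi-valued StringLike plus the
# aud check from the question. Account id 123456789012 is a placeholder.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated":
      "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": [
        "repo:username/myrepo1:*",
        "repo:username/myrepo2:*"
      ]}
    }
  }]
}
""")

GH_ISSUER = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM lets a policy value be a single string or a JSON array."""
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one,
    everything else is literal (re.escape keeps '.' and '/' literal)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


OPERATORS = {
    "StringEquals": lambda policy_value, value: policy_value == value,
    "StringLike": _string_like,
}


def condition_allows(condition, context):
    """Evaluate one Condition block against request context keys.

    IAM semantics reproduced here:
      * every operator block must pass (AND),
      * every key inside an operator block must pass (AND),
      * a key with several policy values passes if ANY value matches (OR),
      * a key absent from the request fails (no ...IfExists here).
    """
    for operator, keys in condition.items():
        match = OPERATORS[operator]  # KeyError for operators this toy does not model
        for key, policy_values in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if not any(match(pv, actual) for pv in _as_list(policy_values)):
                return False
    return True


def can_assume_role(policy, context):
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity matches."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(statement.get("Action")):
            continue
        if condition_allows(statement.get("Condition", {}), context):
            return True
    return False


def github_context(sub, aud="sts.amazonaws.com"):
    """Map the sub/aud claims of a GitHub Actions OIDC token onto the
    condition keys AWS derives from them (<issuer>:sub, <issuer>:aud)."""
    return {f"{GH_ISSUER}:sub": sub, f"{GH_ISSUER}:aud": aud}


# Constructed sample subs: a branch run and a pull_request run in the two
# allowed repos, a run in a third repo, and a run from another account.
SAMPLE_SUBS = [
    "repo:username/myrepo1:ref:refs/heads/main",
    "repo:username/myrepo2:pull_request",
    "repo:username/myrepo3:ref:refs/heads/main",
    "repo:otheruser/myrepo1:ref:refs/heads/main",
]

if __name__ == "__main__":
    for sub in SAMPLE_SUBS:
        verdict = "ALLOW" if can_assume_role(TRUST_POLICY, github_context(sub)) else "DENY"
        print(f"{verdict:5} {sub}")
    # A correct aud is required even for an allowed repo.
    print(can_assume_role(TRUST_POLICY, github_context(SAMPLE_SUBS[0], aud="not-sts")))
```

Two practical points the evaluator makes visible: "repo:username/myrepo1:*" accepts any branch, tag, pull request or environment of that repository, so if only deployments from one branch should assume the role, list the exact sub (for example "repo:username/myrepo1:ref:refs/heads/main") instead of the wildcard; and a pattern such as "repo:username/*" would extend the grant to every repository under that account, so keep the wildcard after the repository name, not in place of it.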