
Commit c87bb0d

committed
Organize GitHub Actions OIDC IAM policy Sids
Divide policy Sids (statement IDs) by access level (list, read, tagging, permissions management, and write) as classified in the Service Authorization Reference. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html
1 parent a48a077 commit c87bb0d


1 file changed

+67
-54
lines changed


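--- a/README.md
+++ b/README.md
@@ -14,106 +14,119 @@ In addition to this module, see other implementations from [Cloud Posse](https:/
 
 Authentication is required for the AWS provider so that OpenTofu can apply configurations. The [IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) recommend granting least privilege.
 
-<details><summary>Here are the minimum required permissions for running this module <em>(expand)</em>. Adjust the resource names as needed.</summary>
+<details><summary>Here are the minimum required permissions for running this module <em>(expand)</em>. Adjust the resource names as needed. Policy Sids (statement IDs) are organized by access level based on the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html">Service Authorization Reference</a>.</summary>
 
 ```json
 {
 "Version": "2012-10-17",
 "Statement": [
 {
-"Sid": "IAMOIDCProviderProvisioningActions",
-"Effect": "Allow",
 "Action": [
-"iam:AddClientIDToOpenIDConnectProvider",
-"iam:CreateOpenIDConnectProvider",
-"iam:TagOpenIDConnectProvider",
-"iam:UpdateOpenIDConnectProviderThumbprint"
+"iam:ListOpenIDConnectProviders",
+"iam:ListOpenIDConnectProviderTags"
 ],
-"Resource": [
-"arn:aws:iam::*:oidc-provider/token.actions.githubusercontent.com"
-]
+"Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMOIDCProviderListActions"
 },
 {
-"Sid": "IAMOIDCProviderReadActions",
+"Action": ["iam:GetOpenIDConnectProvider"],
 "Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMOIDCProviderReadActions"
+},
+{
 "Action": [
-"iam:GetOpenIDConnectProvider",
-"iam:ListOpenIDConnectProviders",
-"iam:ListOpenIDConnectProviderTags"
+"iam:TagOpenIDConnectProvider",
+"iam:UntagOpenIDConnectProvider"
 ],
-"Resource": ["*"]
+"Effect": "Allow",
+"Resource": [
+"arn:aws:iam::*:oidc-provider/token.actions.githubusercontent.com"
+],
+"Sid": "IAMOIDCProviderTaggingActions"
 },
 {
-"Sid": "IAMOIDCProviderCleanupActions",
-"Effect": "Allow",
 "Action": [
+"iam:AddClientIDToOpenIDConnectProvider",
+"iam:CreateOpenIDConnectProvider",
 "iam:DeleteOpenIDConnectProvider",
 "iam:RemoveClientIDFromOpenIDConnectProvider",
-"iam:UntagOpenIDConnectProvider"
+"iam:UpdateOpenIDConnectProviderThumbprint"
 ],
+"Effect": "Allow",
 "Resource": [
 "arn:aws:iam::*:oidc-provider/token.actions.githubusercontent.com"
-]
+],
+"Sid": "IAMOIDCProviderWriteActions"
 },
 {
-"Sid": "IAMRoleProvisioningActions",
-"Effect": "Allow",
 "Action": [
-"iam:AttachRolePolicy",
-"iam:CreateRole",
-"iam:PutRolePolicy",
-"iam:UpdateRole",
-"iam:UpdateRoleDescription",
-"iam:UpdateAssumeRolePolicy"
+"iam:ListEntitiesForPolicy",
+"iam:ListPolicies",
+"iam:ListPolicyVersions",
+"iam:ListUserPolicies"
 ],
-"Resource": ["arn:aws:iam::*:role/github*"]
+"Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMPolicyListActions"
+},
+{
+"Action": ["iam:GetPolicy", "iam:GetPolicyVersion"],
+"Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMPolicyReadActions"
 },
 {
-"Sid": "IAMRoleReadActions",
+"Action": [
+"iam:CreatePolicy",
+"iam:CreatePolicyVersion",
+"iam:DeletePolicy",
+"iam:DeletePolicyVersion"
+],
 "Effect": "Allow",
+"Resource": ["arn:aws:iam::*:policy/github*"],
+"Sid": "IAMPolicyPermissionsManagementActions"
+},
+{
 "Action": [
-"iam:GetRole",
 "iam:ListAttachedRolePolicies",
 "iam:ListInstanceProfilesForRole",
 "iam:ListRolePolicies",
 "iam:ListRoles"
 ],
-"Resource": ["*"]
+"Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMRoleListActions"
 },
 {
-"Sid": "IAMRoleCleanupActions",
+"Action": ["iam:GetRole", "iam:GetRolePolicy"],
 "Effect": "Allow",
+"Resource": ["*"],
+"Sid": "IAMRoleReadActions"
+},
+{
 "Action": [
-"iam:DeleteRole",
+"iam:AttachRolePolicy",
 "iam:DeleteRolePolicy",
-"iam:DetachRolePolicy"
+"iam:DetachRolePolicy",
+"iam:PutRolePolicy",
+"iam:UpdateAssumeRolePolicy"
 ],
-"Resource": ["arn:aws:iam::*:role/github*"]
-},
-{
-"Sid": "IAMPolicyProvisioningActions",
 "Effect": "Allow",
-"Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion"],
-"Resource": ["arn:aws:iam::*:policy/github*"]
+"Resource": ["arn:aws:iam::*:role/github*"],
+"Sid": "IAMRolePermissionsManagementActions"
 },
 {
-"Sid": "IAMPolicyReadActions",
-"Effect": "Allow",
 "Action": [
-"iam:GetPolicy",
-"iam:GetPolicyVersion",
-"iam:ListEntitiesForPolicy",
-"iam:ListPolicies",
-"iam:ListPolicyVersions",
-"iam:ListUserPolicies"
+"iam:CreateRole",
+"iam:DeleteRole",
+"iam:UpdateRole",
+"iam:UpdateRoleDescription"
 ],
-"Resource": ["*"]
-},
-{
-"Sid": "IAMPolicyCleanupActions",
+"Resource": ["arn:aws:iam::*:role/github*"],
 "Effect": "Allow",
-"Action": ["iam:DeletePolicy", "iam:DeletePolicyVersion"],
-"Resource": ["arn:aws:iam::*:policy/github*"]
+"Sid": "IAMRoleWriteActions"
 }
 ]
 }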
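Review bot: The new IAMRolePermissionsManagementActions statement grants `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:UpdateAssumeRolePolicy` on `arn:aws:iam::*:role/github*` with no Condition, so the holder can attach any managed policy (including AWS-managed admin policies), write any inline policy, and set any trust policy on those roles; the regrouping does not narrow this, which makes the "minimum required permissions" wording in the summary stronger than what the policy enforces. If the module only ever attaches the `github*` customer-managed policies it creates (not visible here, confirm before changing), `AttachRolePolicy`/`DetachRolePolicy` could move to their own statement carrying `"Condition": {"ArnLike": {"iam:PolicyARN": "arn:aws:iam::*:policy/github*"}}`; that still leaves inline documents and trust policies unconstrained, so a sentence recommending a permissions boundary enforced with an `iam:PermissionsBoundary` condition on `CreateRole`, `AttachRolePolicy` and `PutRolePolicy` would give readers the actual least-privilege pattern. Separately, `iam:GetRole` and `iam:GetRolePolicy` in the new IAMRoleReadActions statement are granted on `"*"` although both accept a role ARN, so they could be scoped to `arn:aws:iam::*:role/github*` like the write statements.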
