
Closed
spyoungtech opened this issue Jun 28, 2021 · 5 comments
Labels
effort/medium This issue will take a few days of effort to fix feature-request A feature should be added or improved. p2

Comments

@spyoungtech

spyoungtech commented Jun 28, 2021

Request

It would be great if this action could support session policies (the Policy parameter for AssumeRole operation) for assumed roles.

Problem being solved

Inline policies help IAM users apply permission boundaries to roles being assumed. This may help prevent accidents in a job or otherwise limit the scope in which the assumed role can be used thus improving security posture.

Use cases

Limiting permissions of a role based on action being taken

For example, a role may be specified as an organization secret with access to update many CloudFormation stacks. An inline policy might be used to reduce the permissions to a subset of resources, such as denying access to RDS resources or denying access when tags do not match expected tags for the project.

An example inline policy denying CloudFormation actions to resources with unexpected tags:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Deny",
         "Action":"CloudFormation:*",
         "Resource":"*",
         "Condition": {"StringNotLikeIfExists": {"aws:ResourceTag/CUSTOM_TAG": "my-tag-value"}}
      }
   ]
}

Limiting source IP for assumed role dynamically

One might use a session policy to ensure the temporary credentials generated by this action are limited to the source IP address of the GitHub action runner. Thus, if the temporary credentials are exfiltrated, they won't be (as) useful to an attacker.

For example, an inline policy may be generated dynamically by resolving the public IP of the GitHub runner, only allowing AWS actions to be taken from the current IP address (could be used with haythem/public-ip action)

Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Proposed usage

Usage might look like this:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Configure Inline Policy
      id: inline-policy
      uses: FICTIONAL_EXAMPLE@example
      with:
        some-param: value
      # outputs JSON policy string as `.policy`

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
        aws-region: us-east-2
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        assume-role-policy: ${{ steps.inline-policy.outputs.policy }}
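The two session policies sketched above (tag-scoped CloudFormation deny plus a runner-IP deny following the linked AWS deny-ip example), built and size-checked before being handed to STS `AssumeRole`'s `Policy` parameter. This is an added illustration, not code from the issue or from configure-aws-credentials; the function names, the 2048-character plaintext limit check and the boto3 call wrapper are my own, and the sample IP and tag values are constructed.

```python
import ipaddress
import json

# STS rejects session policies whose plaintext exceeds this many characters.
SESSION_POLICY_MAX_CHARS = 2048


def build_session_policy(runner_ip: str, tag_key: str, tag_value: str) -> dict:
    """Session policy that only narrows the assumed role (Deny statements).

    Statement 1 blocks CloudFormation on resources whose project tag does not
    match; statement 2 blocks every action not originating from the runner's
    public IP. aws:ViaAWSService=false keeps calls that AWS services make on
    the session's behalf (which carry a service IP) working.
    """
    # Accept a single host address only; CIDRs and junk raise ValueError.
    ip = ipaddress.ip_address(runner_ip)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCfnOnUntaggedResources",
                "Effect": "Deny",
                "Action": "cloudformation:*",
                "Resource": "*",
                "Condition": {
                    "StringNotLikeIfExists": {f"aws:ResourceTag/{tag_key}": tag_value}
                },
            },
            {
                "Sid": "DenyOutsideRunnerIp",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": f"{ip}/{ip.max_prefixlen}"},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            },
        ],
    }


def assume_role_params(role_arn: str, session_name: str, policy: dict) -> dict:
    """Serialize compactly and enforce the plaintext limit before calling STS."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > SESSION_POLICY_MAX_CHARS:
        raise ValueError(f"session policy is {len(text)} chars > {SESSION_POLICY_MAX_CHARS}")
    return {"RoleArn": role_arn, "RoleSessionName": session_name, "Policy": text}


def assume_role_with_policy(params: dict) -> dict:
    """Perform the narrowed AssumeRole (needs boto3 and credentials; not run here)."""
    import boto3  # assumed available in the runner environment
    return boto3.client("sts").assume_role(**params)["Credentials"]
```

The returned credentials carry the intersection of the role's own permissions and this policy, so a session policy can never grant more than the role already has.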
@allisaurus allisaurus added the feature-request A feature should be added or improved. label Jul 2, 2021
@allisaurus
Contributor

Thanks for the feature request @spyoungtech! I agree this sounds like it would be a great addition.

@github-actions

github-actions bot commented Oct 1, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 2 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 2 days unless further comments are made. labels Oct 1, 2022
@github-actions github-actions bot closed this as completed Oct 3, 2022
@peterwoodworth peterwoodworth reopened this Oct 4, 2022
@peterwoodworth peterwoodworth added p2 effort/medium This issue will take a few days of effort to fix and removed closed-for-staleness labels Oct 4, 2022
@dimitar-hristov
Contributor

Hello 👋 #739 is my attempt at implementing this feature request. Any feedback is welcome and will be useful! 🙂

@peterwoodworth
Contributor

Fixed by #739, this is now included on v2.2.0, and as such v2. Thanks @dimitar-hristov for your contribution!

@github-actions

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
