Trust policy example in Setting up OIDC for AWS should reference docs on OIDC subjects in claims #28292
Closed
Labels: content
What article on docs.github.com is affected?
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
What changes are you suggesting?
In the first example for this section of the doc, the trust policy scopes the access to a particular branch for a repository using `ref` as a subject. However, this example doesn't make note of a pitfall where if a job references a Deployment Environment then the policy won't allow GitHub Actions to assume the role. In my case, I had a deploy script reference a `production` environment. So I needed to set the policy to use `environment` as a claim, as depicted here. This is something that was tricky to figure out until I ran into the claims doc above.
Additional information
I raised a draft PR for this, though unfortunately this area of the documentation is restricted. Though I thought I'd leave it so it can be copied over and extended.
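As an added illustration of the pitfall described in this issue (not code from the docs, from GitHub or from AWS), the following Python models how an IAM trust-policy condition is evaluated against the `sub` claim GitHub Actions issues; the repository name and the account id are constructed placeholders, and the evaluator only emulates the StringEquals/StringLike operators.

```python
"""Why a trust policy scoped to a branch `ref` stops working once a job uses a
deployment environment: GitHub then issues a different `sub` claim."""
import fnmatch
from typing import Optional

ISSUER = "token.actions.githubusercontent.com"
REPO = "example-org/example-repo"  # constructed sample repository


def github_claims(repo: str, ref: Optional[str] = None,
                  environment: Optional[str] = None) -> dict:
    """Claims GitHub Actions puts in the OIDC token. A job that references a
    deployment environment gets `repo:<owner>/<repo>:environment:<name>` as
    its `sub`, not `repo:<owner>/<repo>:ref:<ref>`."""
    sub = (f"repo:{repo}:environment:{environment}" if environment is not None
           else f"repo:{repo}:ref:{ref}")
    return {"sub": sub, "aud": "sts.amazonaws.com"}


def trust_statement(sub_operator: str, sub_value: str) -> dict:
    """Trust-policy statement in the shape the docs use (placeholder account id)."""
    cond = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
    cond.setdefault(sub_operator, {})[f"{ISSUER}:sub"] = sub_value
    return {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
            "Condition": cond}


def allows(statement: dict, claims: dict) -> bool:
    """Emulate IAM evaluation of the Condition block against the token claims."""
    for op, keys in statement["Condition"].items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {op} is not modelled here")
        for key, want in keys.items():
            claim = claims.get(key.removeprefix(ISSUER + ":"))
            patterns = want if isinstance(want, list) else [want]
            if claim is None:
                return False  # a missing claim never satisfies a String* condition
            if op == "StringEquals" and claim not in patterns:
                return False
            if op == "StringLike" and not any(
                    fnmatch.fnmatchcase(claim, p) for p in patterns):
                return False  # `*` / `?` wildcards, as in IAM
    return True


# The docs' first example, scoped to the main branch via the `ref` subject ...
BRANCH_SCOPED = trust_statement("StringEquals", f"repo:{REPO}:ref:refs/heads/main")
# ... and the form the issue author needed, scoped to the `production` environment.
ENV_SCOPED = trust_statement("StringEquals", f"repo:{REPO}:environment:production")

if __name__ == "__main__":
    env_job = github_claims(REPO, environment="production")
    print("branch-scoped policy, job using an environment:", allows(BRANCH_SCOPED, env_job))
    print("environment-scoped policy, same job:", allows(ENV_SCOPED, env_job))
```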