IAM roles should not allow untrusted GitLab runners to assume them

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

When using GitLab CI/CD to assume an IAM role, it is recommended to use identity federation to avoid using hardcoded, long-lived credentials.

However, in some cases the trust policy of the role may be misconfigured and allow any untrusted GitLab runner to assume the IAM role.

Rationale

If the role trust policy does not have a properly configured condition, any untrusted GitLab runner from any repository (including outside your organization) can assume the role and retrieve credentials to your AWS account.

Remediation

Ensure that the IAM role has a condition on the gitlab.com:sub condition key, for instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::123456123456:oidc-provider/gitlab.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "gitlab.example.com:sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"
          }
        }
    }
  ]
}

From the console

  1. In the AWS Console, navigate to the IAM role you would like to change.
  2. On the IAM role page, click the Trust relationships tab.
  3. Click Edit trust policy.
  4. Make changes to the trust policy, as shown in the previous section.
  5. Click Update policy.

From the command line

Using update-assume-role-policy, update the role trust policy to remediate the risk.

aws iam update-assume-role-policy
   --role-name Test-Role
   --policy-document file://<NEW_ROLE_POLICY>.json