- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
When using GitLab CI/CD to assume an IAM role, it is recommended to use identity federation to avoid using hardcoded, long-lived credentials.
However, in some cases the trust policy of the role may be misconfigured and allow any untrusted GitLab runner to assume the IAM role.
If the role trust policy does not have a properly configured condition, any untrusted GitLab runner from any repository (including outside your organization) can assume the role and retrieve credentials to your AWS account.
Ensure that the IAM role has a condition on the gitlab.com:sub
condition key, for instance:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456123456:oidc-provider/gitlab.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"gitlab.example.com:sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"
}
}
}
]
}
Using update-assume-role-policy
, update the role trust policy to remediate the risk.
aws iam update-assume-role-policy
--role-name Test-Role
--policy-document file://<NEW_ROLE_POLICY>.json