---
title: IAM roles should not allow untrusted GitHub Actions to assume them
description: Datadog, the leading service for cloud-scale monitoring.
---

# IAM roles should not allow untrusted GitHub Actions to assume them
 
## Description{% #description %}

When a GitHub Action needs to assume an IAM role, it is recommended to use [identity federation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) to avoid using hardcoded, long-lived credentials.

However, in some cases the trust policy of the role may be misconfigured and allow any untrusted GitHub Action to assume the IAM role.

## Rationale{% #rationale %}

If the role trust policy does not have a properly configured condition, any untrusted GitHub Action from any repository (including outside your organization) can assume the role and retrieve credentials to your AWS account.

## Remediation{% #remediation %}

Ensure that the IAM role's trust policy includes a condition on the `token.actions.githubusercontent.com:sub` condition key that restricts the `sub` claim to your own repository (and, optionally, branch or environment), for instance:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:your-organization/your-repository:*"
        }
      }
    }
  ]
}
```

See "[Configuring the role trust policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)" and "[Example subject claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)" in the GitHub documentation for more examples.
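The check below is an added example, not Datadog's detection logic: it parses a role trust policy, finds statements that let the GitHub OIDC provider call `sts:AssumeRoleWithWebIdentity`, and reports whether the `sub` condition pins a repository, only an organization, or nothing at all. The two sample policies are constructed for illustration (placeholder account id and repository names).

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
OPERATORS = ("StringEquals", "StringLike", "ForAnyValue:StringEquals", "ForAnyValue:StringLike")

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM elements may be a string or a list

def is_github_oidc_statement(stmt):
    """Allow statement that lets the GitHub OIDC provider call sts:AssumeRoleWithWebIdentity."""
    if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True  # a wildcard principal covers the GitHub provider as well
    return any(GITHUB_OIDC in arn for arn in _as_list(principal.get("Federated", [])))

def classify_sub(pattern):
    """'pinned' (owner and repo fixed), 'org' (owner fixed, repo wildcarded) or 'any' (unrestricted)."""
    if not pattern.startswith("repo:"):
        return "any"  # "*" or a non-repository value: treated conservatively as unrestricted
    owner, _, repo = pattern[len("repo:"):].split(":", 1)[0].partition("/")
    if not owner or any(c in owner for c in "*?"):
        return "any"
    if not repo or any(c in repo for c in "*?"):
        return "org"
    return "pinned"

def assess_trust_policy(policy_json):
    """One verdict per GitHub OIDC statement: 'untrusted', 'org-wide' or 'ok'."""
    verdicts = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not is_github_oidc_statement(stmt):
            continue
        patterns = [p for op in OPERATORS for p in _as_list(stmt.get("Condition", {}).get(op, {}).get(SUB_KEY, []))]
        if not patterns:
            verdicts.append("untrusted")  # no sub condition: any GitHub repository can assume the role
            continue
        classes = {classify_sub(p) for p in patterns}
        verdicts.append("untrusted" if "any" in classes else "org-wide" if "org" in classes else "ok")
    return verdicts

# Constructed samples: the account id and repository names are placeholders, not real resources.
BASE = {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456123456:oidc-provider/" + GITHUB_OIDC}}
AUD = {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}}
MISCONFIGURED = json.dumps({"Version": "2012-10-17", "Statement": [dict(BASE, Condition=AUD)]})
REMEDIATED = json.dumps({"Version": "2012-10-17", "Statement": [dict(BASE, Condition=dict(
    AUD, StringLike={SUB_KEY: "repo:your-organization/your-repository:*"}))]})
```

To run it against a live role, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role`; an `org-wide` verdict is not flagged by this page's rule but is worth reviewing if not every repository in the organization should reach the role.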

### From the console{% #from-the-console %}

1. In the AWS Console, navigate to the IAM role you would like to change.
1. On the IAM role page, click the **Trust relationships** tab.
1. Click **Edit trust policy**.
1. Make changes to the trust policy, as shown in the previous section.
1. Click **Update policy**.

### From the command line{% #from-the-command-line %}

Using `update-assume-role-policy`, [update the role trust policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html) to remediate the risk.

```shell
aws iam update-assume-role-policy \
    --role-name Test-Role \
    --policy-document file://<NEW_ROLE_POLICY>.json
```
