Not authorized to perform: sts:TagSession on resource: ***



I am trying to run a GitHub Action to perform a DB migration on AWS on the staging server.

name: db migration for stg.
on:
  push:
    branches:
      - staging
    paths:
      - api/db/migrate/**
jobs:
  migration:
    name: DB Migration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STG }}
          role-duration-seconds: 1200
          aws-region: ap-northeast-1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.7.2'
      - name: ssh configure
        env:
          SSH_SECRET_KEY: ${{ secrets.SSH_SECRET_KEY }}
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/config
          echo 'host i-* mi-*' >> ~/.ssh/config
          echo '  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"' >> ~/.ssh/config
          echo $SSH_SECRET_KEY | base64 -d > ~/.ssh/id_rsa2
          chmod 0600 ~/.ssh/id_rsa2
      - name: db migration
        env:
          RAILS_ENV: <env>
          RAILS_MASTER_KEY: <key>
          RDS_HOSTNAME: 127.0.0.1
          RDS_DB_NAME: <db_name>
          RDS_USERNAME: <username>
          RDS_PASSWORD: <password>
          RDS_PORT: 9999
          STEP_SERVER_ID: <id>
          DB_HOST: <host>
        working-directory: ./api
        run: |
          ssh -f -N -L $RDS_PORT:$DB_HOST:3306 -i ~/.ssh/id_rsa2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ssm-user@$STEP_SERVER_ID
          sudo apt-get -yqq install libpq-dev
          gem install bundler
          bundle install --jobs 4 --retry 3
          bundle exec rails db:migrate

What could be the reason for this error when running this action? I have tried many steps to narrow down the cause of the problem, whether it is caused by the assumable_role, by wrong secret values, by the trust relationship, etc. Can anyone suggest what might be causing this?

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ***
    aws-secret-access-key: ***
    role-to-assume: ***
    role-duration-seconds: 1200
    aws-region: ap-northeast-1
Error: User: arn:aws:iam::***:user/github_user is not authorized to perform: sts:TagSession on resource: ***

Policy summary of github_user

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:*",
      "Resource": "*"
    }
  ]
}

I figured it out.
The answer is quite subtle in the docs, but you have to grant the user permission for sts:TagSession and then also add that permission to the policy of the role you are assuming.

IAM user policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Resource": [
        "arn:aws:iam::11111111111:role/RoleToAssume"
      ]
    }
  ]
}

Trust relationship of the role being assumed

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00000000000:user/UserFromAbove"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}

Adding to Chris's answer, which clearly helped to solve this problem:

  • When creating the role with OIDC, it has a trust relationship. This means some GitHub Actions must be added as the principal, and it will assume the role, and whatever permissions the role has will apply to the federated OIDC identity "Federated": "arn:aws:iam::636521895949:oidc-provider/token.actions.githubusercontent.com" (in this case GitHub Actions).

  • Also, the user has to be there to provide short-lived tokens using AWS STS, so that the GitHub Action can assume this role. So "Principal": {"AWS": "arn:aws:iam::636527382793:user/<UserName>"} should have "Action": "sts:AssumeRole".

  • This means the trust relationship on the role might look like the following, because putting the actions into a list "Action": ["sts:AssumeRole", "sts:TagSession"] is not allowed. Let's call this role s3RoleForGitHubActions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::6363891738271:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:github.com/GitHubProfile/GithubRepo/*"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6365738978321:user/UserName"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6365738978321:user/UserName"
      },
      "Action": "sts:TagSession"
    }
  ]
}

Finally, we need to give the IAM user a policy that lets it assume the role we created, so the IAM user policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Resource": [
        "arn:aws:iam::63738127982:role/s3RoleForGitHubActions"
      ]
    }
  ]
}

I have the following use case.

  • An IAM user tries to assume a role using an external ID with the following GHA:

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v2
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ env.AWS_REGION }}
    role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
    role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
    role-duration-seconds: 1200
    role-session-name: GithubBuildAndPushImageToECR
    role-skip-session-tagging: true

All I had to do was add role-skip-session-tagging: true

The answers above only work when you assume the role via OIDC WebIdentity: https://github.com/aws-actions/configure-aws-credentials#session-tagging

Hope this saves someone; I was not so lucky :-p
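The two answers above describe the same check from two sides: the accepted answer adds sts:TagSession to both the user's policy and the role's trust policy, while this one avoids the need for it with role-skip-session-tagging. The script below is an added example, not code from the question or any answer. It is a simplified model of what STS evaluates when an IAM user calls AssumeRole: the caller's identity policy and the role's trust policy must each allow every required action, and passing session tags (the action's default with static credentials plus role-to-assume) adds sts:TagSession to that list. All ARNs, account IDs and the "assume-role only" trust policy are constructed placeholders; the question does not show its actual trust policy.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


def identity_allows(identity_policy, action, resource_arn):
    """True if an Allow statement in the caller's identity policy covers action on resource_arn."""
    for stmt in identity_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if any(_wild(r, resource_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def trust_allows(trust_policy, action, caller_arn):
    """True if the role's trust policy names caller_arn as an AWS principal for action."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_arn not in principals and "*" not in principals:
            continue
        if any(_wild(a, action) for a in _as_list(stmt["Action"])):
            return True
    return False


def check_assume_role(identity_policy, trust_policy, caller_arn, role_arn, session_tags=True):
    """Return (ok, detail) for an AssumeRole call by caller_arn on role_arn.

    session_tags=True models configure-aws-credentials' default when it has static
    credentials plus role-to-assume; False models role-skip-session-tagging: true.
    Simplification: explicit Deny statements, Conditions, permissions boundaries
    and SCPs are not modelled. Note that the real AWS error message names the
    caller in both cases, so it does not tell you which side denied.
    """
    required = ["sts:AssumeRole"] + (["sts:TagSession"] if session_tags else [])
    for action in required:
        if not identity_allows(identity_policy, action, role_arn):
            return False, f"identity policy denies {action} on {role_arn}"
        if not trust_allows(trust_policy, action, caller_arn):
            return False, f"trust policy denies {action} for {caller_arn}"
    return True, "allowed: " + ", ".join(required)


# Constructed placeholders, not real accounts
CALLER = "arn:aws:iam::000000000000:user/github_user"
ROLE = "arn:aws:iam::111111111111:role/RoleToAssume"

# The question's identity policy: sts:* on everything
QUESTION_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}]}
# Constructed trust policy that only grants AssumeRole (a common console default)
ASSUMEROLE_ONLY_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]}
# The accepted answer's fix: both actions on both sides, scoped to the one role
FIXED_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"], "Resource": [ROLE]}]}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CALLER},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}]}


if __name__ == "__main__":
    for label, ident, trust, tags in [
        ("question as posted", QUESTION_IDENTITY, ASSUMEROLE_ONLY_TRUST, True),
        ("same, role-skip-session-tagging: true", QUESTION_IDENTITY, ASSUMEROLE_ONLY_TRUST, False),
        ("accepted answer's policies", FIXED_IDENTITY, FIXED_TRUST, True),
    ]:
        print(f"{label}: {check_assume_role(ident, trust, CALLER, ROLE, tags)}")
```

Running it shows the question's setup failing only on sts:TagSession in the trust policy, the same setup passing once session tagging is skipped, and the accepted answer's pair of policies passing with tags. The FIXED_IDENTITY policy also illustrates the least-privilege form: the user is allowed the two actions on one role ARN rather than sts:* on *.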

If you use CDK and maintain the user yourself (rotating credentials, etc.), you can use the following snippet to create the user and a role with session tagging on the trusted entity:

import * as iam from 'aws-cdk-lib/aws-iam';

// The user that will be creating credentials
const someUser = new iam.User(this, 'SomeUser');

// Role that will be assumed by the user
const someRole = new iam.Role(this, 'SomeRole', {
  assumedBy: new iam.ArnPrincipal(someUser.userArn).withSessionTags(),
});

I ran into the same problem, and I solved it by adding permission for my GH Actions pipeline to read GitHub's own ID token, which is why OIDC works in my case.

For the case shared by @Ragnar921:

on:
  push:
    branches:
      - staging
    paths:
      - api/db/migrate/**
jobs:
  migration:
    name: DB Migration
    runs-on: ubuntu-latest
    ### add it ########
    permissions:
      id-token: write
      contents: read
    ###################
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STG }}
          role-duration-seconds: 1200
          aws-region: ap-northeast-1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.7.2'
      - name: ssh configure
        env:
          SSH_SECRET_KEY: ${{ secrets.SSH_SECRET_KEY }}
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/config
          echo 'host i-* mi-*' >> ~/.ssh/config
          echo '  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"' >> ~/.ssh/config
          echo $SSH_SECRET_KEY | base64 -d > ~/.ssh/id_rsa2
          chmod 0600 ~/.ssh/id_rsa2
      - name: db migration
        env:
          RAILS_ENV: <env>
          RAILS_MASTER_KEY: <key>
          RDS_HOSTNAME: 127.0.0.1
          RDS_DB_NAME: <db_name>
          RDS_USERNAME: <username>
          RDS_PASSWORD: <password>
          RDS_PORT: 9999
          STEP_SERVER_ID: <id>
          DB_HOST: <host>
        working-directory: ./api
        run: |
          ssh -f -N -L $RDS_PORT:$DB_HOST:3306 -i ~/.ssh/id_rsa2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ssm-user@$STEP_SERVER_ID
          sudo apt-get -yqq install libpq-dev
          gem install bundler
          bundle install --jobs 4 --retry 3
          bundle exec rails db:migrate

No extra trust relationship is needed on the role that the GH runner assumes by itself, only the one OIDC requires, like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:XXXXXXX/YYYYYYYYY:pull_request",
            "repo:XXXXXXX/YYYYYYYYY:ref:refs/heads/*"
          ]
        }
      }
    }
  ]
}
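With OIDC, the job-level permissions: id-token: write lets the runner request a token from GitHub, and the trust policy above decides which tokens may assume the role; the Condition block is what scopes that to one repository and to branch pushes or pull requests. The script below is an added example, not code from the answer, that implements the two condition operators the policy uses (StringEquals, and StringLike with IAM's * and ? wildcards) and evaluates the policy against constructed claim sets in the shape GitHub's token exposes to IAM. The account ID and the repository name example-org/example-repo are placeholders standing in for the XXXXXXX/YYYYYYYYY values in the answer.

```python
from fnmatch import fnmatchcase

# Constructed placeholders standing in for the answer's XXXXXXX values
PROVIDER = "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
REPO = "example-org/example-repo"

# The trust policy from the answer, with the placeholders filled in
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": [
                f"repo:{REPO}:pull_request",
                f"repo:{REPO}:ref:refs/heads/*",
            ]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, claims):
    """Every operator/key pair must pass; a key with several values passes if any one matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = claims.get(key)
            if actual is None:
                return False  # a missing claim never satisfies StringEquals/StringLike
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, pat) for pat in _as_list(expected))
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
            if not ok:
                return False
    return True


def web_identity_allowed(trust_policy, claims, provider_arn=PROVIDER):
    """True if some statement lets provider_arn call AssumeRoleWithWebIdentity for these claims."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), claims):
            return True
    return False


def github_claims(repo, context, aud="sts.amazonaws.com"):
    """Constructed claim set: GitHub's 'sub' is 'repo:<owner>/<repo>:<context>'."""
    return {
        "token.actions.githubusercontent.com:aud": aud,
        "token.actions.githubusercontent.com:sub": f"repo:{repo}:{context}",
    }


if __name__ == "__main__":
    for context in ("ref:refs/heads/staging", "pull_request", "ref:refs/tags/v1.0"):
        print(context, web_identity_allowed(TRUST_POLICY, github_claims(REPO, context)))
    print("other repo", web_identity_allowed(
        TRUST_POLICY, github_claims("other-org/example-repo", "ref:refs/heads/staging")))
```

A push to any branch and a pull request in the named repository are accepted; a tag push, a token from another repository, or a token minted for a different audience is refused, which is the property you want to confirm before widening a sub pattern.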
