Identity Providers

Overview of Identity Providers and how to attack them.

OpenID Connect (OIDC)

  • OIDC is a secure way to connect third-party services such as GitLab to AWS, but if the IAM role's Trust Policy is left in a default or otherwise insecure state, it is possible to exploit this and gain access to resources. Start by pulling the trust policy of the role in question:

aws iam get-role --role-name gitlab | jq -r '.Role.AssumeRolePolicyDocument'

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}
  • With this set up, the only thing checked is the aud claim, and any GitLab.com pipeline can request an ID token with that audience. Any GitLab account can therefore authenticate to AWS and assume this role with sts:AssumeRoleWithWebIdentity, provided the AWS Account ID and IAM Role name are known.

  • This can be resolved by adding a condition on the gitlab.com:sub claim to the IAM Trust Policy, restricting the role to specific projects and refs (GitLab's sub claim takes the form project_path:<group>/<project>:ref_type:<type>:ref:<ref>).

  • I wrote a more detailed blog post on this below.
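The following is an added example, not code from the original page: a small audit script that takes a trust policy document (as returned by the aws iam get-role command above) and flags OIDC statements that allow sts:AssumeRoleWithWebIdentity without an effective :sub condition, then shows the hardened form with a gitlab.com:sub condition added. The account ID, role name and project path mygroup/myproject are placeholders.

```python
"""Audit an IAM role trust policy for OIDC federation that pins only the
audience claim, and produce the hardened form that also pins the subject.

Added example, not code from the original page. Account ID, role name and
the project path are placeholders. Runs offline: it only inspects JSON."""
import copy

# Constructed sample: the weak trust policy from the page (aud checked, sub not).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}},
        }
    ],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key_suffix):
    """Yield (operator, value) for every condition key ending in key_suffix,
    e.g. ':sub' matches 'gitlab.com:sub' whatever the provider host or case."""
    for operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            if key.lower().endswith(key_suffix):
                for single in _as_list(value):
                    yield operator, single


def _sub_is_broad(operator, pattern):
    """A :sub constraint only helps if it pins at least the project. GitLab's
    sub format is 'project_path:<group>/<project>:ref_type:<type>:ref:<ref>'."""
    if "like" not in operator.lower():
        return False  # StringEquals and friends match one exact subject
    if set(pattern) <= {"*", "?"}:
        return True  # bare wildcard: equivalent to no condition at all
    return pattern.startswith("project_path:*")  # any project on the provider


def audit_trust_policy(policy, role_name="role"):
    """Return findings for Allow statements that let an OIDC provider call
    sts:AssumeRoleWithWebIdentity without an effective :sub condition."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        providers = [p for p in federated if ":oidc-provider/" in p]
        if not providers:
            continue  # SAML providers and AWS principals are out of scope here
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & {"sts:assumerolewithwebidentity", "sts:*", "*"}:
            continue
        subs = list(_condition_values(statement.get("Condition"), ":sub"))
        if not subs:
            findings.append(
                f"statement {index}: {', '.join(providers)} may assume {role_name} "
                f"with no :sub condition; any identity the provider issues a token "
                f"for (with the right aud) can use this role"
            )
            continue
        for operator, pattern in subs:
            if _sub_is_broad(operator, pattern):
                findings.append(
                    f"statement {index}: :sub pattern {pattern!r} under {operator} "
                    f"does not pin a specific project"
                )
    return findings


def harden(policy, provider_host, sub_pattern):
    """Return a copy of the policy with a StringLike :sub condition added to
    every statement that trusts provider_host. The pattern should name the
    exact project (and ideally ref) that is allowed to assume the role."""
    hardened = copy.deepcopy(policy)
    for statement in _as_list(hardened.get("Statement", [])):
        principal = statement.get("Principal")
        if not isinstance(principal, dict):
            continue
        federated = _as_list(principal.get("Federated", []))
        if not any(p.endswith(f":oidc-provider/{provider_host}") for p in federated):
            continue
        condition = statement.setdefault("Condition", {})
        condition.setdefault("StringLike", {})[f"{provider_host}:sub"] = sub_pattern
    return hardened


# Placeholder project and ref; real deployments list the exact projects and refs.
HARDENED_TRUST_POLICY = harden(
    WEAK_TRUST_POLICY, "gitlab.com", "project_path:mygroup/myproject:ref_type:branch:ref:main"
)

if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK_TRUST_POLICY, "gitlab"))
    print("hardened:", audit_trust_policy(HARDENED_TRUST_POLICY, "gitlab"))
```

Pipe the output of aws iam get-role through this for every role whose trust policy names an oidc-provider; the aud condition alone is not a restriction on who can assume the role, only on which token audience they must request.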
