from Hacker News

Show HN: Stop Putting AWS Credentials in GitHub Secrets

by cnuss on 1/18/22, 7:50 PM with 29 comments

Greetings!

I've created a GitHub action that works that allows GitHub Actions to exchange a GitHub token for AWS Access Credentials.

I've cultivated a few examples of it in action:

https://github.com/saml-to/aws-assume-role-action-examples

I've always found management of AWS Credentials has been a pain. So this setting up this Action works like this:

1) A SAML Identity Provider is created in AWS

2) A Role in AWS is set up to trust that Identity Provider

3) A config file is added to the repository indicating which role can be assumed

4) The GitHub Action exchanges the Repo Secret for AWS Credentials using the SAML.to backend for the exchange

Let me know what you think! I'm Happy to take questions and comments here or on Gitter:

https://gitter.im/saml-to/assume-aws-role-action

by SahAssar on 1/18/22, 9:25 PM
The title "Show HN: Stop Putting AWS Credentials in GitHub Secrets" to me sounds like it's exposing some sort of specific vulunerability or similar but I might just be overreacting because of all the recent hacks.
A title like "Show HN: A GitHub action to help using AWS credentials" sounds more appropriate to me, saying what it is and what it does instead of saying what not to do.
by orf on 1/18/22, 8:57 PM
Isn't it just this? https://awsteele.com/blog/2021/09/15/aws-federation-comes-to... (https://github.com/github/roadmap/issues/249)
Why does SAML.to need to be used?
by mdaniel on 1/18/22, 9:58 PM
Some observations:
* it seems your package.json is still from an old iteration: https://github.com/saml-to/assume-aws-role-action/blob/main/...
* it was super opaque where this relative import comes from: https://github.com/saml-to/assume-aws-role-action/blob/main/... but after some sniffing around, it seems to be some openapi generation magick https://github.com/saml-to/assume-aws-role-action/blob/main/... against one of your own API endpoints https://github.com/saml-to/assume-aws-role-action/blob/main/... which seems to mean that using this toy is not "self contained" in the way that `sts:AssumeRoleWithWebIdentity` is
by sirwinsley on 1/19/22, 12:46 PM
I remember receiving a bill for 5K from Amazon once. When inspecting I realized that someone had found my keys in a public GitHub repo I had and was using my account to mine bitcoins. Thankfully AWS support was understanding and forgave me that amount.
Other than never exposing keys like that I learned to never hide admin keys and to always create roles specific to the use case. It doesn’t fully protect you but at least it prevents abuse on your behalf.
by johnnypangs on 1/18/22, 8:44 PM
Does anyone know the differences between saml and open id connect? https://docs.github.com/en/enterprise-cloud@latest/actions/d...
by zomglings on 1/18/22, 9:11 PM
What is wrong with putting AWS credentials in GitHub secrets?
by TheSpiciestDev on 1/19/22, 1:16 AM
But then what would happen if the GitHub token leaks? Would someone then be able to retrieve their own credentials as if they were your CI/CD pipeline? I feel like it be hard to audit that because a baddie would then be able to blend in with your CI/CD pipeline's traffic.
But you say you find "management of AWS Credentials a pain", so I guess this isn't for security purposes, right? More of just a convenience?
Don't get me wrong, I'm all about lessening the amount of environment variables in a pipeline!.. especially with ones that you want to rotate!
by nodesocket on 1/18/22, 9:21 PM
Complexity, the enemy of security. Why is using GitHub secrets insecure exactly?
by zricethezav on 1/18/22, 8:52 PM
Speaking of credentials, you can use https://github.com/zricethezav/gitleaks to check if your repos contain any secrets