add docs for cognito identity token (#1805)
motatoes authored Nov 11, 2024
1 parent 90aa7b8 commit 9a40639
Showing 1 changed file with 26 additions and 9 deletions.
35 changes: 26 additions & 9 deletions docs/ce/howto/project-level-roles.mdx
Expand Up @@ -20,22 +20,15 @@ projects:
aws_role_to_assume:
state: "arn:/blabla/accid/backenddev"
command: "arn:/blabla/accid/devaccount"
aws_role_region: us-east-1
- name: prod
dir: ./prod
aws_role_to_assume:
state: "arn:/blabla/accid/backendprod"
command: "arn:/blabla/accid/prodaccount"
aws_role_region: us-east-1
```

Using a workflow file as usual. Here is an [example repository](https://github.com/diggerhq/demo-assume-role-multi-account-aws_diggeryml) using digger.yml to assume different roles for different projects.

<Note>
NOTE: for locking to be configured user needs to also pass aws-role-to-assume in the workflow file as a
parameter within the workflow file. This role needs to have ability to assume all the other roles and also have access to a common account where the locks are to live.

If you are not using a aws-role-to-assume setting it workflow you **must** add ```AwsRoleRegion``` property to project level ```aws_role_to_assume```
</Note>

You can also use project-level assume role with [generated projects](/ce/howto/generate-projects):

```
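Review bot: the hunk header (`-20,22 +20,15`) shows seven lines dropped, and the only block of that size in this region is the `<Note>` on locking (`NOTE: for locking to be configured user needs to also pass aws-role-to-assume ...` through `</Note>`), which nothing in the commit message ("add docs for cognito identity token") accounts for. That note is the only place the docs say the workflow-level role must be able to assume every project role and reach the shared account where the locks live, and that the region property is mandatory when no workflow-level role is set; if the removal is intended, say so in the commit message, otherwise keep the note (with the ```AwsRoleRegion``` reference changed to the `aws_role_region` key the examples in this file actually use).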
Expand All @@ -48,3 +41,27 @@ generate_projects:
command: "arn:/blabla/accid/devaccount"
```

# Assume role with cognito identity

The github action JWT token includes alot of useful fields such as `ref`, `sha`, `runner_environment` etc. however it is
challenging to write an AWS trust policy to match for these fields since only `aud` and `sub` fields are supported. Using cognito
identity it is possible to remap the fields into principal tags which allows them to be matched in the trust policy. More information
about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.

If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows:

```
- name: "my-secure-digger-project"
dir: "prod"
workflow: default
workflow_file: digger_workflow.yml
aws_role_to_assume:
aws_role_region: "us-west-2"
command: "arn:aws:iam::00000000000:role/github-action-deployment-role"
aws_cognito_oidc:
cognito_identity_pool_id: "us-east-1:00000000-0000-0000-0000-000000000000"
aws_region: "us-east-1"
aws_account_id: "000000000000"
```

Once this is specified you will be able to match values in additional configuration as highlighted in the url above.
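Review bot: the `command` role ARN in the new example, `arn:aws:iam::00000000000:role/github-action-deployment-role`, carries an 11-digit account id while `aws_account_id` two lines below is the 12-digit `000000000000`; AWS account ids are 12 digits, so the ARN should read `arn:aws:iam::000000000000:role/github-action-deployment-role` so that a reader copying the snippet does not end up with an unresolvable principal. The example also omits the `state` role that every other `aws_role_to_assume` block in this file shows; if Cognito-based assumption applies to `state` as well, show it, and if it does not, say so. In the prose, `alot` should be `a lot`, `github action` should be `GitHub Actions`, `cognito` should be `Cognito`, and the closing sentence (`you will be able to match values in additional configuration as highlighted in the url above`) should state concretely what changes for the role: which token claims become principal tags and that the trust policy conditions then match those tags instead of only `aud`/`sub`, so readers do not have to infer the security boundary from an external link.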
