A configuration for an external workload identity pool provider should have conditions set
In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token, which is then used to execute commands as that Service Account. If you don't specify an attribute condition in the workload identity pool provider configuration, the provider accepts tokens from any GitHub repository, so any GitHub Action can assume this identity and act as that Service Account.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Set an attribute condition on this provider, for example one that only accepts tokens issued for repositories in your GitHub organization.
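As an added example (not part of the original page), the Terraform fragment below places the weak provider definition next to a hardened one; the project, pool, provider, organization and repository names are placeholders:

```hcl
# Shared pool for GitHub Actions tokens (placeholder ids throughout).
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-pool"
}

# WEAK: no attribute_condition. Any token minted by the GitHub Actions
# issuer, from any repository, satisfies this provider; only the IAM
# binding below then stands between a foreign repo and the Service Account.
resource "google_iam_workload_identity_pool_provider" "github_open" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-open"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# HARDENED: the CEL attribute_condition rejects tokens whose
# repository_owner claim is not the organization, before IAM is consulted.
resource "google_iam_workload_identity_pool_provider" "github_restricted" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-restricted"
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
  attribute_condition = "assertion.repository_owner == \"example-org\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Defence in depth: grant impersonation of the CI Service Account only to
# principals whose mapped repository attribute is one specific repo.
resource "google_service_account_iam_member" "ci_impersonation" {
  service_account_id = google_service_account.ci.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/example-repo"
}
```

The attribute_condition is evaluated against the token's claims when the federated credential is exchanged, so a token from a repository outside example-org is rejected even if an over-broad IAM binding exists.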