
No Conditions Workload Identity Pool Provider

Severity: HIGH
Source: Trivy
ID: AVD-GCP-0068

A configuration for an external workload identity pool provider should have conditions set

In GitHub Actions, a workflow authenticates to Google Cloud by setting workload_identity_provider and service_account, requesting a short-lived OIDC token from GitHub, and exchanging that token for credentials that execute commands as the named Service Account. If you do not set an attribute condition on the workload identity pool provider, any GitHub Actions workflow, from any repository, can perform that exchange and act as that Service Account.

Impact

Allows an external attacker to authenticate as the attached service account and act with its permissions.

Follow the appropriate remediation steps below to resolve the issue.

Set an attribute condition on this provider, for example by restricting it to tokens issued for repositories in your GitHub organization.

  # Resolves the project that the pool and provider are created in.
  data "google_project" "project" {}

  resource "google_iam_workload_identity_pool" "github" {
    provider                  = google
    project                   = data.google_project.project.project_id
    workload_identity_pool_id = "github"
  }

  resource "google_iam_workload_identity_pool_provider" "github" {
    provider = google
    project  = data.google_project.project.project_id
    # Reference the pool declared above.
    workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
    workload_identity_pool_provider_id = "github"

    # Only tokens whose repository_owner claim matches your organization are
    # exchanged; without this condition any GitHub repository's token is accepted.
    attribute_condition = "assertion.repository_owner=='your-github-organization'"

    # Map GitHub token claims onto pool attributes usable in IAM bindings.
    attribute_mapping = {
      "google.subject"       = "assertion.sub"
      "attribute.actor"      = "assertion.actor"
      "attribute.aud"        = "assertion.aud"
      "attribute.repository" = "assertion.repository"
    }

    # GitHub's OIDC issuer for Actions tokens.
    oidc {
      issuer_uri = "https://token.actions.githubusercontent.com"
    }
  }
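The following script is an added example, not code from the Trivy/AVD page or from the Terraform above. It does two things a reviewer of this finding wants: it flags pool providers that have no attribute condition, using the JSON shape that `gcloud iam workload-identity-pools providers list --format=json` prints (fields `name`, `attributeCondition`, `attributeMapping`, `oidc.issuerUri` are assumed), and it shows what the condition changes by evaluating it against the claims of a GitHub Actions OIDC token (`iss`, `sub`, `repository`, `repository_owner`, `actor`). The provider entries and the token claims are constructed for the example; the condition evaluator handles only the `assertion.<claim> == '<value>'` clauses joined by `&&` that the remediation uses, and refuses anything else rather than guessing.

```python
"""Audit Workload Identity Pool providers for a missing attribute condition and
show what that condition changes for an incoming GitHub Actions token.

Added example (not from the AVD page). Assumes the gcloud JSON field names
listed in the lead-in and the standard GitHub Actions OIDC token claims.
All provider records and token claims below are constructed sample data.
"""
import json
import re
from typing import Dict, List

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample: two providers in one pool, one of them without a condition.
SAMPLE_PROVIDERS_JSON = """
[
  {
    "name": "projects/000000000000/locations/global/workloadIdentityPools/github/providers/github-open",
    "attributeMapping": {
      "google.subject": "assertion.sub",
      "attribute.repository": "assertion.repository"
    },
    "oidc": {"issuerUri": "https://token.actions.githubusercontent.com"}
  },
  {
    "name": "projects/000000000000/locations/global/workloadIdentityPools/github/providers/github-restricted",
    "attributeCondition": "assertion.repository_owner == 'your-github-organization'",
    "attributeMapping": {
      "google.subject": "assertion.sub",
      "attribute.repository": "assertion.repository"
    },
    "oidc": {"issuerUri": "https://token.actions.githubusercontent.com"}
  }
]
"""
PROVIDERS: List[Dict] = json.loads(SAMPLE_PROVIDERS_JSON)

# Constructed decoded token claims, shaped like those GitHub mints for a workflow run.
OWN_ORG_TOKEN = {
    "iss": GITHUB_ISSUER,
    "sub": "repo:your-github-organization/infra:ref:refs/heads/main",
    "repository": "your-github-organization/infra",
    "repository_owner": "your-github-organization",
    "actor": "octocat",
}
FOREIGN_TOKEN = {
    "iss": GITHUB_ISSUER,
    "sub": "repo:someone-else/anything:ref:refs/heads/main",
    "repository": "someone-else/anything",
    "repository_owner": "someone-else",
    "actor": "mallory",
}


def find_unconditioned_providers(providers: List[Dict]) -> List[str]:
    """Return the names of providers with no attribute condition (the AVD-GCP-0068 finding)."""
    return [p["name"] for p in providers if not p.get("attributeCondition", "").strip()]


# One clause of the CEL subset handled here: assertion.<claim> == '<literal>'
# (single or double quotes around the literal).
_CLAUSE = re.compile(r"^\s*assertion\.(\w+)\s*==\s*(['\"])(.*?)\2\s*$")


def evaluate_condition(condition: str, claims: Dict[str, str]) -> bool:
    """Evaluate equality clauses joined by '&&' against the token claims.

    Anything outside this subset raises, so an unparsed condition is never
    mistaken for a passing one.
    """
    for clause in condition.split("&&"):
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        claim, _quote, expected = match.groups()
        if claims.get(claim) != expected:
            return False
    return True


def provider_accepts(provider: Dict, claims: Dict[str, str]) -> bool:
    """Decide whether the provider would exchange this token for pool credentials."""
    if provider.get("oidc", {}).get("issuerUri") != claims.get("iss"):
        return False  # token is not from the issuer this provider trusts
    condition = provider.get("attributeCondition", "").strip()
    if not condition:
        return True  # no condition: every token from the issuer is exchanged
    return evaluate_condition(condition, claims)


if __name__ == "__main__":
    for name in find_unconditioned_providers(PROVIDERS):
        print(f"HIGH: no attribute condition on {name}")
    for provider in PROVIDERS:
        short = provider["name"].rsplit("/", 1)[-1]
        print(f"{short}: own org -> {provider_accepts(provider, OWN_ORG_TOKEN)}, "
              f"foreign repo -> {provider_accepts(provider, FOREIGN_TOKEN)}")
```

Run against real output by replacing `SAMPLE_PROVIDERS_JSON` with the file written by `gcloud iam workload-identity-pools providers list --workload-identity-pool=<pool> --location=global --format=json`; the `github-open` provider accepts the foreign token, the `github-restricted` provider rejects it while still accepting the organization's own token.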