AWS IAM documentation change
Summary
Updated GitHub Actions OIDC requirements to accept job_workflow_ref claim.
Security assessment
Expands secure-by-default configuration options for GitHub OIDC without referencing a specific security issue. Enhances authentication granularity.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md b/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md index 66893a62b..5141e9f00 100644 --- a//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md +++ b//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md @@ -40 +40 @@ OIDC IdP | OIDC URL | Tenancy Claim | Required Claims -[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub | `token.actions.githubusercontent.com:sub` +[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub or job_workflow_ref | `token.actions.githubusercontent.com:sub` or `token.actions.githubusercontent.com:job_workflow_ref`