CRITICAL · Supply chain · exploited in the wild

SC-GHA-OIDC-MISCONFIG-2021

CI/CD · GitHub Actions · GitHub Actions to cloud OIDC trust misconfiguration

Summary

This class covers overly permissive cloud IAM trust policies that federate with GitHub's OIDC provider (token.actions.githubusercontent.com) but fail to constrain which workload may assume the role. The cloud role validates the OIDC token but checks only the audience claim (for example sts.amazonaws.com) while omitting the token.actions.githubusercontent.com:sub condition, or it uses a broad wildcard such as repo:org/* or a StringLike pattern instead of StringEquals, so any branch, any fork, or even an attacker-owned repository can mint a valid GitHub OIDC token and exchange it for cloud credentials. Because the sub claim encodes repository, branch, tag, and environment, dropping or loosening it removes the only binding between the role and the intended pipeline, yielding full assumption of the trusted role. Tinder Security Labs documented this in their AWS OIDC research, finding multiple real AWS roles assumable from unauthorized repositories due to missing subject validation, with the successful assumptions visible in CloudTrail. GitHub's OIDC support and the configure-aws-credentials path shipped in 2021, making this a long-standing systemic configuration risk.

How to avoid it in your code

  • Always pin the token.actions.githubusercontent.com:sub claim to repo, branch/tag, and environment with StringEquals, not StringLike.
  • Validate both the aud and sub claims; never trust an audience-only condition.
  • Scope each role to a single repository and protected environment; avoid org-wide repo:org/* wildcards.
  • Grant the assumed role least-privilege permissions and short session durations.
  • Audit cloud logs for AssumeRoleWithWebIdentity calls and alert on unexpected repo/org subjects.
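An added audit script (not from this catalogue or from Tinder Security Labs) that applies the first three checks above to a parsed AWS role trust policy; the account id, organisation and repository names in the sample policies are constructed placeholders.

```python
OIDC = "token.actions.githubusercontent.com"
AUD_KEY, SUB_KEY = OIDC + ":aud", OIDC + ":sub"
ASSUME = "sts:AssumeRoleWithWebIdentity"

def _values(v):
    """IAM condition/action values may be a single string or a list."""
    return [] if v is None else ([v] if isinstance(v, str) else list(v))

def trust_policy(condition: dict) -> dict:
    """Wrap a Condition block in a GitHub OIDC role trust policy (account id is a placeholder)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC},
        "Action": ASSUME, "Condition": condition}]}

def audit_statement(stmt: dict) -> list:
    """Findings for one federated statement: missing aud/sub, StringLike sub, org-wide wildcard."""
    findings = []
    equals = stmt.get("Condition", {}).get("StringEquals", {})
    like = stmt.get("Condition", {}).get("StringLike", {})
    if AUD_KEY not in equals and AUD_KEY not in like:
        findings.append("no aud condition")
    if SUB_KEY not in equals and SUB_KEY not in like:
        findings.append("no sub condition: any repository or branch can assume this role")
    for pattern in _values(like.get(SUB_KEY)):
        findings.append("sub matched with StringLike %r: use StringEquals" % pattern)
        repo = pattern.split(":")[1] if ":" in pattern else ""  # the org/repo segment of the sub
        if "*" in repo:
            findings.append("org-wide wildcard %r: scope to a single repository" % pattern)
    return findings

def audit(policy: dict) -> list:
    """Audit every statement in a parsed trust policy that allows web-identity role assumption."""
    return [f for s in policy.get("Statement", [])
            if ASSUME in _values(s.get("Action")) for f in audit_statement(s)]

# Constructed samples: the two misconfigurations described above and a correctly pinned policy.
AUDIENCE_ONLY = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
ORG_WILDCARD = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                             "StringLike": {SUB_KEY: "repo:example-org/*"}})
PINNED = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                        SUB_KEY: "repo:example-org/deploy:environment:production"}})

if __name__ == "__main__":
    for name, policy in [("audience-only", AUDIENCE_ONLY), ("org-wildcard", ORG_WILDCARD), ("pinned", PINNED)]:
        print(name, audit(policy) or ["OK"])
```

In practice, pass `audit()` the `Role.AssumeRolePolicyDocument` object returned by `aws iam get-role` for each role whose principal is the GitHub OIDC provider.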

References