AWS - Federation Abuse

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

SAML

Kwa maelezo kuhusu SAML tafadhali angalia:

Ili kuunda Identity Federation kupitia SAML unahitaji tu kutoa jina na metadata XML inayoshikilia usanidi wote wa SAML (endpoints, cheti chenye funguo za umma)

OIDC - Github Actions Abuse

Ili kuongeza hatua ya github kama mtoa huduma wa Utambulisho:

Kwa Aina ya Mtoa huduma, chagua OpenID Connect.
Kwa URL ya Mtoa huduma, ingiza https://token.actions.githubusercontent.com
Bonyeza Pata thumbprint ili kupata thumbprint ya mtoa huduma
Kwa Watazamaji, ingiza sts.amazonaws.com
Unda jukumu jipya lenye idhini zinazohitajika na hatua ya github na sera ya kuamini inayomwamini mtoa huduma kama:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "token.actions.githubusercontent.com:sub": [ "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request", "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main" ], "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" } } } ] }

6. Kumbuka katika sera iliyopita jinsi tu **tawi** kutoka **hifadhi** ya **shirika** lilihitajika kwa **kichocheo** maalum.
7. **ARN** ya **jukumu** ambalo hatua ya github itakuwa na uwezo wa **kujifanya** itakuwa "siri" ambayo hatua ya github inahitaji kujua, hivyo **hifadhi** ndani ya **siri** ndani ya **mazingira**.
8. Hatimaye tumia hatua ya github kuunda AWS creds zitakazotumika na workflow:
```yaml
name: 'test AWS Access'

# The workflow should only trigger on pull requests to the main branch
on:
pull_request:
branches:
- main

# Required to get the ID Token that will be used for OIDC
permissions:
id-token: write
contents: read # needed for private repos to checkout

jobs:
aws:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: eu-west-1
role-to-assume: ${{ secrets.READ_ROLE }}
role-session-name: OIDCSession

- run: aws sts get-caller-identity
shell: bash

OIDC - EKS Dhulumu

# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate

# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve

Ni rahisi kuunda OIDC providers katika EKS cluster kwa kuweka OIDC URL ya cluster kama mtoa kitambulisho kipya cha Open ID. Hii ni sera ya kawaida ya default:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
}
}
}
]
}

Hii sera inasema kwa usahihi kwamba tu EKS cluster yenye id 20C159CDF6F2349B68846BEC03BE031B inaweza kuchukua jukumu. Hata hivyo, haionyeshi ni akaunti gani ya huduma inaweza kuchukua jukumu hilo, ambayo ina maana kwamba AKAUNTI YOYOTE YA HUDUMA yenye tokeni ya utambulisho wa wavuti itakuwa na uwezo wa kuchukua jukumu hilo.

Ili kubaini ni akaunti gani ya huduma inapaswa kuwa na uwezo wa kuchukua jukumu, inahitajika kubaini hali ambapo jina la akaunti ya huduma limeainishwa, kama vile:

"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",

Marejeo

https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - Basic Information NextAWS - Permissions for a Pentest

Last updated 3 days ago

OIDC - Github Actions Abuse

Ili kuongeza hatua ya github kama mtoa huduma wa Utambulisho:

Kwa Aina ya Mtoa huduma, chagua OpenID Connect.

Kwa URL ya Mtoa huduma, ingiza https://token.actions.githubusercontent.com

Bonyeza Pata thumbprint ili kupata thumbprint ya mtoa huduma

Kwa Watazamaji, ingiza sts.amazonaws.com

Unda jukumu jipya lenye idhini zinazohitajika na hatua ya github na sera ya kuamini inayomwamini mtoa huduma kama:

6. Kumbuka katika sera iliyopita jinsi tu **tawi** kutoka **hifadhi** ya **shirika** lilihitajika kwa **kichocheo** maalum.
7. **ARN** ya **jukumu** ambalo hatua ya github itakuwa na uwezo wa **kujifanya** itakuwa "siri" ambayo hatua ya github inahitaji kujua, hivyo **hifadhi** ndani ya **siri** ndani ya **mazingira**.
8. Hatimaye tumia hatua ya github kuunda AWS creds zitakazotumika na workflow:
```yaml
name: 'test AWS Access'

# The workflow should only trigger on pull requests to the main branch
on:
pull_request:
branches:
- main

# Required to get the ID Token that will be used for OIDC
permissions:
id-token: write
contents: read # needed for private repos to checkout

jobs:
aws:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: eu-west-1
role-to-assume: ${{ secrets.READ_ROLE }}
role-session-name: OIDCSession

- run: aws sts get-caller-identity
shell: bash

OIDC - EKS Dhulumu

# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate

# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve

Ni rahisi kuunda OIDC providers katika EKS cluster kwa kuweka OIDC URL ya cluster kama mtoa kitambulisho kipya cha Open ID. Hii ni sera ya kawaida ya default:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
}
}
}
]
}

Ili kubaini ni akaunti gani ya huduma inapaswa kuwa na uwezo wa kuchukua jukumu, inahitajika kubaini hali ambapo jina la akaunti ya huduma limeainishwa, kama vile:

"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",