SAML

Kwa habari kuhusu SAML tafadhali angalia:

Ili kusanidi Ufikishaji wa Kitambulisho kupitia SAML unahitaji kutoa jina na metadata XML inayohusisha usanidi wote wa SAML (vielekezi, cheti chenye funguo ya umma)

OIDC - Udukuzi wa Vitendo vya Github

Ili kuongeza kitendo cha github kama mtoa huduma ya kitambulisho:

1. Kwa Aina ya Mtoa, chagua OpenID Connect.

2. Kwa URL ya Mtoa, ingiza https://token.actions.githubusercontent.com

3. Bonyeza Pata alama ya kidole ili kupata alama ya kidole ya mtoa huduma

4. Kwa Wasikilizaji, ingiza sts.amazonaws.com

5. Unda jukumu jipya na ruhusa zinazohitajika na kitendo cha github na sera ya uaminifu inayouamini mtoa huduma kama:

• Copy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "token.actions.githubusercontent.com:sub": [ "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request", "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main" ], "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" } } } ] }

6. Tafadhali angalia katika sera iliyopita jinsi tu **tawi** kutoka **repo** ya **shirika** liliruhusiwa na **kitendo** maalum.
7. **ARN** ya **jukumu** ambalo kitendo cha github litaweza **kujifanya** itakuwa "siri" ambayo kitendo cha github inahitaji kujua, hivyo **hifadhi** ndani ya **siri** ndani ya **mazingira**.
8. Hatimaye tumia kitendo cha github kusanidi vibali vya AWS vitakavyotumiwa na mfumo wa kazi:
```yaml
name: 'test AWS Access'

# The workflow should only trigger on pull requests to the main branch
on:
pull_request:
branches:
- main

# Required to get the ID Token that will be used for OIDC
permissions:
id-token: write
contents: read # needed for private repos to checkout

jobs:
aws:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: eu-west-1
role-to-assume: ${{ secrets.READ_ROLE }}
role-session-name: OIDCSession

- run: aws sts get-caller-identity
shell: bash

OIDC - Matumizi ya EKS

# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate

# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve

Inawezekana kuzalisha watoa huduma wa OIDC katika kikundi cha EKS kwa kuweka URL ya OIDC ya kikundi kama mtoa huduma mpya wa Kitambulisho cha Open ID. Hii ni sera ya kawaida ya msingi:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
}
}
}
]
}

Sera hii inaonyesha kwa usahihi kwamba pekee kikundi cha EKS chenye id 20C159CDF6F2349B68846BEC03BE031B kinaweza kuchukua jukumu. Walakini, haionyeshi ni akaunti gani ya huduma inaweza kuchukua, hii inamaanisha kuwa akaunti yoyote ya huduma yenye tokeni ya kitambulisho cha wavuti itaweza kuchukua jukumu.

Ili kufafanua akaunti gani ya huduma inapaswa kuweza kuchukua jukumu, ni lazima kutoezea hali ambapo jina la akaunti ya huduma limetajwa, kama vile:

"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",

Marejeo

• https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/