Runner Role per Repo + Branch

[nackerman-nydig]

Hello!

Background

Our Github Organization has the following two requirements:

1. Runners executing Github Workflows must have different IAM permissions per Repo + Branch
   1. REASONING: as developers work on feature branches, we want them to run their workflows with a certain set of credentials (IAM role). However, after code is reviewed and merged, we'd like to run workflows with another set of credentials (IAM role). Making this a little more concrete, we only want to be able to "deploy" code after a PR review + merge. And for our ORG - deploying means pushing images to ECR. so only Runners operating on the main/master branch for a repo should have IAM permissions to push to AWS ECR.
2. IAM permissions per Repo + Branch must be out of developer control. We dont want a malicious insider to over privilege themselves.

Potential Solution

We are able to configure runners with a pre-job-hook. And in that Hook, we have access to the Environment Variable GITHUB_REF. Our plan today is to inspect this GITHUB_REF. If the GITHUB_REF doesnt match the IAM role requested, we'll terminate the WORKFLOW JOB. Otherwise, we allow WORKFLOW JOB execution like normal.

Note:

• from our testing, GITHUB_REF on PR looks like refs/pull/2/merge
• from our testing, GITHUB_REF on merge to master/main looks like refs/heads/main

Given this, we believe we can detect if a runner is running in response to a main/master merge, or a development PR.

Question

Is there a cleaner/nicer way to hit our 2 requirements above than what we've outlined in our potential solution?

This feature request is very similar to our need. Seems like this functionality isnt supported today within ARC, but I wonder if maybe something has changed after 1.5 years.

Thanks :)

[toast-gear]

Unfortunately there hasn't been any progress at the native runner / GitHub level side of things. This is the relevant issue on the actions/runner repo that needs work on GitHub's end for a clean solution actions/runner#1224.

You can however do some enforcement of a workflows ability to assume a role based on repo and branch with OpenID Connect https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services so depending on your environment this may be perfectly fine as a solution.

[nackerman-nydig]

Got it - thanks for the reply :)

Agreed the open ID connect is a good solution here. Im seeing our needs meet in the documentation. IAM roles per repo+branch. Thanks for sharing, wish I would have dug that up myself.

I think our "Potential Solution" outlined above is "good enough" for us at this time. But if we learn otherwise, workflows + openID connect seems very promising.

Thanks again :)