Add audicence in the policy condition

[blueprismo]

Bug Report

When I try to set up a simple OIDC provisioning, the policy document only considerates the condition for the token.githubusercontent.com:sub and does not include the *:aud as explicitly stated in the doc (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)

Steps to Reproduce:

Just apply anywhere the role

Expected Result:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}

Actual Result:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}

[pintxxo]

Did anybody has a solution to this? Thank you

[blueprismo]

Did anybody has a solution to this? Thank you

I have the mental note to do it at some point in time in a forked repo / on my own! Will keep you updated :)

[blueprismo]

@pintxxo What about this: https://registry.terraform.io/modules/blueprismo/github-oidc-provider/aws/latest? :)

[nikola197]

@blueprismo can you make a PR with your changes for audiences, and hopefully maintainers can merge it soon?
Thank you!

[blueprismo]

@nikola197 Done in here: #90 hope some maintainers will merge it

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[blueprismo]

Friendly ping

[stale]

This issue has been automatically closed because it has not had recent activity since being marked as stale.