From 36a4bdf78dd97ad372e18ff0a668db32576ec276 Mon Sep 17 00:00:00 2001
From: Roberto Tyley
Date: Thu, 23 Jun 2022 16:22:21 +0100
Subject: [PATCH] fix: 'Incorrect token audience' error for GH OIDC

This is an update to the construct that creates IAM resources for GitHub Actions, first introduced with https://github.com/guardian/cdk/pull/823 in early October 2021. Apparently the `ClientIdList` field should no longer be `sigstore`, as of 19th October 2021: https://github.com/aws-actions/configure-aws-credentials/issues/291 https://github.com/aws-actions/configure-aws-credentials/issues/280#issuecomment-946608061 https://github.com/aws-actions/configure-aws-credentials/pull/284 The new value is `sts.amazonaws.com`, which I think corresponds to this line in the docs: > For the "Audience": Use sts.amazonaws.com if you are using the official action. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field, running the `aws-actions/configure-aws-credentials` GitHub Action will give you a "Error: Incorrect token audience" error: https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
---
 .../iam/roles/__snapshots__/github-actions.test.ts.snap | 2 +-
 src/constructs/iam/roles/github-actions.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/constructs/iam/roles/__snapshots__/github-actions.test.ts.snap b/src/constructs/iam/roles/__snapshots__/github-actions.test.ts.snap
index 98173cbbab..a7b87c87d7 100644
--- a/src/constructs/iam/roles/__snapshots__/github-actions.test.ts.snap
+++ b/src/constructs/iam/roles/__snapshots__/github-actions.test.ts.snap
@@ -37,7 +37,7 @@ Object {
 "GithubActionsOidc": Object {
 "Properties": Object {
 "ClientIdList": Array [
- "sigstore",
+ "sts.amazonaws.com",
 ],
 "ThumbprintList": Array [
 "6938fd4d98bab03faadb97b34396831e3780aea1",
diff --git a/src/constructs/iam/roles/github-actions.ts b/src/constructs/iam/roles/github-actions.ts
index 94f4fc0aea..7395a7539b 100644
--- a/src/constructs/iam/roles/github-actions.ts
+++ b/src/constructs/iam/roles/github-actions.ts
@@ -63,7 +63,7 @@ class GitHubOidcProvider extends CfnResource {
 type: "AWS::IAM::OIDCProvider",
 properties: {
 Url: `https://${GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN}`,
- ClientIdList: ["sigstore"],
+ ClientIdList: ["sts.amazonaws.com"],
 ThumbprintList: [GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN_THUMBPRINT],
 },
 });
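Review bot: `ClientIdList: ["sts.amazonaws.com"]` in the github-actions.ts hunk is a bare magic string while the `Url` and `ThumbprintList` on the neighbouring lines use named constants; since this value is the audience that AWS STS checks the token's `aud` claim against, it deserves the same treatment, e.g. `const GITHUB_ACTIONS_OIDC_AUDIENCE = "sts.amazonaws.com"; // default audience requested by aws-actions/configure-aws-credentials` beside the existing constants and `ClientIdList: [GITHUB_ACTIONS_OIDC_AUDIENCE],` here. Without a comment the next reader has no hint why `sigstore` was wrong, or that a workflow overriding the action's `audience` input will hit the same "Incorrect token audience" error this commit fixes. The role trust policy that consumes this provider is outside the hunk; if it does not already condition on the `...:aud` key of the token issuer equalling the same value, adding that condition enforces the audience at the role as well as at the provider. The enclosing constructor of `GitHubOidcProvider` starts and ends outside the hunk.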