Description
Summary
Provide reusable workflows with access only to the specific secrets they require, and use individual secret references instead of inheriting all secrets. This was flagged by a SonarQube finding.
In file `.github/workflows/rebuild_latest_docs.yml`:

```yaml
jobs:
  release-docs:
    permissions:
      id-token: write # trade JWT token for AWS credentials in AWS Docs account
      contents: read # read from this repo to publish docs
    secrets: inherit # <--- Use only required secrets instead of inherit
```
Similarly, secrets are being inherited in these files
Why is this needed?
GitHub Actions workflows should follow the principle of least privilege by providing reusable workflows with access only to the specific secrets they require. When `secrets: inherit` is used to call a reusable workflow, all repository secrets become available to the reusable workflow, creating unnecessary security risks.
This practice increases the attack surface and potential for secret exposure, as any vulnerability in the reusable workflow could compromise all secrets rather than just the ones actually needed. Additionally, it violates the principle of least privilege by granting broader access than necessary.
Which area does this relate to?
Automation
Solution
```yaml
jobs:
  release-docs:
    permissions:
      id-token: write # trade JWT token for AWS credentials in AWS Docs account
      contents: read # read from this repo to publish docs
    secrets:
      AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
      AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
```
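As an added example (not part of this issue or the Powertools project), a stdlib-only scanner that reports which jobs in a workflow file still call a reusable workflow with `secrets: inherit`, so the remaining files mentioned above can be found the same way. The two workflow fragments are constructed from the before/after snippets in this issue; the job names and secret names are taken from them.

```python
import re

# Constructed sample: the job from the issue, still using `secrets: inherit`.
WORKFLOW_BEFORE = """\
jobs:
  release-docs:
    permissions:
      id-token: write
    secrets : inherit  # <--- flagged by the scanner below
"""

# Constructed sample: the same job after switching to explicit secret references.
WORKFLOW_AFTER = """\
jobs:
  release-docs:
    permissions:
      id-token: write
    secrets:
      AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
      AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
"""

JOB_RE = re.compile(r"^(\s+)([A-Za-z0-9_-]+):\s*(#.*)?$")   # a bare mapping key
INHERIT_RE = re.compile(r"^\s+secrets\s*:\s*inherit\s*(#.*)?$")


def find_inherited_secrets(workflow_text: str) -> list[str]:
    """Return the names of jobs under `jobs:` that use `secrets: inherit`.

    Indentation-based scan with no YAML dependency: a job is any key one
    level below `jobs:`; `secrets: inherit` anywhere inside it is flagged.
    """
    flagged: list[str] = []
    in_jobs, job_indent, current_job = False, None, None
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # any top-level key starts or ends the jobs mapping
            in_jobs = line.startswith("jobs:")
            job_indent = current_job = None
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m and (job_indent is None or indent == job_indent):
            job_indent, current_job = indent, m.group(2)
        elif current_job and INHERIT_RE.match(line) and current_job not in flagged:
            flagged.append(current_job)
    return flagged
```

Run it over every file under `.github/workflows/` to get the list of jobs that still need explicit secret references; a job that passes a `secrets:` mapping is not reported.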
Acknowledgment
- This request meets Powertools for AWS Lambda (TypeScript) Tenets
- Should this be considered in other Powertools for AWS Lambda languages? i.e. Python, Java, and .NET
Future readers
Please react with 👍 and your use case to help us understand customer demand.