Amplify Console connect to GitHub violates principle of least privilege #1542
Comments
I wholeheartedly agree (excellent explanation, thank you for writing this). It seems that the overly-permissive OAuth step could be skipped entirely by giving the developer instructions to install the deploy key (read-only) and webhook. Or, I should be able to revoke OAuth access after Amplify has installed these (as a convenience). However, as noted above, removing OAuth authorization causes future builds to fail. If there is a technical reason AWS Amplify Console requires persistent full OAuth access to my github account, can you please explain this?
Even the read-only deploy key bugs me. Seems like this should be stored in secrets manager or secure parameter.
My workaround is to create a new dummy GitHub account and then grant that account access from my real account, but this is a hack solution for such an important issue. Really Amplify should just offer an option to enter the URL of a public repo, or use deploy keys, or have a github account that you can invite as a collaborator, or anything else besides requesting full RW access to all repos to be able to read one of them. How is this not a deal-killer for most people?
Yep, this is a big yikes. I won't grant superuser permissions to an app that only needs to read one repo. This burns customer trust.
This is a dealbreaker for me. Other providers like Netlify and Vercel don't require such extensive permissions.
I ended up using Cloudflare Pages, which only requests read permission and only to the repository I specified.
🚩🚩🚩🚩🚩🚩🚩🚩🚩
+1
Is fixing this on the roadmap? |
Okay, so this is a dealbreaker for me. I was comparing Amplify, Vercel and Netlify when I stumbled on this. I guess I will be going with anything but Amplify.
@lastmaj @jonahx @fooman @alexBotteri @jorepstein @agostbiro @bigjosh @ellemenno this feature has been prioritized and we are hoping to release this in the coming weeks. Stay tuned. |
Hi there - it is good to know there is going to be a fix available. Are you able to share what the updated timeline on this might be? |
@lastmaj @jonahx @fooman @alexBotteri @jorepstein @agostbiro @bigjosh @ellemenno We now support Please let us know if you have any issues.
I have connected my two AWS Amplify accounts (let's say X & Y) with my GitHub account (mustakimkr) via GitHub Apps and gave permission to access my two repos (let's say C & D), one for each Amplify account respectively. But I can access both of my repos from both of my Amplify accounts. This is because when I connect to two Amplify accounts it issues only one GitHub App with the same repo permission.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Describe the bug
Amplify Console setup violates the best-practice principle of least privilege by installing a persistent OAuth permission granting AWS full control over all my repositories, across all organizations I belong to. Revoking this access after setup forces deletion of the repo deploy key, and CI no longer works.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The permissions granted to AWS Amplify should be scoped to just the repo I am setting up CI for, and for read access only. I believe this requires two things for GitHub, both specific to the single target repo:
The Amplify automation does create these things for me, but it also creates a persistent account-level OAuth connection granting AWS full control over all my repositories. If I revoke this access, the repo deploy key is also deleted, and CI no longer works.
Additional context
I'm sure AWS is trying to make this setup process as simple as possible, and it is very quick and easy, but at what feels like an unreasonable cost in security exposure. I would be very happy to add a few more manual steps to copy and paste a deployment key or webhook URL if it could mean not having to grant full control of all my resources to another company.
These concerns have been raised in other issues too:
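The issue body contrasts two ways a CI service can reach a repository: a per-repo read-only deploy key plus a webhook, versus an account-wide OAuth grant. The script below is an added example (not code from this issue, from AWS Amplify, or from GitHub) that audits those three artifacts for least privilege. It works over constructed sample data shaped like what the GitHub API returns: the `X-OAuth-Scopes` response header that GitHub sends back when a request is authenticated with an OAuth token, the `read_only` flag on each entry of `GET /repos/{owner}/{repo}/keys`, and the `config.url` / `config.insecure_ssl` fields of `GET /repos/{owner}/{repo}/hooks`. The `repo` scope is GitHub's "full control of private repositories" scope, which is what the issue describes; treating any `write:*` or `admin:*` scope as write-level is an assumption made here, and the hook hostname, key titles and ids are all constructed.

```python
"""Least-privilege audit of a GitHub CI integration over constructed sample data.

Added example, not code from the original issue or from AWS Amplify. The
sample scope header, deploy keys and webhooks below are constructed to look
like GitHub API responses; the audit logic is what a repo owner could run
against real responses before trusting a CI integration.
"""
from urllib.parse import urlparse

# Scopes that grant write access to repository content beyond the target repo.
# `repo` is GitHub's "full control of private repositories" scope; `public_repo`
# grants write access to public repositories.
FULL_ACCESS_SCOPES = {"repo", "public_repo"}


def parse_oauth_scopes(header_value):
    """Parse an X-OAuth-Scopes header value such as "repo, read:org" into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_integration(scopes, deploy_keys, hooks, expected_hook_host):
    """Return a list of findings; an empty list means the setup is least-privilege.

    A read-only CI integration should hold no write-level OAuth scope, only
    read-only deploy keys, and webhooks that deliver over HTTPS to the expected
    host with TLS verification left on.
    """
    findings = []

    for scope in sorted(scopes):
        if scope in FULL_ACCESS_SCOPES:
            findings.append(
                f"oauth scope '{scope}' grants write access to repositories beyond the target"
            )
        elif scope.startswith(("write:", "admin:")):
            # Assumption: any write:*/admin:* scope is more than a reader needs.
            findings.append(
                f"oauth scope '{scope}' is write-level; a read-only integration should not need it"
            )

    for key in deploy_keys:
        # GitHub marks each deploy key with read_only; False means push access.
        if not key.get("read_only", False):
            findings.append(f"deploy key {key['id']} ('{key['title']}') allows write access")

    for hook in hooks:
        config = hook.get("config", {})
        parsed = urlparse(config.get("url", ""))
        if parsed.scheme != "https":
            findings.append(
                f"webhook {hook['id']} delivers over {parsed.scheme or 'unknown'}, not https"
            )
        if parsed.hostname != expected_hook_host:
            findings.append(
                f"webhook {hook['id']} targets {parsed.hostname}, not {expected_hook_host}"
            )
        # GitHub returns insecure_ssl as the string "0" or "1".
        if str(config.get("insecure_ssl", "0")) == "1":
            findings.append(f"webhook {hook['id']} has TLS verification disabled")

    return findings


# Constructed sample data: one over-broad token, one writable key, one plaintext hook.
SAMPLE_SCOPES_HEADER = "repo, admin:repo_hook, read:org"
SAMPLE_DEPLOY_KEYS = [
    {"id": 1, "title": "ci-readonly", "read_only": True},
    {"id": 2, "title": "ci-legacy", "read_only": False},
]
SAMPLE_HOOKS = [
    {"id": 10, "config": {"url": "https://ci.example.invalid/hook", "insecure_ssl": "0"}},
    {"id": 11, "config": {"url": "http://ci.example.invalid/hook", "insecure_ssl": "0"}},
]
EXPECTED_HOOK_HOST = "ci.example.invalid"  # hypothetical CI endpoint


def run_sample():
    """Audit the constructed sample; returns four findings."""
    return audit_integration(
        parse_oauth_scopes(SAMPLE_SCOPES_HEADER),
        SAMPLE_DEPLOY_KEYS,
        SAMPLE_HOOKS,
        EXPECTED_HOOK_HOST,
    )


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Against real data, `parse_oauth_scopes` takes the header from any authenticated API response, and the two lists come straight from the keys and hooks endpoints for the repo being connected; an empty result is the state the issue asks for (read-only key, expected webhook, no account-wide write scope).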