Amplify Console connect to GitHub violates principle of least privilege #1542

Closed
ellemenno opened this issue Feb 5, 2021 · 16 comments
Labels: archived (This issue has been locked.)

Comments

@ellemenno

Describe the bug
Amplify Console setup violates the best practice principle of least privilege by installing a persistent OAuth permission granting AWS full control over all my repositories, across all organizations I belong to. Revoking this access after setup forces delete of the repo deploy key, and CI no longer works.

To Reproduce
Steps to reproduce the behavior:

  1. follow the Amplify Docs for Getting started with existing code: Step 1: Connect repository
  2. select GitHub as the provider
  3. authorize AWS Amplify in the OAuth dialog
  4. see the following warning:

This application will be able to read and write all public and private repository data. This includes the following:

  • Code
  • Issues
  • Pull requests
  • Wikis
  • Settings
  • Webhooks and services
  • Deploy keys
  • Collaboration invites

(also lists organizations)

  5. visit the target GitHub repo settings and confirm webhook and read-only deploy key are created
  6. commit code and confirm Amplify CI runs as expected
  7. visit the connected GitHub account application settings and revoke overly broad OAuth permission for AWS Amplify
  8. commit code again and see Amplify CI fail after provision step, unable to gain access to repo.

Expected behavior
The permissions granted to AWS Amplify should be scoped to just the repo I am setting up CI for, and for read access only. I believe this requires two things for GitHub, both specific to the single target repo:

  • a push notification webhook
  • a read-only deploy key

The Amplify automation does create these things for me, but also creates a persistent account-level OAuth connection granting AWS full control over all my repositories. If I revoke this access, the repo deploy key is also deleted, and CI no longer works.

Additional context
I'm sure AWS is trying to make this setup process as simple as possible, and it is very quick and easy, but at what feels like an unreasonable cost in security exposure. I would be very happy to add a few more manual steps to copy and paste a deployment key or webhook URL if it could mean not having to grant full control of all my resources to another company.

These concerns have been raised in other issues too:

@nebaughman

I wholeheartedly agree (excellent explanation, thank you for writing this).

It seems that the overly-permissive OAuth step could be skipped entirely by giving the developer instructions to install the deploy key (read-only) and webhook. Or, I should be able to revoke OAuth access after Amplify has installed these (as a convenience). However, as noted above, removing OAuth authorization causes future builds to fail.

If there is a technical reason AWS Amplify Console requires persistent full OAuth access to my github account, can you please explain this?

@ryanneill-sterling

Even the read-only deploy key bugs me. Seems like this should be stored in secrets manager or secure parameter.

@bigjosh

bigjosh commented Jun 10, 2021

My workaround is to create a new dummy GitHub account and then grant that account access from my real account, but this is a hack solution for such an important issue.

Really Amplify should just offer an option to enter the URL of a public repo, or use deploy keys, or have a github account that you can invite as a collaborator, or anything else besides requesting full RW access to all repos to be able to read one of them.

How is this not a deal-killer for most people?

@halbrd

halbrd commented Aug 9, 2021

Yep, this is a big yikes. I won't grant superuser permissions to an app that only needs to read one repo. This burns customer trust.

@agostbiro

This is a dealbreaker for me. Other providers like Netlify and Vercel don't require such extensive permissions.

@halbrd

halbrd commented Sep 23, 2021

I ended up using Cloudflare Pages, which only requests read permission and only to the repository I specified.

@jorepstein

🚩🚩🚩🚩🚩🚩🚩🚩🚩
Bad Amplify

@alexBotteri

+1

@fooman

fooman commented Dec 11, 2021

What is being requested certainly doesn't match what is on the previous screen:
[screenshot of the previous screen]
repo read access != read/write on account level

@jonahx

jonahx commented Feb 7, 2022

Is fixing this on the roadmap?

@lastmaj

lastmaj commented Feb 22, 2022

Okay, so this is a dealbreaker for me. I was comparing Amplify, Vercel and Netlify when I stumbled on this. I guess I will be going with anything but Amplify.

@swaminator
Contributor

@lastmaj @jonahx @fooman @alexBotteri @jorepstein @agostbiro @bigjosh @ellemenno this feature has been prioritized and we are hoping to release this in the coming weeks. Stay tuned.

@DashPeruvamba

Hi there - it is good to know there is going to be a fix available. Are you able to share what the updated timeline on this might be?

@swaminator
Contributor

@lastmaj @jonahx @fooman @alexBotteri @jorepstein @agostbiro @bigjosh @ellemenno We now support GitHub Apps to help with this: https://aws.amazon.com/about-aws/whats-new/2022/04/aws-amplify-hosting-github-access-workflows/.

Please let us know if you have any issues.

@mustakimkr

mustakimkr commented Sep 2, 2022

I have connected my two AWS Amplify accounts (let's say X & Y) with my GitHub account (mustakimkr) via GitHub Apps and gave permission to access my two repos (let's say C & D), one for each Amplify account respectively. But I can access both of my repos from both of my Amplify accounts. This is because when I connect to two Amplify accounts it issues only one GitHub App with the same repo permission.
Is there any other way to connect the same GitHub account from multiple AWS accounts without giving the same permission to both Amplify accounts?
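
An added check, written for this page and not taken from AWS Amplify or from anyone in the thread, covering two things discussed above: the shape the original post asks for (one read-only deploy key and one push webhook on the target repo only) and the shared GitHub App installation described in the comment just above, where one installation granted to several repos is reused by every AWS account that connects to it. The JSON field names follow the GitHub REST API responses for `GET /repos/{owner}/{repo}/keys`, `GET /repos/{owner}/{repo}/hooks`, `GET /user/installations` and `GET /user/installations/{id}/repositories`; the repository names, key titles, hook URL and installation id are constructed sample data so the script runs offline, and `audit_ci_access`, `Finding` and `is_least_privilege` are names chosen here. Classic OAuth authorizations (the original complaint) are not listed by this script; those are reviewed and revoked in the GitHub account's application settings, as in step 7 of the reproduction.

```python
"""Least-privilege audit of a GitHub repo's CI hookup (added example).

Checks three things: a read-only deploy key on the target repo, an active
push webhook delivered over verified HTTPS, and, for the GitHub App flow,
an installation scoped to selected repositories that contains only the
target repo. Field names follow the GitHub REST API; values are constructed.
"""
from dataclasses import dataclass

# ---- constructed sample data standing in for the API responses -------------
TARGET_REPO = "example-org/site"  # hypothetical repository

SAMPLE_KEYS = [  # GET /repos/{owner}/{repo}/keys
    {"id": 1, "title": "AWS Amplify", "read_only": True, "verified": True},
    {"id": 2, "title": "ci-bot", "read_only": False, "verified": True},
]
SAMPLE_HOOKS = [  # GET /repos/{owner}/{repo}/hooks
    {"id": 10, "active": True, "events": ["push"],
     "config": {"url": "https://hooks.example.invalid/amplify", "insecure_ssl": "0"}},
]
SAMPLE_INSTALLATIONS = [  # GET /user/installations -> "installations"
    {"id": 100, "app_slug": "aws-amplify", "repository_selection": "selected"},
]
SAMPLE_INSTALLATION_REPOS = {  # GET /user/installations/{id}/repositories -> "repositories"
    100: [{"full_name": "example-org/site"}, {"full_name": "example-org/other"}],
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    subject: str   # "deploy_key", "webhook" or "installation"
    message: str


def audit_ci_access(target, keys, hooks, installations, installation_repos):
    """Return a list of Findings; an empty list means the grant matches the
    'one repo, read-only, push events' shape the issue asks for."""
    findings = []

    # 1. Deploy keys: CI needs read access only, so a read/write key is a finding.
    if not any(k["read_only"] for k in keys):
        findings.append(Finding("high", "deploy_key", f"{target}: no read-only deploy key"))
    for k in keys:
        if not k["read_only"]:
            findings.append(Finding("high", "deploy_key",
                                    f"{target}: deploy key '{k['title']}' (id {k['id']}) is read/write"))

    # 2. Webhook: an active push hook, HTTPS, with TLS verification left on.
    if not any(h["active"] and "push" in h["events"] for h in hooks):
        findings.append(Finding("medium", "webhook", f"{target}: no active push webhook"))
    for h in hooks:
        cfg = h["config"]
        if not cfg["url"].startswith("https://"):
            findings.append(Finding("medium", "webhook", f"hook {h['id']} delivers over plain http"))
        if str(cfg.get("insecure_ssl", "0")) != "0":
            findings.append(Finding("medium", "webhook", f"hook {h['id']} has TLS verification disabled"))

    # 3. GitHub App installations: must be "selected", and the selected set
    #    should be just the target, since every account that reuses this
    #    installation can read everything in it.
    for inst in installations:
        slug = inst["app_slug"]
        if inst["repository_selection"] == "all":
            findings.append(Finding("high", "installation", f"app '{slug}' is installed on all repositories"))
            continue
        granted = {r["full_name"] for r in installation_repos.get(inst["id"], [])}
        if target not in granted:
            findings.append(Finding("medium", "installation",
                                    f"app '{slug}' has no access to {target}; builds will fail"))
        extra = sorted(granted - {target})
        if extra:
            findings.append(Finding("medium", "installation",
                                    f"app '{slug}' can also read {', '.join(extra)}; "
                                    "any AWS account using this installation sees them"))
    return findings


def is_least_privilege(findings):
    """True when the audit produced no findings."""
    return not findings


if __name__ == "__main__":
    for f in audit_ci_access(TARGET_REPO, SAMPLE_KEYS, SAMPLE_HOOKS,
                             SAMPLE_INSTALLATIONS, SAMPLE_INSTALLATION_REPOS):
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

On the sample data the audit reports the read/write `ci-bot` key and the second repository in the installation; swap the constructed lists for the real API responses (fetched with any HTTP client and a token) to run it against an account.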

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot added the archived label Oct 28, 2022
github-actions bot locked and limited conversation to collaborators Oct 28, 2022