Trust policy example in Setting up OIDC for AWS should reference docs on OIDC subjects in claims #28292

@therealvio

Description

What article on docs.github.com is affected?

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

What changes are you suggesting?

In the first example for this section of the doc, the trust policy scopes the access to a particular branch for a repository using ref as a subject.

However, this example doesn't make note of a pitfall: if a job references a Deployment Environment, then the policy won't allow GitHub Actions to assume the role. In my case, I had a deploy script reference a production environment. So I needed to set the policy to use environment as a claim, as depicted here.

This is something that was tricky to figure out until I ran into the claims doc above.

Additional information

I raised a draft PR for this, though unfortunately this area of the documentation is restricted. Though I thought I'd leave it so it can be copied over and extended.
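To make the pitfall described above concrete, here is an added example (not code from the issue author or from the GitHub docs) that models how an IAM trust policy's `Condition` block is evaluated against the `sub` claim GitHub places in the OIDC token. The repository name `octo-org/octo-repo`, the environment name `production`, and the two `Condition` blocks are constructed placeholders; the `StringEquals`/`StringLike` matcher is a simplified reimplementation of IAM's documented semantics (`*` matches any run of characters, `?` one character, a list of patterns is an OR) and is an assumption, not AWS's code. The point it demonstrates is that a job bound to an environment carries a `repo:<org>/<repo>:environment:<name>` subject, so a policy scoped to `ref:refs/heads/main` never matches it, whichever branch triggered the run.

```python
import re

OIDC_PREFIX = "token.actions.githubusercontent.com"

# Constructed trust-policy Condition blocks (placeholder repo and environment).
BRANCH_SCOPED_CONDITION = {
    "StringEquals": {f"{OIDC_PREFIX}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_PREFIX}:sub": "repo:octo-org/octo-repo:ref:refs/heads/main"},
}
ENVIRONMENT_SCOPED_CONDITION = {
    "StringEquals": {f"{OIDC_PREFIX}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_PREFIX}:sub": "repo:octo-org/octo-repo:environment:production"},
}


def github_sub_claim(repo, ref=None, environment=None):
    """Build the `sub` claim GitHub puts in the Actions OIDC token.

    When the job references an environment, the subject is the environment
    form; the triggering branch does not appear in it at all.
    """
    if environment is not None:
        return f"repo:{repo}:environment:{environment}"
    if ref is None:
        raise ValueError("a job without an environment needs a ref")
    return f"repo:{repo}:ref:{ref}"


def _string_like(pattern, value):
    """Simplified IAM StringLike: '*' any run of chars, '?' one char, case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_allows(condition, claims):
    """Evaluate a trust-policy Condition block against token claims.

    `claims` uses bare claim names (aud, sub); they are mapped to the
    `token.actions.githubusercontent.com:<claim>` condition keys.
    Every operator/key pair must match; a list of patterns means any-of.
    """
    keyed = {f"{OIDC_PREFIX}:{name}": value for name, value in claims.items()}
    for operator, tests in condition.items():
        for key, patterns in tests.items():
            value = keyed.get(key)
            if value is None:
                return False  # missing condition key never matches
            if not isinstance(patterns, list):
                patterns = [patterns]
            if operator == "StringEquals":
                matched = any(value == p for p in patterns)
            elif operator == "StringLike":
                matched = any(_string_like(p, value) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not matched:
                return False
    return True


def evaluate_scenarios(repo="octo-org/octo-repo"):
    """Return which (policy, job) combinations would let AssumeRoleWithWebIdentity succeed."""
    branch_job = {"aud": "sts.amazonaws.com",
                  "sub": github_sub_claim(repo, ref="refs/heads/main")}
    environment_job = {"aud": "sts.amazonaws.com",
                       "sub": github_sub_claim(repo, environment="production")}
    return {
        "branch_policy/branch_job": condition_allows(BRANCH_SCOPED_CONDITION, branch_job),
        "branch_policy/environment_job": condition_allows(BRANCH_SCOPED_CONDITION, environment_job),
        "environment_policy/environment_job": condition_allows(ENVIRONMENT_SCOPED_CONDITION, environment_job),
        "environment_policy/branch_job": condition_allows(ENVIRONMENT_SCOPED_CONDITION, branch_job),
    }


if __name__ == "__main__":
    for scenario, allowed in evaluate_scenarios().items():
        print(f"{scenario:40s} -> {'allowed' if allowed else 'denied'}")
```

Running it shows `branch_policy/environment_job -> denied`, which is the failure the issue describes: the branch-scoped trust policy is correct for a plain push job but silently excludes any job that declares `environment:`. The fix is to add (or switch to) a `StringLike` entry for the environment subject, or to list both subjects under the same key, and to keep the match as narrow as the deployment actually needs rather than widening it to `repo:octo-org/octo-repo:*`.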

Labels: content (This issue or pull request belongs to the Docs Content team)