From d4bdd8456dddbb963f39dbf699652fa655c84a23 Mon Sep 17 00:00:00 2001 From: therealvio <41095688+therealvio@users.noreply.github.com> Date: Sun, 17 Sep 2023 19:17:43 +1000 Subject: [PATCH] doc(oidc): policy example does not work when environments are in use The documentation depicting how to limit scope of access in the trust policy works for *most* cases. However, when a deployment environment is used by a job, the policy will not work. This is described in the linked documentation here: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims You can test your GitHub Actions runs to verify what claim you need using this action: https://github.com/github/actions-oidc-debugger --- .../configuring-openid-connect-in-amazon-web-services.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index 4ea5aa0b74e9..abe615762f1b 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -63,6 +63,13 @@ Edit the trust policy to add the `sub` field to the validation conditions. For e } ``` + +{% note %} + +**Note**: In the above example, specifying a branch in the subject claim only works if the branch does not refer to an environment. For more examples of what common subject claims you can use, see the Github documentation "[About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)" + +{% endnote %} + In the following example, `StringLike` is used with a wildcard operator (`*`) to allow any branch, pull request merge branch, or environment from the `octo-org/octo-repo` organization and repository to assume a role in AWS. ```json copy
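Review bot: The added note's wording "only works if the branch does not refer to an environment" does not describe the actual failure mode; a branch cannot "refer to" an environment, and the commit message itself states the condition correctly: the branch-scoped `sub` condition stops matching when the job uses a deployment environment, because such a job presents a different `sub` claim. Suggest rewording to something like "the branch-based `sub` condition above only matches jobs that do not use a deployment environment; a job that references an environment presents a different `sub` claim, so the trust policy must match on that instead", and pointing the reader to the `StringLike` example that follows, which already allows "any branch, pull request merge branch, or environment". This matters for the security outcome: a reader who copies the branch-only condition and later adds an environment to the job gets an `AssumeRoleWithWebIdentity` denial rather than a silent over-grant, but a reader who "fixes" it by loosening the wildcard without understanding the claim format can end up trusting more than intended, so the note should say what the claim looks like or link directly to the claim examples, which it does. Two smaller points in the same lines: "Github documentation" should read "GitHub documentation" (consistent with the rest of the docs), and the sentence ending with the link needs a closing period before `{% endnote %}`.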