Skip to content

AssumeRoleWithWebIdentity

AWS

AssumeRoleWithWebIdentity

service: AWS - STS
techniques:

Event

Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.

Security Context

  • Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.

Log Source

CloudTrail

Sample Event

Legitimate. The OCCAMY data-pipeline CI runs in GitHub Actions on fantasticlogs/occamy. On a push to main, the workflow exchanges a short-lived OIDC token from token.actions.githubusercontent.com for AWS credentials by assuming OccamyPipelineRole. The role’s trust policy is scoped to repo:fantasticlogs/occamy:ref:refs/heads/main. This is the canonical “no long-term keys in CI” pattern. Source IP is GitHub Actions runner egress (TEST-NET-2 stand-in 198.51.100.200).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "WebIdentityUser",
"principalId": "token.actions.githubusercontent.com:sts.amazonaws.com:repo:fantasticlogs/occamy:ref:refs/heads/main",
"userName": "repo:fantasticlogs/occamy:ref:refs/heads/main",
"identityProvider": "arn:aws:iam::555123456789:oidc-provider/token.actions.githubusercontent.com"
},
"eventTime": "2026-04-15T15:18:42Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRoleWithWebIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.200",
"userAgent": "aws-actions-configure-aws-credentials/4.0.0 aws-sdk-nodejs/2.1525.0 linux/v20.10.0 callback",
"requestParameters": {
"roleArn": "arn:aws:iam::555123456789:role/OccamyPipelineRole",
"roleSessionName": "GitHubActions-occamy-deploy-12345",
"durationSeconds": 3600
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIA0CCAMYP1PESESS01N",
"sessionToken": "<encoded session token blob>",
"expiration": "Apr 15, 2026, 4:18:42 PM"
},
"subjectFromWebIdentityToken": "repo:fantasticlogs/occamy:ref:refs/heads/main",
"assumedRoleUser": {
"assumedRoleId": "AROAOCCAMYP1PEL1NE02:GitHubActions-occamy-deploy-12345",
"arn": "arn:aws:sts::555123456789:assumed-role/OccamyPipelineRole/GitHubActions-occamy-deploy-12345"
},
"provider": "arn:aws:iam::555123456789:oidc-provider/token.actions.githubusercontent.com",
"audience": "sts.amazonaws.com"
},
"additionalEventData": {
"identityProviderConnectionVerificationMethod": "IAMTrustStore"
},
"requestID": "90000000-0000-4000-8000-000001110000",
"eventID": "90000000-0000-4000-8000-000001110001",
"readOnly": true,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::555123456789:role/OccamyPipelineRole"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Initial Access Privilege Escalation Lateral Movement Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...