AssumeRoleWithWebIdentity
AWS
AssumeRoleWithWebIdentity
Event
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
Security Context
- Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.
Log Source
CloudTrail
Sample Event
Legitimate. The OCCAMY data-pipeline CI runs in GitHub Actions on fantasticlogs/occamy. On a push to main, the workflow exchanges a short-lived OIDC token from token.actions.githubusercontent.com for AWS credentials by assuming OccamyPipelineRole. The role’s trust policy is scoped to repo:fantasticlogs/occamy:ref:refs/heads/main. This is the canonical “no long-term keys in CI” pattern. Source IP is GitHub Actions runner egress (TEST-NET-2 stand-in 198.51.100.200).
{ "eventVersion": "1.09", "userIdentity": { "type": "WebIdentityUser", "principalId": "token.actions.githubusercontent.com:sts.amazonaws.com:repo:fantasticlogs/occamy:ref:refs/heads/main", "userName": "repo:fantasticlogs/occamy:ref:refs/heads/main", "identityProvider": "arn:aws:iam::555123456789:oidc-provider/token.actions.githubusercontent.com" }, "eventTime": "2026-04-15T15:18:42Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.200", "userAgent": "aws-actions-configure-aws-credentials/4.0.0 aws-sdk-nodejs/2.1525.0 linux/v20.10.0 callback", "requestParameters": { "roleArn": "arn:aws:iam::555123456789:role/OccamyPipelineRole", "roleSessionName": "GitHubActions-occamy-deploy-12345", "durationSeconds": 3600 }, "responseElements": { "credentials": { "accessKeyId": "ASIA0CCAMYP1PESESS01N", "sessionToken": "<encoded session token blob>", "expiration": "Apr 15, 2026, 4:18:42 PM" }, "subjectFromWebIdentityToken": "repo:fantasticlogs/occamy:ref:refs/heads/main", "assumedRoleUser": { "assumedRoleId": "AROAOCCAMYP1PEL1NE02:GitHubActions-occamy-deploy-12345", "arn": "arn:aws:sts::555123456789:assumed-role/OccamyPipelineRole/GitHubActions-occamy-deploy-12345" }, "provider": "arn:aws:iam::555123456789:oidc-provider/token.actions.githubusercontent.com", "audience": "sts.amazonaws.com" }, "additionalEventData": { "identityProviderConnectionVerificationMethod": "IAMTrustStore" }, "requestID": "90000000-0000-4000-8000-000001110000", "eventID": "90000000-0000-4000-8000-000001110001", "readOnly": true, "resources": [ { "accountId": "555123456789", "type": "AWS::IAM::Role", "ARN": "arn:aws:iam::555123456789:role/OccamyPipelineRole" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "sts.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Initial Access Privilege Escalation Lateral Movement Stealth
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...