add docs for cognito identity token (#1805)

motatoes · web-flow · commit 9a40639ab83c · 2024-11-11T11:33:38.000Z
diff --git a/docs/ce/howto/project-level-roles.mdx b/docs/ce/howto/project-level-roles.mdx
@@ -20,22 +20,15 @@ projects:
       aws_role_to_assume:
          state: "arn:/blabla/accid/backenddev"
          command: "arn:/blabla/accid/devaccount"
+         aws_role_region: us-east-1
    - name: prod
       dir: ./prod
       aws_role_to_assume:
          state: "arn:/blabla/accid/backendprod"
          command: "arn:/blabla/accid/prodaccount"
+         aws_role_region: us-east-1
 ```
 
-Using a workflow file as usual. Here is an [example repository](https://github.com/diggerhq/demo-assume-role-multi-account-aws_diggeryml) using digger.yml to assume different roles for different projects.
-
-<Note>
-NOTE: for locking to be configured user needs to also pass aws-role-to-assume in the workflow file as a
-parameter within the workflow file. This role needs to have ability to assume all the other roles and also have access to a common account where the locks are to live. 
-
-If you are not using a aws-role-to-assume setting it workflow you **must** add ```AwsRoleRegion``` property to project level ```aws_role_to_assume```
-</Note>
-
 You can also use project-level assume role with [generated projects](/ce/howto/generate-projects):
 
 ```
@@ -48,3 +41,27 @@ generate_projects:
         command: "arn:/blabla/accid/devaccount"
 ```
 
+# Assume role with cognito identity
+
+The github action JWT token includes alot of useful fields such as `ref`, `sha`, `runner_environment` etc. however it is
+challenging to write an AWS trust policy to match for these fields since only `aud` and `sub` fields are supported. Using cognito
+identity it is possible to remap the fields into principal tags which allows them to be matched in the trust policy. More information
+about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.
+
+If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows:
+
+```
+  - name: "my-secure-digger-project"
+    dir: "prod"
+    workflow: default
+    workflow_file: digger_workflow.yml
+    aws_role_to_assume:
+      aws_role_region: "us-west-2"
+      command: "arn:aws:iam::00000000000:role/github-action-deployment-role"
+    aws_cognito_oidc:
+      cognito_identity_pool_id: "us-east-1:00000000-0000-0000-0000-000000000000"
+      aws_region: "us-east-1"
+      aws_account_id: "000000000000"
+```
+
+Once this is specified you will be able to match values in additional configuration as highlighted in the url above.
