Challenge - 5 Problems

🎖️

OIDC Authentication Master

Get all challenges correct to earn this badge!

Test your skills under time pressure!

🧠 Conceptual

intermediate

2:00remaining

What is the main purpose of OIDC in CI/CD pipelines?

OpenID Connect (OIDC) is often used in CI/CD pipelines. What is its main purpose?

ATo securely authenticate pipeline jobs without storing long-lived credentials

BTo encrypt all data transferred between pipeline stages

CTo manage version control of pipeline scripts

DTo monitor pipeline performance metrics in real-time

Attempts:

2 left

💻 Command Output

intermediate

2:00remaining

What is the output of this Terraform snippet configuring OIDC provider?

Given this Terraform code snippet, what will be the value of aws_iam_openid_connect_provider.example.url after apply?

Terraform

resource "aws_iam_openid_connect_provider" "example" {
  url = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
  client_id_list = ["sts.amazonaws.com"]
  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da0afd6e1e4"]
}

A9e99a48a9960b14926bb7f3b02e22da0afd6e1e4

Bhttps://oidc.eks.us-west-2.amazonaws.com/id/INVALID

Chttps://sts.amazonaws.com

Dhttps://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E

Attempts:

2 left

❓ Configuration

advanced

3:00remaining

Which Terraform block correctly configures a trust relationship for OIDC in an IAM role?

Choose the Terraform assume_role_policy JSON that correctly allows OIDC authentication from a specific provider.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/invalid-provider"},
    "Action": "sts:AssumeRoleWithWebIdentity"
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:default:my-service-account"
      }
    }
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}

Attempts:

2 left

❓ Troubleshoot

advanced

3:00remaining

Why does this GitHub Actions workflow fail to authenticate with AWS using OIDC?

Given this snippet from a GitHub Actions workflow, why does the AWS CLI command fail with 'AccessDenied'?

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubOIDCRole
          aws-region: us-west-2
      - name: Deploy
        run: aws s3 ls

AThe workflow is missing the 'id-token: write' permission

BThe IAM role's trust policy does not allow GitHub's OIDC provider

CThe AWS region is incorrectly specified

DThe AWS CLI command 'aws s3 ls' is invalid

Attempts:

2 left

🔀 Workflow

expert

4:00remaining

Order the steps to enable OIDC authentication for a CI/CD pipeline deploying to AWS

Arrange these steps in the correct order to set up OIDC authentication for a CI/CD pipeline that deploys to AWS.

A1,3,2,4

B1,2,3,4

C3,1,2,4

D2,1,3,4

Attempts:

2 left