The default AWS GHA credential provider uses sts.amazonaws.com as the audience, as do the related docs. Defang CLI does not specify an audience when requesting the JWT from GitHub, so it ends up with the default audience, which is the GitHub org URL, e.g. https://github.com/DefangLabs.
One reason is that we use one JWT for two purposes:
- to authenticate with our backend (Fabric)
- to authenticate to the cloud (AWS)
Ideally, we should use two separate tokens, each with a specific audience:
- fabric-prod1.defang.dev for Fabric auth
- sts.amazonaws.com for AWS
Each consumer should then check that its own name appears in the token's aud claim, so a token minted for one cannot be replayed against the other. It's OK to request multiple tokens from the URL that GitHub provides us (ACTIONS_ID_TOKEN_REQUEST_URL), passing a different audience query parameter each time.
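As an added example (not Defang's own code), the following Go snippet shows the two-token approach: it builds the GitHub OIDC request URL with an explicit audience parameter, fetches one token per consumer, and guards each token with an audience check before it is handed to Fabric or to AWS. The audience strings are the ones named above; fetchIDToken only works inside a GitHub Actions job with id-token: write permission, while the rest runs offline against a constructed, unsigned token that stands in for a real one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Audiences from the discussion above (assumed values for this example).
const (
	audFabric = "fabric-prod1.defang.dev"
	audAWS    = "sts.amazonaws.com"
)

// idTokenRequestURL merges the audience into ACTIONS_ID_TOKEN_REQUEST_URL,
// which already carries a query string, so it must not be appended blindly.
// An empty audience is rejected: GitHub would fall back to the repo owner URL.
func idTokenRequestURL(base, audience string) (string, error) {
	if audience == "" {
		return "", errors.New("audience must not be empty")
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("audience", audience)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// fetchIDToken requests one JWT for one audience. Calling it twice with two
// audiences yields two distinct tokens, one per consumer.
func fetchIDToken(client *http.Client, audience string) (string, error) {
	base, bearer := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	if base == "" || bearer == "" {
		return "", errors.New("not in a GitHub Actions job with id-token: write")
	}
	reqURL, err := idTokenRequestURL(base, audience)
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest(http.MethodGet, reqURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "bearer "+bearer)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return "", fmt.Errorf("token request failed: %s: %s", resp.Status, body)
	}
	var out struct{ Value string `json:"value"` } // GitHub returns {"value": "<jwt>"}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	return out.Value, nil
}

// jwtAudiences reads aud from the (unverified) JWT payload; RFC 7519 allows
// either a single string or an array of strings.
func jwtAudiences(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud claim missing or malformed: %w", err)
	}
	return many, nil
}

// checkAudience is the client-side guard against handing a token to the wrong
// consumer. The consumer must still verify the signature and aud itself.
func checkAudience(token, want string) error {
	auds, err := jwtAudiences(token)
	if err != nil {
		return err
	}
	for _, a := range auds {
		if a == want {
			return nil
		}
	}
	return fmt.Errorf("token audience %v does not include %q", auds, want)
}

// constructedToken builds an unsigned JWT with the given aud for the offline
// demo; it is a constructed stand-in, not a real GitHub token.
func constructedToken(aud interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." +
		enc(map[string]interface{}{"iss": "https://token.actions.githubusercontent.com", "aud": aud}) + "."
}

func main() {
	// In a real job: fabricTok, _ := fetchIDToken(http.DefaultClient, audFabric)
	//                awsTok, _    := fetchIDToken(http.DefaultClient, audAWS)
	defaultTok := constructedToken("https://github.com/DefangLabs") // what no-audience yields
	fmt.Println("default-audience token for AWS:", checkAudience(defaultTok, audAWS))
	fmt.Println("sts token for Fabric:", checkAudience(constructedToken(audAWS), audFabric))
	fmt.Println("sts token for AWS:", checkAudience(constructedToken(audAWS), audAWS))
}
```

The important property is that the audience is chosen by the caller per consumer and checked again before use: a token obtained without an audience carries the org URL, so both checks in main fail for it, and a token minted for AWS is refused for Fabric.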