# GH_CanAssumeIdentity

> Repository can assume this cloud identity via OIDC federation (Azure workload identity or AWS IAM role)

Applies to BloodHound Enterprise and CE

## Edge Schema

* Source: [GH\_Repository](/opengraph/extensions/github/nodes/gh_repository), [GH\_Branch](/opengraph/extensions/github/nodes/gh_branch), [GH\_Environment](/opengraph/extensions/github/nodes/gh_environment)
* Destination: [AZFederatedIdentityCredential](/resources/nodes/az-federated-identity-credential), `AWSRole`
* Traversable: ✅

## General Information

The traversable GH\_CanAssumeIdentity edge is a hybrid edge connecting GitHub OIDC token sources to cloud identity targets configured for GitHub Actions federation. This edge represents a verified path from GitHub Actions to cloud resource access. It is traversable because an attacker who can execute workflows in the source repository, branch, or environment can obtain an OIDC token that the cloud provider will accept, granting access to the associated cloud identity and its permissions. This edge is critical for identifying cross-cloud lateral movement paths from GitHub into Azure and AWS.

```mermaid
graph LR
    repo("GH_Repository GitHound")
    branch("GH_Branch main")
    env("GH_Environment production")
    azFic("AZFederatedIdentityCredential gh-deploy-prod")
    awsRole("AWSRole gh-actions-deploy-prod")
    repo -- GH_CanAssumeIdentity --> azFic
    branch -- GH_CanAssumeIdentity --> awsRole
    env -- GH_CanAssumeIdentity --> azFic
```
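When auditing the cloud side of this edge, it helps to know which GitHub source a trust configuration is pinned to. The following is an added example, not BloodHound or GitHound code: it classifies an Azure federated identity credential or an AWS role trust policy by the scope of its GitHub OIDC `sub` constraint, assuming GitHub's default `sub` formats. The owner `example-org`, the account ID, and the `UNSCOPED` label are constructed for illustration.

```python
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AWS_SUB_KEY = "token.actions.githubusercontent.com:sub"
UNSCOPED = ("UNSCOPED", None, None)  # hypothetical label: not pinned to one repository

def classify_subject(pattern):
    """Return (source_kind, repo, name) for a GitHub OIDC `sub` value or pattern."""
    parts = pattern.split(":", 3)
    if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1]:
        return UNSCOPED
    repo, scope = parts[1], parts[2]
    rest = parts[3] if len(parts) == 4 else ""
    if scope == "environment" and rest and "*" not in rest:
        return ("GH_Environment", repo, rest)
    if scope == "ref" and rest.startswith("refs/heads/") and "*" not in rest:
        return ("GH_Branch", repo, rest[len("refs/heads/"):])
    return ("GH_Repository", repo, None)  # wildcard or other scope: whole repository

def azure_sources(fic):
    """Azure federated identity credential: GitHub issuer plus a single subject."""
    if fic.get("issuer", "").rstrip("/") != GITHUB_ISSUER:
        return []
    return [classify_subject(fic["subject"])]

def aws_sources(trust_policy):
    """AWS role trust policy: read the `sub` condition of GitHub OIDC statements."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or not isinstance(federated, str):
            continue
        if not federated.endswith("oidc-provider/token.actions.githubusercontent.com"):
            continue
        subs = []
        for op in ("StringEquals", "StringLike"):
            value = stmt.get("Condition", {}).get(op, {}).get(AWS_SUB_KEY, [])
            subs += [value] if isinstance(value, str) else list(value)
        # A statement with no `sub` condition is not restricted to any repository.
        found += [classify_subject(s) for s in subs] or [UNSCOPED]
    return found

# Constructed sample inputs mirroring the diagram above.
FIC = {"issuer": GITHUB_ISSUER,
       "subject": "repo:example-org/GitHound:environment:production"}
ROLE = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {"StringLike": {AWS_SUB_KEY: "repo:example-org/GitHound:ref:refs/heads/main"}}}]}
```

An `UNSCOPED` result is the finding to prioritize in review: the trust is not limited to a single repository, so the cloud identity is reachable from more workflows than one source node suggests.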
