aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

"Error: EACCES: permission denied, open" when running on non-root self-hosted runners #1011

Closed (lucazz closed this 6 months ago)

lucazz commented 6 months ago

Describe the bug

Hello there everyone,

I have a GitHub Actions Runner Controller (ARC) Runner Set deployed on an EKS cluster, and workflow executions are failing with the following error message:

Error: EACCES: permission denied, open '/__w/_temp/_runner_file_commands/set_env_43334ec4-c528-4eeb-b934-cb1d34df5bea'
Error: Error: failed to run script step: command terminated with non-zero exit code: error executing command [sh -e /__w/_temp/d44e9240-d25b-11ee-91a7-1b422eefd1bb.sh], exit code 1
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

These pods are running as non-root, and the only other reference I see to this behavior is on #156, where the fix ran this action as root.

Expected Behavior

One should be able to assume a given role even when running this action in a non-root container.

Current Behavior

The workflow execution fails with the following error message:

Error: EACCES: permission denied, open '/__w/_temp/_runner_file_commands/set_env_43334ec4-c528-4eeb-b934-cb1d34df5bea'
Error: Error: failed to run script step: command terminated with non-zero exit code: error executing command [sh -e /__w/_temp/d44e9240-d25b-11ee-91a7-1b422eefd1bb.sh], exit code 1
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

Reproduction Steps

On a runner pod running without root, run the following workflow:

---
name: ARC Demo
on:
  workflow_dispatch:

jobs:
  Explore-GitHub-Actions:
    runs-on: prod
    container:
      image: 012345678910.dkr.ecr.us-east-1.amazonaws.com/foo/bar:latest
    env:
      AWS_DEFAULT_REGION: us-east-1
      AWS_ROLE: arn:aws:iam::012345678910:role/some-role
    steps:
      - name: Setup AWS access
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          role-skip-session-tagging: true
          role-to-assume: ${{ env.AWS_ROLE }}
      - run: aws sts get-caller-identity

Possible Solution

No response

Additional Information/Context

No response

tim-finnigan commented 6 months ago

Thanks for reaching out. This appears to be expected behavior, and there are related issues such as https://github.com/actions/checkout/issues/1014 and https://github.com/actions/checkout/issues/956. The documentation (https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user) notes that "Docker actions must be run by the default Docker user (root)...". You can try workarounds such as using chmod to allow a non-root user to write the filesystem path. There are some other workarounds referenced in those GitHub issues.
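The failure in this thread is the action writing to the runner's file-command files (the `set_env_*` path under `_runner_file_commands`, i.e. `$GITHUB_ENV` and friends) as a user that cannot write there. The following shell helpers are an added example for this thread, not code from the issue or from the action: a pre-flight check that fails the job with a readable message, and a narrow version of the chmod workaround mentioned above. It assumes the runner exports the standard `GITHUB_ENV`/`GITHUB_OUTPUT`/`GITHUB_PATH`/`GITHUB_STATE` variables and that the fix function is run from somewhere with the privilege to chgrp/chmod (an init container or the image entrypoint), which is an assumption about your runner image.

```shell
#!/bin/sh
# Diagnose the EACCES failure on non-root runners: the action writes to the runner's
# "file command" files (GITHUB_ENV, GITHUB_OUTPUT, GITHUB_PATH, GITHUB_STATE) under
# _runner_file_commands, so the job user needs write access to those files.
# Example code for this thread, not part of the action; the directory and group
# passed to grant_runner_write are assumptions about your runner image.

# Report on one file-command path; returns 0 if the current user can write it, 1 otherwise.
check_file_command() {
  path="$1"
  if [ ! -e "$path" ]; then
    printf 'MISSING %s\n' "$path"
    return 1
  fi
  if [ -w "$path" ]; then
    printf 'OK      %s (uid=%s)\n' "$path" "$(id -u)"
    return 0
  fi
  owner=$(ls -ld "$path" | awk '{print $3}')
  printf 'EACCES  %s (uid=%s, owner=%s)\n' "$path" "$(id -u)" "$owner"
  return 1
}

# Check every file command the runner exported; returns the number of unwritable ones,
# so a first workflow step can fail fast with a clear message instead of a stack trace.
check_all_file_commands() {
  failed=0
  for var in GITHUB_ENV GITHUB_OUTPUT GITHUB_PATH GITHUB_STATE; do
    eval "p=\"\$$var\""
    [ -n "$p" ] || continue
    check_file_command "$p" || failed=$((failed + 1))
  done
  return "$failed"
}

# Narrow form of the chmod workaround: give the runner user's group write access to
# the file-commands directory only and strip world write, rather than chmod -R 777
# or running the whole job as root. Needs privilege to chgrp/chmod (assumption: run
# from an init container or the image entrypoint, not from the job itself).
grant_runner_write() {
  dir="$1"
  group="$2"
  chgrp -R "$group" "$dir" && chmod -R g+rwX,o-w "$dir"
}
```

Run `check_all_file_commands` as the first step of a job on the non-root runner to confirm the fix took effect before `configure-aws-credentials` runs.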

lucazz commented 6 months ago

Interesting. Thanks for pointing that out, @tim-finnigan. I'll close this issue then.

github-actions[bot] commented 6 months ago

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one.