aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

OIDC: Can't assume role containing "github" #1093

Open bbergeron0 opened 2 months ago

bbergeron0 commented 2 months ago

Describe the bug

Just like #953, OIDC seems to break down when the IAM role contains "GitHub". The runner couldn't assume the role "github-action-deploy-to-staging" or "test-github-cicd", but assumed the role "deploy-to-staging" without a hitch, with the only difference between these roles being their name. After finding the aforementioned issue, I gave the solution a try and it worked.

Expected Behavior

I expect it to work even if the role contains "github".

Current Behavior

In GH action logs:

Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
...
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

As I said, the role must contain "github" to fail. Here's the failing step in question (also, permissions.id-token = write):

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::[redacted]:role/github-said-hi
    role-session-name: samplerolesession
    aws-region: ${{ env.AWS_REGION }}
```

Possible Solution

#954 suggested "either highlighting this restricted role name in the documentation, or fixing the issue preventing use of this role name." I'd like to vote for the second option this time around ;)

Additional Information/Context

No response
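The error quoted above, "Not authorized to perform sts:AssumeRoleWithWebIdentity", is the generic answer STS gives whenever the role's trust policy does not admit the token it was handed, so a mismatch in the trust policy's aud or sub conditions produces exactly the same log line as the role-name problem this issue reports. The script below is an added example (not the reporter's code and not part of aws-actions/configure-aws-credentials): it evaluates a trust policy's StringEquals/StringLike conditions against the claims a GitHub OIDC token carries, so the trust policy can be ruled in or out offline before renaming the role. The account ID, organisation and repository in it are placeholders; the aud value sts.amazonaws.com is this action's default audience, and the sub format is the one GitHub issues for a run on a branch ref. It deliberately does not model Deny statements, a missing OIDC provider in the account, or the role-name behaviour reported here.

```python
"""Offline check of an IAM role trust policy against GitHub OIDC token claims.
Added example, not code from this issue or from aws-actions/configure-aws-credentials.
It models what decides sts:AssumeRoleWithWebIdentity for one run: an Allow statement's
federated principal and its String* conditions on the token's aud and sub claims.
Not modelled: explicit Deny statements, a missing OIDC provider, the role-name quirk."""
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample trust policy in the shape AWS documents for GitHub OIDC.
# Account ID, org and repo are placeholders (assumptions for this example).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}
    }
  }]
}
""")

# Constructed claims as the action presents them to STS: aud is the action's default
# audience, sub is what GitHub issues for a run triggered on the main branch.
TOKEN_CLAIMS = {
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
}


def github_sub(repo: str, ref: str) -> str:
    """sub claim GitHub issues for a run on a branch or tag ref such as refs/heads/main."""
    return f"repo:{repo}:ref:{ref}"


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: only * and ? are wildcards; matching is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


# operator -> (match function, negated?)
_OPS = {
    "StringEquals": (lambda p, v: p == v, False),
    "StringLike": (_like, False),
    "StringNotEquals": (lambda p, v: p == v, True),
    "StringNotLike": (_like, True),
}


def _condition_holds(operator: str, key: str, expected, claims: dict) -> bool:
    """One condition key: any listed value may match (OR); a claim missing from the
    token fails the positive operators and satisfies the negated ones, as in IAM."""
    match, negate = _OPS[operator]
    actual = claims.get(key.rsplit(":", 1)[1])
    if actual is None:
        return negate
    values = expected if isinstance(expected, list) else [expected]
    hit = any(match(v, actual) for v in values)
    return not hit if negate else hit


def evaluate_trust_policy(policy: dict, claims: dict, issuer: str = ISSUER):
    """Return (allowed, reasons): allowed when some Allow statement for
    sts:AssumeRoleWithWebIdentity names the issuer's provider and every one of
    its conditions holds for the claims (AND across keys and operators)."""
    reasons = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = set(actions if isinstance(actions, list) else [actions])
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"}:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith("oidc-provider/" + issuer):
            reasons.append(f"statement {i}: principal {federated!r} is not the {issuer} provider")
            continue
        failed = []
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                if operator not in _OPS or not key.startswith(issuer + ":"):
                    failed.append(f"{operator} on {key}: not modelled by this checker")
                elif not _condition_holds(operator, key, expected, claims):
                    actual = claims.get(key.rsplit(":", 1)[1])
                    failed.append(f"{operator} on {key}: token has {actual!r}, policy wants {expected!r}")
        if not failed:
            return True, [f"statement {i} allows these claims"]
        reasons.append(f"statement {i}: " + "; ".join(failed))
    return False, reasons or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]


if __name__ == "__main__":
    for claims in (TOKEN_CLAIMS,
                   {**TOKEN_CLAIMS, "sub": github_sub("someone-else/fork", "refs/heads/main")},
                   {**TOKEN_CLAIMS, "aud": "https://github.com/example-org"}):
        ok, why = evaluate_trust_policy(TRUST_POLICY, claims)
        print("ALLOW" if ok else "DENY ", claims["aud"], claims["sub"], "|", "; ".join(why))
```

Paste the real trust policy into TRUST_POLICY and the sub your workflow actually receives (branch ref, pull_request, or an environment claim when the job uses one) into TOKEN_CLAIMS. If the checker reports ALLOW for the real inputs, the trust policy is not the cause and the remaining suspects are on the AWS side: the OIDC provider registration in that account, or the role-naming behaviour this issue describes.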

gyfchong commented 2 months ago

Mine doesn't seem to work even without github in the role name 😢

Github action: https://github.com/gyfchong/rumblr/blob/f66285185f64529004668a8d14878bcbac4d16a6/.github/workflows/deployment.yml#L28

Failed action: https://github.com/gyfchong/rumblr/actions/runs/9625696385/job/26550841968#step:4:24

tim-finnigan commented 1 month ago

This note was added to the README:

> Note: Naming your role "GitHubActions" has been reported to not work. See https://github.com/aws-actions/configure-aws-credentials/issues/953.

More investigation is needed into why a role containing "github" doesn't work and what could be done about it.

kuber- commented 1 week ago

Had the same issue. The issue being: if the assumed role name is GitHub (in our case it was an exact match), it fails as originally reported. Renaming the role (for example, to gh-oidc-role) with no other changes works. A couple of interesting things:

  1. We have 3 AWS accounts and only 2 out of 3 have this issue. The third has a role named exactly GitHub and it works!
  2. All three with the role name GitHub were working for many months, and the aforementioned two stopped working around 31 July 2024!

For reference, the action is invoked as follows:

```yaml
uses: aws-actions/configure-aws-credentials@v4.0.2
with:
  role-to-assume: arn:aws:iam::xxxx:role/GitHub
  role-session-name: GitHub_to_AWS_via_FederatedOIDC
```