Open bbergeron0 opened 2 months ago
Mine doesn't seem to work even without github in the role name 😢
Github action: https://github.com/gyfchong/rumblr/blob/f66285185f64529004668a8d14878bcbac4d16a6/.github/workflows/deployment.yml#L28
Failed action: https://github.com/gyfchong/rumblr/actions/runs/9625696385/job/26550841968#step:4:24
This note was added to the README:
Note: Naming your role "GitHubActions" has been reported to not work. See https://github.com/aws-actions/configure-aws-credentials/issues/953.
More investigation is needed into why a role containing "github" doesn't work and what could be done about it.
Had the same issue. The issue being: if the assumed role name is (in our case, it was an exact match) GitHub, it fails as originally reported. Renaming the role (for example, changing to gh-oidc-role) with no other changes works. A couple of interesting things:
For reference, the action is invoked as follows:

```yaml
uses: aws-actions/configure-aws-credentials@v4.0.2
with:
  role-to-assume: arn:aws:iam::xxxx:role/GitHub
  role-session-name: GitHub_to_AWS_via_FederatedOIDC
```
Describe the bug
Just like #953, OIDC seems to break down when the IAM role contains "GitHub." The runner couldn't assume the role "github-action-deploy-to-staging" or "test-github-cicd," but assumed the role "deploy-to-staging" without a hitch, with the only difference between these roles being their name. After finding the aforementioned issue, I gave the solution a try and it worked.
Expected Behavior
I expect it to work even if the role contains "github".
Current Behavior
In GH action logs:
Reproduction Steps
As I said, the role must contain "github" to fail. Here's the failing step in question (also, permissions.id-token = write):
Possible Solution
954 suggested "either highlighting this restricted role name in the documentation, or fixing the issue preventing use of this role name." I'd like to vote for the second option this time around ;)
Additional Information/Context
No response