aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

Error: The security token included in the request is invalid - in GHA jobs #1190

Open dil-jvanganuru opened 6 days ago

dil-jvanganuru commented 6 days ago

Describe the bug

Hi,

We are planning to run some tests and below is the flow:

    name: 'Run RSpec Tests'
    on:
      push:
        branches:

    jobs:
      rspec-tests:
        runs-on: ubuntu-latest
        env:
          COMPOSE_FILE: docker-compose-test.yml

        steps:

Please help us with this issue.

Regression Issue

Expected Behavior

This should run successfully with no errors.

Current Behavior

This is giving an error at:

    aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id:
        aws-secret-access-key:
        aws-region: us-east-1
        audience: sts.amazonaws.com
      env:
        COMPOSE_FILE: docker-compose-test.yml
    Error: The security token included in the request is invalid.

Reproduction Steps

This is happening every time.

Possible Solution

No response

Additional Information/Context

No response

noamgreen commented 1 day ago

Hi, I have the same issues.

      - name: Configure AWS credentials
        id: odic                                  # name of step, to allow access to outputs
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.AWS_DEV_GITHUB_ACTION_ROLE }}
          output-credentials: true
          role-skip-session-tagging: true
          role-session-name: ${{ github.actor }}_${{ github.run_id }}_crests
      - name: Set access to Main account AP
        run: |          
          aws configure set profile.main.aws_access_key_id ${{ steps.odic.outputs.aws-access-key-id }}
          aws configure set profile.main.aws_secret_access_key  ${{ steps.odic.outputs.aws-secret-access-key }}
          aws configure set profile.main.aws_session_token  ${{ steps.odic.outputs.aws-session-token }}
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

      - name: Configure other AWS Credentials AP
        id: prodAP
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ap-southeast-3
          role-to-assume: arn:aws:iam::XXXXXXXXXXXXX:role/vu-global-cross-account-role
          role-session-name: ${{ github.actor }}_${{ github.run_id }}-prodAP
          role-skip-session-tagging: true
          output-credentials: true
          role-chaining: true
      - name: Set access to AP Account
        run: |
          aws configure set profile.prod-ap.aws_access_key_id ${{ steps.prodAP.outputs.aws-access-key-id }}
          aws configure set profile.prod-ap.aws_secret_access_key  ${{ steps.prodAP.outputs.aws-secret-access-key }}
          aws configure set profile.prod-ap.aws_session_token  ${{ steps.prodAP.outputs.aws-session-token }}
          echo "AWS_PROFILE=prod-ap" >> "$GITHUB_ENV" 
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

Error: The security token included in the request is invalid. This setup is working, only on "ap-southeast-3" I get this error.

Not sure why, but manually it's working.

Workaround:

    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
      $(aws sts assume-role \
        --role-arn arn:aws:iam::XXXXXXXXXXX:role/vu-global-cross-account-role \
        --role-session-name MySessionName --profile main \
        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
        --output text))

This is working but it's dumb.
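
The workaround in the last comment, reworked so the three values are registered with the log masker and passed to later steps through a `$GITHUB_ENV`-style file; this is an added example, not code from the thread or from the action. `emit_masked_credentials` and its arguments are hypothetical names, the sample values are constructed, and `::add-mask::` is the GitHub Actions workflow command for log masking.

```shell
#!/bin/sh
# Added example (not from the thread). emit_masked_credentials and its
# arguments are hypothetical names; all sample values are constructed.
#
# $1: the one line printed by the thread's
#     aws sts assume-role ... \
#       --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text
# $2: file to append NAME=value lines to ($GITHUB_ENV inside a workflow)
emit_masked_credentials() (
  creds_line=$1
  env_file=$2
  set -f                 # split on whitespace only, no glob expansion
  set -- $creds_line     # subshell body: the caller's options and args are untouched
  if [ "$#" -ne 3 ]; then
    echo "expected 3 credential fields, got $#" >&2
    exit 1               # nothing masked, nothing written
  fi
  # Register every value with the runner's log masker before it is stored
  # anywhere a later step could echo it from.
  printf '::add-mask::%s\n' "$1" "$2" "$3"
  {
    printf 'AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'AWS_SESSION_TOKEN=%s\n' "$3"
  } >>"$env_file"
)

# Demo with a constructed line (tab-separated, as --output text prints it).
demo_env=$(mktemp)
demo_line=$(printf '%s\t%s\t%s' ASIACONSTRUCTED00001 constructed/secret+value constructedToken==)
emit_masked_credentials "$demo_line" "$demo_env"
echo "lines written: $(wc -l <"$demo_env" | tr -d ' ')"
rm -f "$demo_env"
```

In a workflow step the call would be `emit_masked_credentials "$(aws sts assume-role ... --output text)" "$GITHUB_ENV"`, with the `aws` arguments taken from the workaround above.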