aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

Failed login with OIDC provider since v3 upgrade "Could not load credentials from any providers" #858

Open casstait-vgw opened 1 year ago

casstait-vgw commented 1 year ago

Describe the bug

Currently use this action at v2 with success using an OIDC provider to authenticate.

Would heartily like to upgrade this action; however, attempts at upgrading to v3 and v4 are not successful. Can successfully authenticate with the assumed role as shown below; however, cannot continue as we are met with an error.

[screenshot]

Expected Behavior

Expect successful login using OIDC as we can with v2 of this action.

Current Behavior

Successful authentication with assumed role using OIDC but credentials unable to be loaded for the action.

Reproduction Steps

Current workflow snippet

on:
  schedule:
    - cron: '30 22 * * 0'
  workflow_dispatch:

permissions:
  contents: read
  id-token: write
  pull-requests: write

jobs:
  job-name:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: 'arn:aws:iam::xxx:role/dev-github-actions-read'
          aws-region: 'eu-west-1'
          mask-aws-account-id: 'no'

IAM trust relationship on role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxx:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:<org>/<repo>:environment:<env>",
                        "repo:<org>/<repo>:ref:refs/heads/main",
                        "repo:<org>/<repo>:ref:refs/tags/*",
                        "repo:<org>/<repo>:pull_request"
                    ]
                }
            }
        }
    ]
}

Possible Solution

No response

Additional Information/Context

No response
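
The trust relationship posted above can be checked offline against the `sub` claim a given run would present; since the report says role assumption itself succeeds, this covers the trust-policy side only. This is an added example, not part of the original post or the action's code: the account ID, org/repo and environment name are constructed placeholders, only the `StringLike` and `StringEquals` operators are modeled, and it also reports that the policy as posted has no condition on the `aud` claim.

```python
import re

PROVIDER = "token.actions.githubusercontent.com"
REPO = "repo:example-org/example-repo"  # constructed placeholder for <org>/<repo>

# Trust policy shaped like the one posted; account id and env name are constructed.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"ForAnyValue:StringLike": {f"{PROVIDER}:sub": [
        f"{REPO}:environment:dev", f"{REPO}:ref:refs/heads/main",
        f"{REPO}:ref:refs/tags/*", f"{REPO}:pull_request"]}},
}]}

def iam_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def conditions(stmt):
    """Yield (operator, claim, patterns); 'ForAnyValue:' and the provider prefix are stripped."""
    for op, keys in stmt.get("Condition", {}).items():
        for key, vals in keys.items():
            yield op.split(":")[-1], key.lower().rsplit(":", 1)[-1], [vals] if isinstance(vals, str) else vals

def matches(op, patterns, value):
    if value is None:
        return False
    if op == "StringLike":
        return any(iam_like(p, value) for p in patterns)
    if op == "StringEquals":
        return value in patterns
    return False  # operators this example does not model fail closed

def token_allowed(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity matches every condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithWebIdentity" in stmt["Action"]:
            if all(matches(op, pats, claims.get(c)) for op, c, pats in conditions(stmt)):
                return True
    return False

def audit(policy):
    """Hardening findings: missing aud condition, wildcards in sub patterns."""
    findings = []
    for stmt in policy["Statement"]:
        conds = list(conditions(stmt))
        if not any(c == "aud" for _, c, _ in conds):
            findings.append("no condition on aud claim")
        findings += [f"wildcard in sub: {p}" for _, c, pats in conds if c == "sub" for p in pats if "*" in p]
    return findings
```
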

agoose77 commented 1 year ago

I'm also seeing this over at Awkward Array: https://github.com/scikit-hep/awkward/actions/runs/6302675659/job/17110771652?pr=2721

Does anyone have any ideas what's causing the regression?

chalbersma commented 6 months ago

Did you ever see a fix for this?

agoose77 commented 6 months ago

It's working in production for us now: https://github.com/scikit-hep/awkward/blob/217b3ea531004ef800d76908f5030447a78f6bbd/.github/workflows/docs.yml#L358-L373

chalbersma commented 6 months ago

> It's working in production for us now: https://github.com/scikit-hep/awkward/blob/217b3ea531004ef800d76908f5030447a78f6bbd/.github/workflows/docs.yml#L358-L373

Thanks! I thought I was experiencing an error that might have been the same as this; but it ended up being a PEBCAK error.

casstait-vgw commented 6 months ago

This is still showing the same behaviour in our workflow unfortunately.

Inmovilizame commented 4 months ago

Happening to our company too. Weird behaviour is that we have the same OIDC setup (managed through Terraform) in various accounts; one of them is working correctly and the other 2 show this behaviour.

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: ${{ secrets[steps.aws_role_name.outputs.rolename] }}
          role-session-name: "deploy_coach_${{github.event.inputs.environment}}"
          aws-region: ${{ env.STATE_REGION }}