aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

OIDC not working with GitHub App #930

Open AlissonRS opened 1 year ago

AlissonRS commented 1 year ago

Describe the bug

When trying to configure aws credentials setting the GITHUB_TOKEN env var using a GitHub App token, the action fails to fetch credentials with the error below:

It looks like you might be trying to authenticate with OIDC. Did you mean to set the id-token permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.

The GitHub App is installed in the Organization and has the permissions required.

If I don't set the GITHUB_TOKEN and instead just add the usual permissions with id-token on the job, it works fine, but adding permissions on the job makes it not possible to set GITHUB_TOKEN for other steps that need the GitHub App token instead of the temp token created by the workflow.

My workaround was to split my workflow into multiple jobs, so now I have an isolated job for configure-aws-credentials and other steps related to AWS (e.g. push docker image to ECR), but this is a bit tedious, as now I need to check out the code for every job and properly share outputs; using a single job was more convenient.

Another idea would be to just use assume role with static IAM credentials (e.g. access key and secret), but that's not the recommended way.

Expected Behavior

It should be able to fetch credentials using a GitHub App token from a workflow under the GitHub repo that was set up in the Identity Provider on the AWS side.

Current Behavior

It fails to find the credentials.

Reproduction Steps

The workflow looks like this:

    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ROLE_ARN }}
          aws-region: us-east-1

Possible Solution

I think by overriding the GITHUB_TOKEN, somehow AWS thinks the request is not coming from the authorized GitHub Repo, so perhaps this is a matter of actions/create-github-app-token@v1 having to support a way to generate a token on behalf of the organization (or user that triggered the workflow?).

So it's not clear if this issue can be fixed on this action.

Additional Information/Context

No response
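The split-job workaround described in the report, written out as a complete workflow. This is an added example, not code from the issue or from the configure-aws-credentials project: the job and step names, the ECR login step and the `gh` call are assumptions, while the secret and variable names (`APP_ID`, `APP_PRIVATE_KEY`, `AWS_GITHUB_ROLE_ARN`) are the ones used in the report. The point is that `id-token: write` is granted only to the job that performs the OIDC exchange, and that job never has `GITHUB_TOKEN` overridden, while the GitHub App token lives in a separate job and is scoped to the steps that need it.

```yaml
# Added example (not from the original issue): the reporter's split-job workaround
# as a full workflow. Names of jobs/steps are assumptions; secret/variable names
# come from the report.
name: build-and-deploy

on:
  push:
    branches: [main]

# Workflow-wide default: no permissions. Each job opts in to exactly what it needs,
# so the GITHUB_TOKEN handed to a job is as narrow as possible.
permissions: {}

jobs:
  # Job 1: everything that talks to AWS. Only this job gets id-token: write, and
  # nothing in it overrides GITHUB_TOKEN, so the OIDC token request is undisturbed.
  aws:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed for the OIDC exchange with AWS STS
      contents: read    # needed only to check out the code
    outputs:
      image: ${{ steps.build.outputs.image }}
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ROLE_ARN }}
          aws-region: us-east-1

      # Sanity check: confirms which IAM role the OIDC exchange actually produced.
      - name: Show assumed identity
        run: aws sts get-caller-identity

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2   # assumption: ECR is the image registry

      - name: Build and push image
        id: build
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE: my-app   # assumption: repository name in ECR
        run: |
          docker build -t "$REGISTRY/$IMAGE:${GITHUB_SHA}" .
          docker push "$REGISTRY/$IMAGE:${GITHUB_SHA}"
          echo "image=$REGISTRY/$IMAGE:${GITHUB_SHA}" >> "$GITHUB_OUTPUT"

  # Job 2: everything that needs the GitHub App token. No id-token permission here,
  # and the App token is set as a *step-level* env var rather than job-level, so it
  # reaches only the steps that use it.
  github-app:
    runs-on: ubuntu-latest
    needs: aws
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # Example consumer of the App token (assumption): comment the pushed image
      # reference on the commit using the App's identity rather than the workflow's.
      - name: Report image
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
          gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_SHA}/comments" \
            -f body="Pushed image ${{ needs.aws.outputs.image }}"
```

Whether a step-scoped `GITHUB_TOKEN` override in a single job would already be enough is exactly what this issue is about; keeping the two token flows in separate jobs sidesteps that question and also keeps the OIDC-capable job free of any long-lived or App-derived credentials.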

tim-finnigan commented 1 year ago

Thanks for reaching out. This looks like it may be related to past issues such as https://github.com/aws-actions/configure-aws-credentials/issues/373. Are the comments here or here helpful? Not sure if https://github.com/actions/create-github-app-token or somewhere else might be a better place for this discussion.

AlissonRS commented 1 year ago

@tim-finnigan thanks for the quick reply.

I'm afraid my issue is not related to the links you shared, as that one is not related to using GitHub App for authentication, they are using public repo forks, and I'm using private repos without forks.

I posted here instead of the "create-github-app-token" repo because that error message is coming from this action; also, other actions work fine with the token generated by the "create-github-app-token" action.

AlissonRS commented 1 year ago

@tim-finnigan I went through this action's code, and figured that you validate if the ACTIONS_ID_TOKEN_REQUEST_TOKEN env var is set, otherwise the @actions/core action would fail anyway since it requires those packages.

So I logged an issue on create-github-app-token to better understand, maybe they just need to set this env var - as well as ACTIONS_ID_TOKEN_REQUEST_URL - so all of this works seamlessly.

I left this issue open so you can see my comment, but feel free to close it.

Thanks for your help!!!

github-actions[bot] commented 1 year ago

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one.