search

aws / aws-toolkit-azure-devops

AWS Toolkit for Azure DevOps
Other
249 stars 104 forks source link

Classic S3 Upload Task fails when using Service Connection configured to use OIDC authentication #565

Open swansonaj opened 2 months ago

swansonaj commented 2 months ago

Describe the bug Many of our customer still use Classic Azure DevOps pipelines (as opposed to YAML pipelines) and therefore the classic tasks that come with the AWS Toolkit for Azure DevOps are also used. While trying a conversion of one of these pipelines to use a Service Connection with OIDC authentication enabled I can't seem to get past the following error: "Failed to assume role with OIDC: Error: System.AccessToken is undefined."

Here's a log excerpt with error in context:

Content uploads are performed using S3's PutObject API and/or the multi-part upload APIs. The specific APIs used depend on the size of the individual files being uploaded.
2024-08-30T20:12:30.8854418Z ==============================================================================
2024-08-30T20:12:31.5474060Z Configuring credentials for task
2024-08-30T20:12:31.5480739Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5480974Z Skipping Instance profile, we have OIDC enabled
2024-08-30T20:12:31.5491876Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5493003Z Getting OIDC Token...
2024-08-30T20:12:31.5499826Z Failed to assume role with OIDC: Error: System.AccessToken is undefined
.
.
.

To reproduce

  1. Create an AWS Service Connection with "Use OIDC" enabled
  2. Create a classic Azure DevOps pipeline with an S3 Upload task in it and configure that task to use the service connection from step 1
  3. Run the pipeline it will fail

Expected behavior The S3 Upload task should work

Screenshots

2024-08-30 16-05-42_cfn-poc-cfn-release - Release-7 - Pipelines

Your Environment

Additional context I tried the S3 Upload tasks using a YAML pipeline (same service connection and target S3 bucket) and it worked!

shillam commented 3 weeks ago

Same issue here with ECR Push Image:

Getting OIDC Token...
Failed to assume role with OIDC: Error: System.AccessToken is undefined