aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Bug: Use-STSRoleWithWebIdentity Returns No Credentials in PowerShell (Only Expiration field is Returned) #362

Open dotNetNaji opened 4 weeks ago

dotNetNaji commented 4 weeks ago

Describe the bug

Issue Description: I am encountering an issue with the Use-STSRoleWithWebIdentity cmdlet in AWS Tools for PowerShell when running it in a Bitbucket Pipeline. The cmdlet returns an object that contains ONLY the Expiration value. The AWS CLI, using the same parameters (role ARN, web identity token, session name, etc.), works as expected and returns the full credentials (AccessKeyId, SecretAccessKey, and SessionToken).

Regression Issue

Expected Behavior

The Use-STSRoleWithWebIdentity cmdlet should return the full credentials (similar to the AWS CLI), including the AccessKeyId, SecretAccessKey, and SessionToken.

Current Behavior

The Credentials object in the response contains only the Expiration field. No errors or exceptions are thrown, but the complete credentials are missing from the response.

Reproduction Steps

Environment: Bitbucket Pipeline (using mcr.microsoft.com/dotnet/sdk:8.0 image) AWS Tools for PowerShell version: 4.1.680 PowerShell version: 7.5.4 AWS region: eu-west-1

PowerShell Code: (Running inside a bitbucket pipeline)

$stsResponse = Use-STSRoleWithWebIdentity `
    -RoleArn $env:PIPELINE_ROLE_ARN `
    -RoleSessionName "build-session" `
    -WebIdentityToken $env:BITBUCKET_STEP_OIDC_TOKEN `
    -DurationSeconds 3600

# Output response to verify
$stsResponse | ConvertTo-Json -Depth 10 | Write-Host

Output :

{
  "Expiration": "2024-10-18T20:27:47+00:00"
}

AWS CLI Command (Works as expected):

aws sts assume-role-with-web-identity \
    --role-arn $PIPELINE_ROLE_ARN \
    --role-session-name session-name \
    --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN \
    --duration-seconds 3600

CLI output

{
  "Credentials": {
    "AccessKeyId": "AKIA...",
    "SecretAccessKey": "wJalrX...",
    "SessionToken": "IQoJb...",
    "Expiration": "2024-10-18T20:27:47+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAXXXXXXXXXXXX:build-session",
    "Arn": "arn:aws:sts::XXXXXXXXXX:assumed-role/my-role/build-session"
  }
}

Possible Solution

No response

Additional Information/Context

Bitbucket Pipelines OIDC is configured correctly, as the AWS CLI works without issue. No errors or exceptions are thrown in PowerShell; it simply returns an object with only the Expiration field.

AWS Tools for PowerShell version used

Name : AWS.Tools.Common Version : 4.1.680

Name : AWS.Tools.SecurityToken Version : 4.1.680

PowerShell version used

Major : 7 Minor : 4 Patch : 5 PreReleaseLabel : BuildLabel :

Operating System and version

Ubuntu

bhoradc commented 3 weeks ago

Hello @dotNetNaji,

Thank you for reporting this issue. It appears that you are using a custom cmdlet, Use-STSRoleWithWebIdentity?

Use-STSRoleWithWebIdentity doesn't seem to be a cmdlet provided by the AWS Tools for PowerShell. The official cmdlet for assuming a role with web identity credentials is Use-STSWebIdentityRole, which is part of the AWS.Tools.SecurityToken module within the AWS Tools for PowerShell package.

Can you please confirm whether you are experiencing a similar issue when using the Use-STSWebIdentityRole cmdlet? This should call the AWS STS AssumeRoleWithWebIdentity API operation.

In this case, I am unsure why Use-STSRoleWithWebIdentity would return a null response. However, if you continue to experience issues with the official Use-STSWebIdentityRole cmdlet, please let us know.

Regards, Chaitanya
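Along the lines of the reproduction steps above, here is an added example (not the reporter's code and not part of the AWS Tools for PowerShell project) that uses the official Use-STSWebIdentityRole cmdlet named in the reply and assumes the same environment variables as the issue (PIPELINE_ROLE_ARN and BITBUCKET_STEP_OIDC_TOKEN). It tells "member absent" apart from "member not serialised" by listing the object's members with Get-Member, fails the build when any credential field is missing, and reports only whether each secret field is present: piping a working response through ConvertTo-Json into Write-Host would print the SecretAccessKey and SessionToken into the pipeline log.

```powershell
# Added example, not the reporter's or the project's code. Assumes the issue's
# environment variables PIPELINE_ROLE_ARN and BITBUCKET_STEP_OIDC_TOKEN and the
# eu-west-1 region from the report.
$ErrorActionPreference = 'Stop'

$resp = Use-STSWebIdentityRole `
    -RoleArn          $env:PIPELINE_ROLE_ARN `
    -RoleSessionName  'build-session' `
    -WebIdentityToken $env:BITBUCKET_STEP_OIDC_TOKEN `
    -DurationSeconds  3600 `
    -Region           'eu-west-1'

# The cmdlet may hand back the whole response (with a .Credentials member) or the
# Credentials object itself; accept either shape.
$creds = if ($null -ne $resp.PSObject.Properties['Credentials']) { $resp.Credentials } else { $resp }

# Look at the real members instead of trusting a JSON dump: if AccessKeyId and
# friends are listed here but missing from ConvertTo-Json output, the problem is
# serialisation, not the STS call.
$creds | Get-Member -MemberType Property | Select-Object Name, Definition | Out-String | Write-Host

# Report presence only, never the value; STS credentials in a CI log are leaked.
$missing = @()
foreach ($name in 'AccessKeyId', 'SecretAccessKey', 'SessionToken') {
    $present = -not [string]::IsNullOrEmpty($creds.$name)
    if (-not $present) { $missing += $name }
    Write-Host ("{0,-16} present: {1}" -f $name, $present)
}
if ($null -ne $creds.Expiration) {
    Write-Host ("Expiration: {0}" -f $creds.Expiration)
}

if ($missing.Count -gt 0) {
    throw "AssumeRoleWithWebIdentity returned incomplete credentials (missing: $($missing -join ', ')); failing the build."
}

# Load the temporary credentials into the session without writing them to
# stdout, then confirm which principal STS sees.
Set-AWSCredential -AccessKey $creds.AccessKeyId `
                  -SecretKey $creds.SecretAccessKey `
                  -SessionToken $creds.SessionToken `
                  -Scope Global
Get-STSCallerIdentity -Region 'eu-west-1' | Select-Object Account, Arn | Out-String | Write-Host
```

The Get-Member listing is the useful diagnostic to attach to a report like this one: it shows whether the AccessKeyId, SecretAccessKey and SessionToken properties exist on the returned object at all, which a JSON rendering cannot.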

dotNetNaji commented 3 weeks ago

Hello @bhoradc,

I can confirm that I'm facing the same issue with the Use-STSWebIdentityRole cmdlet.

dotNetNaji commented 2 weeks ago

Hello @bhoradc, any updates on this?

ashishdhingra commented 1 day ago

Hello @bhoradc, any updates on this?

@dotNetNaji I will try to review this tomorrow and discuss with the team accordingly.