hashicorp / setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
https://developer.hashicorp.com/terraform/tutorials/automation/github-actions
Mozilla Public License 2.0

Github-Actions - Unable to Assume secondary role_arn from workflow #316

Closed iamajaz closed 10 months ago

iamajaz commented 1 year ago

Description

AWS Account Information:

Github Workflow:

      - name: Configure AWS credentials from Primary AWS account
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.OIDC_ROLE }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          role-session-name: GitHub-Actions-Builds-OIDC-Terraform

      - name: Setup Terraform Backend on the fly
        working-directory: ${{ env.WORKING_DIR }}
        id: backend
        run: |
          cat > backend.tf << EOF
          terraform {
            backend "s3" {
              bucket         = "${{ env.BUCKET_NAME }}"
              key            = "${{ env.STATE_PREFIX }}/${{ env.AWS_DEFAULT_REGION }}/policies.tfstate"
              role_arn       = "${{ env.BUILDS_ROLE }}"
              region         = "${{ env.AWS_DEFAULT_REGION }}"
              dynamodb_table = "${{ env.DYNAMODB_TABLE }}"
            }
          }
          EOF

      - name: Terraform Init
        working-directory: ${{ env.WORKING_DIR }}
        id: init
        run: |
          git config --global url."https://oauth2:$token@github.com/chargebee/cb-tf-modules.git".insteadOf "ssh://git@github.com/chargebee/cb-tf-modules.git"
          terraform init --reconfigure
        env: 
          token: ${{ secrets.CI_GITHUB_READ_ONLY_TOKEN }}

Issue:

Error:

╷
│ Error: error configuring S3 Backend: IAM Role (arn:aws:iam::123427971234:role/builds-terraform-backend-assume-role) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│   For verbose messaging see aws.Config.CredentialsChainVerboseErrors

What I did

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::678927976789:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Desired Output:
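As an added illustration (not part of the issue and not code from setup-terraform), the following Python models how the trust policy posted above is evaluated for the two hops in this workflow: the OIDC exchange into the primary account's role, and the account-root `sts:AssumeRole` statement that the S3 backend's `role_arn` relies on. The policy copy is reconstructed from the post; the caller ARNs and the role name `github-oidc-role` are invented placeholders, and the evaluator models only Allow statements with `StringEquals`/`StringLike`, not the full IAM engine. It also lints the OIDC statement for the conditions a reviewer would check.

```python
import fnmatch
from typing import Optional

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"

# Trust policy of the backend role, reconstructed from the issue above (constructed copy;
# the account ids are the placeholder values the reporter posted).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::678927976789:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {},
        },
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringLike": {SUB_KEY: "repo:sampler-terra/templates:*", AUD_KEY: "sts.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _account_of(arn: str) -> str:
    return arn.split(":")[4]  # arn:partition:service:region:account-id:resource


def _principal_matches(principal: dict, caller_arn: str) -> bool:
    """True if the Principal block covers caller_arn. An "AWS" principal of
    arn:aws:iam::ACCOUNT:root delegates to the whole account, so any user, role
    or assumed-role session from ACCOUNT matches it."""
    for kind, values in principal.items():
        for value in _as_list(values):
            if kind == "AWS" and value.endswith(":root"):
                if _account_of(value) == _account_of(caller_arn):
                    return True
            elif value == caller_arn:
                return True
    return False


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every condition key must match; the values listed for one key are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key fails a String* condition
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                # IAM '*' / '?' wildcards; fnmatchcase is case-sensitive like StringLike
                if not any(fnmatch.fnmatchcase(actual, pat) for pat in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def trust_policy_allows(policy: dict, caller_arn: str, action: str, context: Optional[dict] = None) -> bool:
    """Does some Allow statement of the trust policy match this request?
    Trust policy side only: for the account-root statement STS additionally
    requires the caller's own identity policy to allow sts:AssumeRole."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def lint_oidc_statements(policy: dict) -> list:
    """Flag weak GitHub OIDC trust conditions (heuristics, not an AWS API)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        flat = {k: (op, v) for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items()}
        sub, aud = flat.get(SUB_KEY), flat.get(AUD_KEY)
        if sub is None:
            findings.append(f"statement {i}: no {SUB_KEY} condition, so any GitHub repository is trusted")
        elif any(pat.endswith(":*") for pat in _as_list(sub[1])):
            findings.append(f"statement {i}: sub ends with ':*', matching every branch, tag, environment and PR of the repo")
        if aud is None:
            findings.append(f"statement {i}: no {AUD_KEY} condition")
        elif aud[0] != "StringEquals":
            findings.append(f"statement {i}: aud is matched with {aud[0]}; use StringEquals")
    return findings


if __name__ == "__main__":
    session = "arn:aws:sts::678927976789:assumed-role/github-oidc-role/GitHub-Actions-Builds-OIDC-Terraform"
    print("backend role_arn trusted for this session:", trust_policy_allows(TRUST_POLICY, session, "sts:AssumeRole"))
    for finding in lint_oidc_statements(TRUST_POLICY):
        print("finding:", finding)
```

Passing `trust_policy_allows` for the account-root statement is necessary but not sufficient: because that statement trusts the whole account rather than a specific role, STS also requires the calling role in 678927976789 to carry an identity policy that allows `sts:AssumeRole` on the backend role ARN, which is the second cause listed in the error output above. The linter's two findings on the posted policy (a `sub` pattern that matches every ref of the repository, and `aud` checked with `StringLike` rather than `StringEquals`) are the conditions to tighten on any role trusted by GitHub OIDC.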

bflad commented 10 months ago

Hi @iamajaz 👋 Thank you for raising this and sorry you are running into trouble here. Please note that this GitHub repository's issue tracker is only used for feature requests and bug reports for the setup-terraform GitHub action itself. Since this appears to be a Terraform S3 backend question, my best recommendation would be to submit a topic in the Terraform section of HashiCorp Discuss, where there are many more people asking and answering usage questions such as these.

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.