
Credential problem for usecase of Github Actions OIDC federated IAM Role

See original GitHub issue

This article, AWS federation comes to GitHub Actions, explains that we can use an OIDC federated IAM Role in a GitHub Actions workflow.

But now I got this error with aws-actions/aws-codebuild-run-build@v1.

Error: No credentials. Try adding @aws-actions/configure-aws-credentials earlier in your job to set up AWS credentials.

If I simply comment out this assert, it works well: https://github.com/aws-actions/aws-codebuild-run-build/blob/8945a85e94fd346070a0d8a28da303dbdd80b4bf/code-build.js#L228_L230

assert(
  codeBuild.config.credentials && cloudWatchLogs.config.credentials,
  "No credentials. Try adding @aws-actions/configure-aws-credentials earlier in your job to set up AWS credentials."
);

So for the moment I suggest just logging this as a warning instead of asserting.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:5

Top GitHub Comments

1 reaction
celliott commented, Sep 22, 2021

@takaaki-inada I’m glad to help. I spent a little more time today and found a much cleaner way to use OIDC to get STS AWS creds. This has been tested with aws-actions/aws-codebuild-run-build@v1.0.4

name: GitHub Action AWS OIDC STS Creds
on:
  workflow_dispatch: {}
  pull_request: {}
concurrency: ${{ github.repository }}-github-action
env:
  AWS_ROLE_ARN: arn:aws:iam::0123456789012:role/ExampleGithubRole
  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awstoken
  AWS_REGION: us-east-1
jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set Environment Variables
        run: echo "REPO_NAME=${GITHUB_REPOSITORY#*\/}" >> $GITHUB_ENV
      - name: Get AWS Credentials Using OIDC
        run: |
          # The audience requested here must equal the aud condition in the role's trust policy.
          # -sSf makes curl fail on an HTTP error instead of writing "null" into the token file.
          curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
      - name: Configure AWS Credentials
        # master is a floating ref; a tagged release or a commit SHA is the safer thing to depend on
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ${{ env.AWS_REGION }}
          web-identity-token-file: ${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
          role-duration-seconds: 1800
          role-session-name: ${{ env.REPO_NAME }}-github-action
      - name: AWS Get Caller Identity
        run: aws sts get-caller-identity
1 reaction
celliott commented, Sep 17, 2021

Here is a workaround until this issue is addressed. Not super clean, but it does get STS creds with assume-role-with-web-identity and works with aws-codebuild-run-build. I followed the same post, AWS federation comes to GitHub Actions, for setting up my OIDC provider and IAM role with a federated trust policy, although I used Terraform instead of CloudFormation.

- name: Get AWS Credentials Using OIDC
  id: aws_sts_creds
  run: |
    export AWS_ROLE_ARN=arn:aws:iam::0123456789012:role/ExampleGithubRole
    export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
    export AWS_DEFAULT_REGION=us-east-1

    # The audience must equal the aud condition in the role's trust policy; -sSf fails on HTTP errors
    curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE

    aws sts assume-role-with-web-identity \
      --role-arn $AWS_ROLE_ARN \
      --role-session-name github-actions \
      --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
      --duration-seconds 1000 > /tmp/aws-creds

    export AWS_ACCESS_KEY_ID="$(cat /tmp/aws-creds | jq -r ".Credentials.AccessKeyId")"
    export AWS_SECRET_ACCESS_KEY="$(cat /tmp/aws-creds | jq -r ".Credentials.SecretAccessKey")"
    export AWS_SESSION_TOKEN="$(cat /tmp/aws-creds | jq -r ".Credentials.SessionToken")"

    echo ::add-mask::$AWS_ACCESS_KEY_ID
    echo ::add-mask::$AWS_SECRET_ACCESS_KEY
    echo ::add-mask::$AWS_SESSION_TOKEN

    # ::set-output has since been deprecated by GitHub in favour of writing "name=value" to $GITHUB_OUTPUT
    echo ::set-output name=aws_access_key_id::$AWS_ACCESS_KEY_ID
    echo ::set-output name=aws_secret_access_key::$AWS_SECRET_ACCESS_KEY
    echo ::set-output name=aws_session_token::$AWS_SESSION_TOKEN
    echo ::set-output name=aws_default_region::$AWS_DEFAULT_REGION

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ steps.aws_sts_creds.outputs.aws_access_key_id }}
    aws-secret-access-key: ${{ steps.aws_sts_creds.outputs.aws_secret_access_key }}
    aws-session-token: ${{ steps.aws_sts_creds.outputs.aws_session_token }}
    aws-region: ${{ steps.aws_sts_creds.outputs.aws_default_region }}
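
Both of celliott's workflows above request the token with audience=sigstore and hand it to sts:AssumeRoleWithWebIdentity, so the role's trust policy must carry a matching token.actions.githubusercontent.com:aud condition. If that is all the policy checks, any GitHub repository that requests the same audience can assume the role, so the policy should also pin the sub claim to the repository. The following is an added example, not code from this thread or from the aws-actions projects: it decodes a token payload (without signature verification, which STS performs against GitHub's JWKS) and applies the same iss, aud, sub and exp checks an IAM trust policy would, then renders that trust policy. The account ID, the example-org/example-repo and someone-else/fork repositories and the sample claims are constructed placeholders; the sigstore audience and the sub claim layout (repo:OWNER/REPO:ref:refs/heads/BRANCH) follow the workflows above and GitHub's documented token format.

```python
"""Offline check of a GitHub Actions OIDC token against an IAM trust policy.

Added example, not code from the issue thread or from aws-actions/*.
It decodes the token payload WITHOUT verifying the signature (STS does that
against GitHub's JWKS) and applies the aud/sub conditions the role's trust
policy would, so a mismatch surfaces before the STS call.
"""
import base64
import fnmatch
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
OIDC_PROVIDER = "token.actions.githubusercontent.com"


def decode_payload(jwt):
    """Return the claims of a compact JWS (header.payload.signature), unverified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_allows(claims, expected_aud, allowed_subs, now=None):
    """Mirror the conditions of trust_policy_document(); returns (allowed, reason).

    allowed_subs are IAM StringLike patterns (* and ? wildcards).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "iss mismatch: %r" % claims.get("iss")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "aud %r does not contain %r" % (auds, expected_aud)
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pattern) for pattern in allowed_subs):
        return False, "sub %r matches none of %r" % (sub, allowed_subs)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def trust_policy_document(account_id, expected_aud, allowed_subs):
    """IAM trust policy that enforces the same aud and sub conditions (account_id is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::%s:oidc-provider/%s" % (account_id, OIDC_PROVIDER)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {OIDC_PROVIDER + ":aud": expected_aud},
                "StringLike": {OIDC_PROVIDER + ":sub": list(allowed_subs)},
            },
        }],
    }


def make_unsigned_token(claims):
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (b64({"alg": "none", "typ": "JWT"}), b64(claims))


# Constructed claims modelled on GitHub's token; the org and repo names are made up.
EXPECTED_AUD = "sigstore"  # must equal the audience= the workflow requests
ALLOWED_SUBS = ["repo:example-org/example-repo:*"]
OWN_REPO_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": EXPECTED_AUD,
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "exp": int(time.time()) + 300,
}
FOREIGN_REPO_CLAIMS = dict(OWN_REPO_CLAIMS, sub="repo:someone-else/fork:ref:refs/heads/main")


def main():
    for label, claims in (("own repo", OWN_REPO_CLAIMS), ("foreign repo", FOREIGN_REPO_CLAIMS)):
        decoded = decode_payload(make_unsigned_token(claims))
        print(label, "aud+sub policy:", trust_policy_allows(decoded, EXPECTED_AUD, ALLOWED_SUBS))
        print(label, "aud-only policy:", trust_policy_allows(decoded, EXPECTED_AUD, ["*"]))
    print(json.dumps(trust_policy_document("123456789012", EXPECTED_AUD, ALLOWED_SUBS), indent=2))


if __name__ == "__main__":
    main()
```

Run as a script it prints both verdicts and the rendered policy; the foreign-repo token is rejected by the aud+sub policy but accepted by the aud-only one, which is exactly the exposure a trust policy that checks only the audience leaves open. In a workflow the same decode can be run over $AWS_WEB_IDENTITY_TOKEN_FILE before the configure-aws-credentials step, turning an AccessDenied from STS into a message that names the offending claim.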