aws-actions/configure-aws-credentials

OIDC: Can't assume role containing "github"

bbergeron0 opened this issue · 5 comments

Describe the bug

Just like #953, OIDC seems to break down when the IAM role name contains "GitHub." The runner couldn't assume the role "github-action-deploy-to-staging" or "test-github-cicd," but assumed the role "deploy-to-staging" without a hitch, with the only difference between these roles being their name. After finding the aforementioned issue, I gave the solution a try and it worked.

Expected Behavior

I expect it to work even if the role contains "github".

Current Behavior

In GH action logs:

Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
...
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

As I said, the role must contain "github" to fail. Here's the failing step in question (also, permissions.id-token = write):

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::[redacted]:role/github-said-hi
        role-session-name: samplerolesession
        aws-region: ${{ env.AWS_REGION }}

Possible Solution

#954 suggested "either highlighting this restricted role name in the documentation, or fixing the issue preventing use of this role name." I'd like to vote for the second option this time around ;)

Additional Information/Context

No response

This note was added to the README:

Note: Naming your role "GitHubActions" has been reported to not work. See #953.

More investigation is needed into why a role containing "github" doesn't work and what could be done about it.
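An added diagnostic, not code from this issue thread or from the configure-aws-credentials project: "Not authorized to perform sts:AssumeRoleWithWebIdentity" is the error STS returns when the role's trust policy does not match the presented web-identity token, so the first thing to rule out is a claim/condition mismatch. The script below decodes the GitHub-issued id-token (a JWT; the signature is deliberately not verified, this is diagnostics only) and evaluates its `iss`, `aud` and `sub` claims against the trust policy's `Principal` and `Condition` blocks offline, reporting every condition that fails. The token, the account id 123456789012 and both trust policies are constructed placeholders; the role name github-said-hi is the one from the report. This cannot reproduce the role-name-dependent behaviour the reporter describes (the trust policies in the report were presumably identical apart from the role name), and it does not cover an unregistered OIDC provider, a wrong provider ARN or an SCP, all of which yield the same STS error.

```python
import base64
import fnmatch
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned token with the claim layout GitHub's OIDC provider uses.
# Org, repo and branch are placeholders; the signature segment is a dummy.
SAMPLE_CLAIMS = {
    "iss": "https://" + GITHUB_OIDC_HOST,
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"signature-not-checked"),
])

# Constructed trust policy for a role such as github-said-hi; 123456789012 is a
# placeholder account id. The StringLike on sub limits callers to one repo's branches.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:ref:refs/heads/*"},
        },
    }],
}

# Same policy scoped to a different repository, to show what a rejection looks like.
MISMATCHED_POLICY = json.loads(json.dumps(TRUST_POLICY))
MISMATCHED_POLICY["Statement"][0]["Condition"]["StringLike"][f"{GITHUB_OIDC_HOST}:sub"] = "repo:example-org/other-repo:*"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    _header, payload, _sig = token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _condition_holds(operator: str, expected, actual: str) -> bool:
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":  # IAM's '*' and '?' wildcards behave like fnmatch here
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported condition operator: {operator}")


def evaluate_trust_policy(policy: dict, claims: dict) -> list:
    """Return the reasons the token would be rejected; an empty list means some
    Allow statement for sts:AssumeRoleWithWebIdentity matches every condition."""
    issuer_host = claims.get("iss", "").split("://", 1)[-1]
    reasons = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        failed = []
        # The Federated principal must be the OIDC provider matching the token's issuer.
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith("oidc-provider/" + issuer_host):
            failed.append(f"Principal {federated!r} is not the provider for iss {claims.get('iss')!r}")
        # Condition keys look like "<provider-host>:<claim>", e.g. "...githubusercontent.com:sub".
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                host, _, claim = key.partition(":")
                actual = claims.get(claim) if host == issuer_host else None
                if actual is None or not _condition_holds(operator, expected, actual):
                    failed.append(f"{operator} {key} expects {expected!r}, token has {actual!r}")
        if not failed:
            return []
        reasons.extend(failed)
    return reasons or ["no Allow statement grants sts:AssumeRoleWithWebIdentity"]


def diagnose(token: str, policy: dict) -> list:
    """Decode the token and evaluate it against the trust policy."""
    return evaluate_trust_policy(policy, decode_claims(token))


if __name__ == "__main__":
    for name, policy in (("TRUST_POLICY", TRUST_POLICY), ("MISMATCHED_POLICY", MISMATCHED_POLICY)):
        problems = diagnose(SAMPLE_TOKEN, policy)
        print(name, "-> would be allowed" if not problems else "-> rejected: " + "; ".join(problems))
```

On a real runner the token to feed into diagnose() is obtained with the job's id-token permission, e.g. `curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com"`, and the live trust policy with `aws iam get-role --role-name github-said-hi --query Role.AssumeRolePolicyDocument`. If the script reports no mismatch for a role that STS still rejects, the trust policy is not the problem and the cause lies elsewhere (provider registration, the action's own request, or an organisation policy), which is the situation this issue leaves open.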