aws-actions/configure-aws-credentials

Error: The security token included in the request is invalid - in GHA jobs


Describe the bug

Hi,

We are planning to run some tests, and below is the flow:

```yaml
name: 'Run RSpec Tests'
on:
  push:
    branches:
      - master
  pull_request:
  label:
    types: [created, edited, deleted]

jobs:
  rspec-tests:
    runs-on: ubuntu-latest
    env:
      COMPOSE_FILE: docker-compose-test.yml

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: List All Environment Variables
        run: secrets

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.ACCESS_KEY_SECRET }}
          aws-region: us-east-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build, and push test image to Amazon ECR with new node packages
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          BUNDLE_GITHUB__COM: ${{ secrets.PAT }}:x-oauth-basic
        if: github.event.label.name == 'enhancement' || contains(github.event.pull_request.labels.*.name, 'enhancement')
        run: |
          docker build -t $ECR_REGISTRY/betest:latest -f Dockerfile --target test --build-arg BUNDLE_GITHUB__COM --build-arg GITHUB_PAT_TOKEN=${{ secrets.PKG_READ_TOKEN }} .
          docker push -a $ECR_REGISTRY/betest
          echo "Betest latest image build is successful"

      - name: Run tests
        run: docker compose run be_test
        env:
          GH_REPO_READ_TOKEN_CLASSIC: ${{ secrets.GH_REPO_READ_TOKEN_CLASSIC }}
```

This is giving an error at aws-actions/configure-aws-credentials@v1:

```
with:
  aws-access-key-id: ***
  aws-secret-access-key: ***
  aws-region: us-east-1
  audience: sts.amazonaws.com
env:
  COMPOSE_FILE: docker-compose-test.yml
Error: The security token included in the request is invalid.
```

Please help us with this issue.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

This should run successfully with no errors.

Current Behavior

This is giving an error at aws-actions/configure-aws-credentials@v1:

```
with:
  aws-access-key-id: ***
  aws-secret-access-key: ***
  aws-region: us-east-1
  audience: sts.amazonaws.com
env:
  COMPOSE_FILE: docker-compose-test.yml
Error: The security token included in the request is invalid.
```

Reproduction Steps

This is happening every time.

Possible Solution

No response

Additional Information/Context

No response

Hi, I have the same issue.

```yaml
- name: Configure AWS credentials
  id: odic                                  # name of step, to allow access to outputs
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: us-east-1
    role-to-assume: ${{ env.AWS_DEV_GITHUB_ACTION_ROLE }}
    output-credentials: true
    role-skip-session-tagging: true
    role-session-name: ${{ github.actor }}_${{ github.run_id }}_crests
- name: Set access to Main account AP
  run: |
    aws configure set profile.main.aws_access_key_id ${{ steps.odic.outputs.aws-access-key-id }}
    aws configure set profile.main.aws_secret_access_key  ${{ steps.odic.outputs.aws-secret-access-key }}
    aws configure set profile.main.aws_session_token  ${{ steps.odic.outputs.aws-session-token }}
    aws sts get-caller-identity
    cat ~/.aws/credentials | base64

- name: Configure other AWS Credentials AP
  id: prodAP
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: ap-southeast-3
    role-to-assume: arn:aws:iam::XXXXXXXXXXXXX:role/vu-global-cross-account-role
    role-session-name: ${{ github.actor }}_${{ github.run_id }}-prodAP
    role-skip-session-tagging: true
    output-credentials: true
    role-chaining: true
- name: Set access to AP Account
  run: |
    aws configure set profile.prod-ap.aws_access_key_id ${{ steps.prodAP.outputs.aws-access-key-id }}
    aws configure set profile.prod-ap.aws_secret_access_key  ${{ steps.prodAP.outputs.aws-secret-access-key }}
    aws configure set profile.prod-ap.aws_session_token  ${{ steps.prodAP.outputs.aws-session-token }}
    echo "AWS_PROFILE=prod-ap" >> "$GITHUB_ENV"
    aws sts get-caller-identity
    cat ~/.aws/credentials | base64
```

Error: The security token included in the request is invalid. This setup is working; only on "ap-southeast-3" I get this error.

Not sure why, but manually it's working.

Workaround:

```bash
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
  $(aws sts assume-role \
    --role-arn arn:aws:iam::XXXXXXXXXXX:role/vu-global-cross-account-role \
    --role-session-name MySessionName --profile main \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text))
```

This is working, but it's dumb.
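
A way to check what the `aws configure set` steps in the comment above wrote, without echoing the credentials file into the job log (base64 output is not covered by GitHub's secret masking, which matches only the exact secret strings). This is an added example, not code from the issue or from the action; the function name `aws_cred_summary`, its verdict labels and the sample values are constructed for illustration.

```shell
# Added example: summarise an AWS shared credentials file without printing
# any secret value. AKIA = long-term IAM user key, ASIA = temporary STS key.
aws_cred_summary() {
  awk '
    function report() {
      if (profile == "") return
      kind = "unknown"
      if (key ~ /^AKIA/) kind = "long-term"
      else if (key ~ /^ASIA/) kind = "temporary"
      verdict = "ok"
      if (key == "" || !secret) verdict = "incomplete"
      else if (kind == "temporary" && !token) verdict = "missing-session-token"
      else if (kind == "long-term" && token) verdict = "unexpected-session-token"
      printf "%s key=%s(%s) secret=%s token=%s verdict=%s\n",
        profile, substr(key, 1, 4), kind,
        (secret ? "set" : "unset"), (token ? "set" : "unset"), verdict
    }
    /^[ \t]*\[/ {                      # start of a new [profile] section
      report()
      profile = $0
      sub(/^[ \t]*\[/, "", profile); sub(/\].*$/, "", profile)
      key = ""; secret = 0; token = 0
      next
    }
    {
      eq = index($0, "=")              # tokens may contain "=", split on the first
      if (eq == 0) next
      name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
      gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t\r]+$/, "", value)
      if (name == "aws_access_key_id") key = value
      else if (name == "aws_secret_access_key") secret = (value != "")
      else if (name == "aws_session_token") token = (value != "")
    }
    END { report() }
  ' "${1:-$HOME/.aws/credentials}"
}

# Constructed sample with fake values; "-" makes awk read the here-document.
aws_cred_summary - <<'EOF'
[main]
aws_access_key_id = ASIACONSTRUCTED00001
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token==
[prod-ap]
aws_access_key_id = ASIACONSTRUCTED00002
aws_secret_access_key = constructed-secret
EOF
```

Only the four-character key prefix and set/unset flags are printed, so the output can stay in a CI log; a temporary (`ASIA`) key without a session token is flagged as `missing-session-token`.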