aws-actions/configure-aws-credentials

Using organization environment variables for `role-to-assume` results in an empty value

farvour opened this issue · 2 comments

Describe the bug

When I try to pass in a value for the `role-to-assume` input using a value from the organization environment variables, as opposed to the organization secrets, it ends up blank, which causes the process to fail. This happened with both the v3 and v4 versions.

Run aws-actions/configure-aws-credentials@v4
  with:
    role-duration-seconds: 1800
    aws-region: us-west-2
    audience: sts.amazonaws.com
  env:
    AWS_DEFAULT_REGION: ***
    AWS_REGION: ***
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

Expected Behavior

I expect the value for `role-to-assume` to be provided and allow the OIDC connector to AWS to work.

Current Behavior

The value for `role-to-assume` remains empty, which subsequently means it can't ask the OIDC identity endpoint for the right role to use.

Reproduction Steps

First, define the two organization environment variables:

  • CI_AWS_IAM_ROLE_ARN
  • AWS_DEFAULT_ROLE_DURATION_SECS

Then, create an action job that does:

# This is required for build-time secrets to be pulled from AWS Secrets Manager.
- run: echo "Value for role-to-assume should be ${{ env.CI_AWS_IAM_ROLE_ARN }}"
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: ${{ env.CI_AWS_IAM_ROLE_ARN }}
    role-duration-seconds: ${{ env.AWS_DEFAULT_ROLE_DURATION_SECS }} # The TTL of the session, in seconds.
    aws-region: us-west-2

Possible Solution

No response

Additional Information/Context

I am using self-hosted runners, and I recall reading somewhere that this can create certain problems with some actions trying to use inputs from environment variables. I was not sure why that would happen here, considering the value for `AWS_DEFAULT_ROLE_DURATION_SECS` exists but the other does not, despite both being available.

Ahoy! I guess I was a bit premature here; there was one thing I failed to read: the full doc on GitHub Variables. I realized that in the past I must have been setting env vars based off of these configuration variables, and in this workflow it was an empty value.

With `${{ vars.CI_AWS_IAM_ROLE_ARN }}` directly, it is working.

I will close this.
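For reference, the pattern the thread converges on, written out as an added example (this is not the issue author's workflow and not code from the action's own documentation): organization and repository configuration variables are exposed through the `vars` context, while `env` only contains what the workflow, job or step itself defines, so `${{ env.CI_AWS_IAM_ROLE_ARN }}` expands to an empty string unless something earlier copied the variable into `env`. The workflow below reads both variables through `vars`, requests the `id-token: write` permission the OIDC exchange needs, and adds a guard step that fails fast when the ARN is empty or malformed rather than handing a blank `role-to-assume` to the action. The variable names are the ones from the issue; the job and step names, the `on:` trigger and the region are assumptions.

```yaml
# Added example, not from the issue or from aws-actions/configure-aws-credentials.
# Assumed: organization configuration variables CI_AWS_IAM_ROLE_ARN and
# AWS_DEFAULT_ROLE_DURATION_SECS exist; job/step names and trigger are illustrative.
name: build
on: [push]

permissions:
  id-token: write   # required so the action can request the OIDC token it exchanges at STS
  contents: read

jobs:
  build:
    runs-on: self-hosted
    env:
      # `env` holds only what the workflow defines here. Configuration variables
      # live in `vars`, so ${{ env.CI_AWS_IAM_ROLE_ARN }} would expand to "" (the bug
      # in the issue). Copying the variable into env via `vars` is the working pattern.
      ROLE_ARN: ${{ vars.CI_AWS_IAM_ROLE_ARN }}
    steps:
      - name: Fail fast if the role ARN variable is empty or malformed
        run: |
          # Loose shape check: arn:<partition>:iam::<12-digit account>:role/<name>.
          # Partition glob aws* also admits aws-cn / aws-us-gov.
          case "$ROLE_ARN" in
            "")
              echo "::error::vars.CI_AWS_IAM_ROLE_ARN is empty (is it defined as a configuration variable, not an env var?)"
              exit 1 ;;
            arn:aws*:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*)
              echo "will assume ${ROLE_ARN}" ;;
            *)
              echo "::error::CI_AWS_IAM_ROLE_ARN does not look like an IAM role ARN: ${ROLE_ARN}"
              exit 1 ;;
          esac

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.CI_AWS_IAM_ROLE_ARN }}          # vars, not env
          role-duration-seconds: ${{ vars.AWS_DEFAULT_ROLE_DURATION_SECS }}
          aws-region: us-west-2
```

The guard step matters on self-hosted runners in particular: the step log in the report shows `AWS_ACCESS_KEY_ID` and related variables already present in the step environment, so catching an empty ARN before the action runs makes it obvious whether the job is really authenticating through OIDC or picking up whatever credentials the runner already carries.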

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.