aws-actions/configure-aws-credentials

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect.

mattpopa opened this issue · 7 comments

Describe the bug

While using self-hosted runners, which already use OIDC for EKS AWS auth, the following warning is issued

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Expected Behavior

While already using OIDC on self-hosted runners on EKS, we should not be getting warnings about not using OIDC

like so

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Current Behavior

Getting this warning every time even though we are using OIDC on our self-hosted runners in AWS EKS

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Reproduction Steps

Using self-hosted runners on EKS, github actions controller + scale sets, EKS OIDC setup for runner pods

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: ${{ secrets.PROD_AWS_ROLE_TO_ASSUME }}
      role-duration-seconds: ${{ env.AWS_ROLE_DURATION }}
      aws-region: ${{ env.AWS_REGION }}

getting

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Possible Solution

suppress the warning

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

this happens since updating the action to v4 for the node deprecation

Additional Information/Context

No response

Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

> Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

Any visibility on when this will be added to v4?

> Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

Thanks for replying. I don't see that change inside v4

git tag --contains 6129f329e60ccdcc69cae650f925172621807647

Let us know if there's a plan to update v4 to include that change.

Hi, I'm facing the same issue. It looks reverted on the following PR.
#871

Our environment is using sts:AssumeRole (without long-term credentials), but it is showing the warning.

Thanks for following up - just released 4.0.2 and pointed v4 to include latest changes, so the warning should now be removed: https://github.com/aws-actions/configure-aws-credentials/releases.

@tim-finnigan Hi, I checked v4.0.2, and it doesn't show the warning when I use sts:AssumeRole (without an IAM access key) on a self-hosted runner.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
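
An added example, not part of the thread or the action's own code: a shell function a workflow step could run before and after `aws-actions/configure-aws-credentials` to confirm which kind of AWS credentials the job actually sees, independent of whether the warning is printed. It assumes the runner pods receive the standard `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` variables and relies on the `AKIA` (long-term) and `ASIA` (temporary) access key ID prefixes; the function name and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify the AWS credential source visible in the job's
# environment. Prints a label; returns non-zero when the result is a
# long-term key or an inconsistent configuration.
aws_cred_source() {
  # Static keys in the environment are read first by the SDK default
  # credential chains, so check them before the web identity variables.
  case "${AWS_ACCESS_KEY_ID:-}" in
    "") ;;  # no static key exported; fall through to web identity
    ASIA*)
      # Temporary STS keys are only usable together with a session token.
      if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        echo "temporary-sts"; return 0
      fi
      echo "temporary-key-missing-session-token"; return 1 ;;
    AKIA*)
      # Long-term IAM user access key: the case the warning is about.
      echo "long-term-access-key"; return 1 ;;
    *)
      echo "unrecognized-key-prefix"; return 1 ;;
  esac

  # Web identity (OIDC) federation: both variables must be set and the
  # projected token file must be readable by the runner process.
  if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ]; then
    if [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
      echo "web-identity"; return 0
    fi
    echo "web-identity-token-unreadable"; return 1
  fi

  # Nothing in the environment; credentials, if any, come from elsewhere
  # (shared config file, container or instance metadata).
  echo "none-in-environment"; return 0
}
```

On a runner set up as the issue describes, the expected result is `web-identity` before the action runs and `temporary-sts` afterwards, since the action exports the assumed role's temporary keys into the job environment.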