Closed
Description
Describe the bug
Trying to use the GitHub OIDC --> AWS IAM role workflow, and it fails with the error below.
```yaml
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  workflow_dispatch:

env:
  AWS_REGION: us-east-1
  ECR_REPOSITORY: xzy-v123
  IMAGE_TAG: ${{ github.sha }}

permissions:
  id-token: write
  contents: read

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
```
Fails with the error below:
```text
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
```
AWS IAM Role Trust Policy:
AWS IAM role name: arn:aws:iam::xxxxxxxxx:role/GitHubActions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:sub": "repo:MyOrg/xzy-v123:ref:refs/heads/*",
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
What is the issue? Please help!
Regression Issue
- [ ] Select this option if this issue appears to be a regression.
Expected Behavior
We should be able to authenticate via GitHub OIDC using the AWS IAM role to access AWS resources.
Current Behavior
Failing to authenticate to AWS via the IAM role given in the GitHub Actions workflow.
Reproduction Steps
Use the above mechanisms to create the role + Actions to authenticate.
Possible Solution
No response
Additional Information/Context
No response
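The trust policy above is the part of this report worth checking carefully, because `sts:AssumeRoleWithWebIdentity` is denied whenever the Condition block does not match the token's claims. Two properties of IAM condition operators matter here: `StringEquals` is an exact, case-sensitive comparison in which `*` is an ordinary character, and only `StringLike` treats `*` (any run of characters) and `?` (one character) as wildcards. Separately, a GitHub token minted for a `pull_request` event carries `sub` = `repo:<owner>/<repo>:pull_request`, not a `refs/heads/...` subject, and the workflow above triggers on `pull_request` as well as `push`. The script below is an added example, not code from the configure-aws-credentials action or from AWS: it models those two operators offline, evaluates the posted Condition block next to a corrected one against constructed claim sets (the `PUSH_TO_MASTER`, `PULL_REQUEST` and `OTHER_REPO` dictionaries are assumptions for the example, not captured tokens), and shows that the corrected policy still rejects a token from another repository.

```python
import re

# Constructed sample claims, keyed the way IAM exposes GitHub token claims as
# condition keys. These are assumptions for this example, not captured tokens.
PUSH_TO_MASTER = {
    "token.actions.githubusercontent.com:sub": "repo:MyOrg/xzy-v123:ref:refs/heads/master",
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
}
PULL_REQUEST = {
    "token.actions.githubusercontent.com:sub": "repo:MyOrg/xzy-v123:pull_request",
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
}
OTHER_REPO = {
    "token.actions.githubusercontent.com:sub": "repo:OtherOrg/other-repo:ref:refs/heads/master",
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
}

# The Condition block exactly as posted in the issue: StringEquals with a '*'.
POSTED_CONDITION = {
    "StringEquals": {
        "token.actions.githubusercontent.com:sub": "repo:MyOrg/xzy-v123:ref:refs/heads/*",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    }
}

# Corrected Condition: StringLike for the wildcard subject, exact match kept for
# aud, plus the pull_request subject because the workflow also runs on pull_request.
CORRECTED_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {
        "token.actions.githubusercontent.com:sub": [
            "repo:MyOrg/xzy-v123:ref:refs/heads/*",
            "repo:MyOrg/xzy-v123:pull_request",
        ]
    },
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,  # exact; '*' is literal
    "StringLike": string_like,
}


def condition_matches(condition: dict, claims: dict) -> bool:
    """Return True only if every key under every operator matches the claims.

    A list of values is satisfied when any one entry matches; a missing claim
    never matches. Operators this example does not model are rejected explicitly.
    """
    for operator, pairs in condition.items():
        match = OPERATORS.get(operator)
        if match is None:
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            candidates = expected if isinstance(expected, list) else [expected]
            actual = claims.get(key)
            if actual is None or not any(match(p, actual) for p in candidates):
                return False
    return True


def evaluate(condition: dict) -> dict:
    """Evaluate one Condition block against the three constructed claim sets."""
    return {
        "push_to_master": condition_matches(condition, PUSH_TO_MASTER),
        "pull_request": condition_matches(condition, PULL_REQUEST),
        "other_repo": condition_matches(condition, OTHER_REPO),
    }


if __name__ == "__main__":
    for name, condition in (("posted", POSTED_CONDITION), ("corrected", CORRECTED_CONDITION)):
        print(name, evaluate(condition))
```

Running it prints every combination as `False` for the posted block and `True` only for the two subjects of this repository under the corrected block. Keeping `aud` under `StringEquals` is deliberate: the action requests the `sts.amazonaws.com` audience by default, and an exact match there is part of what keeps the role scoped to this repository's workflows rather than to any holder of a GitHub OIDC token.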