No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com

[srinivasuluparanduru]

Describe the bug

AssumeRoleAndCallIdentity
No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com

Expected Behavior

Able to authenticate and proceed further

Current Behavior

Reproduce as it is using Githubactions using the link -https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/

Getting Error as AssumeRoleAndCallIdentity
No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com

Reproduction Steps

terrafrom.yml

on:
workflow_dispatch:

env:

AWS_REGION : us-west-2 #Change to reflect your Region

Permission can be added at job level or workflow level

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
AssumeRoleAndCallIdentity:
runs-on: ubuntu-latest
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::*********:role/GitHubAction-AssumeRoleWithAction-S3FullAccess #change to reflect your IAM role’s ARN
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}
role-skip-session-tagging: true
# Hello from AWS: WhoAmI
- name: Sts GetCallerIdentity
run: |
aws sts get-caller-identity

---

2. IAM Role : GitHubAction-AssumeRoleWithAction-S3FullAccess

Trusted relationship : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::****** :oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.GitHubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:SriniFreelanceProjects/GitHubActions_AWS_TF_AssumeRole:*"
}
}
}
]
}

---

3. Followed the steps as it is - https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
4. After running the workflow and i am getting error as

No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com

cant able to resolve the issue

Possible Solution

No response

Additional Information/Context

Seems the same error occured long based on pull request and its repeating once again. Please help to resolve the issue

[appleboy]

Please see the GitHub documentation https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

{
					Effect: pulumi.StringRef("Allow"),
					Actions: []string{
						"sts:AssumeRoleWithWebIdentity",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Federated",
							Identifiers: []string{
								"arn:aws:iam::xxxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com",
							},
						},
					},
					Conditions: []iam.GetPolicyDocumentStatementCondition{
						{
							Test:     "StringLike",
							Variable: "token.actions.githubusercontent.com:sub",
							Values: []string{
								"repo:go-training/golang-in-ecr-ecs:*",
							},
						},
						{
							Test:     "StringEquals",
							Variable: "token.actions.githubusercontent.com:aud",
							Values: []string{
								"sts.amazonaws.com",
							},
						},
					},
				},

Please note that the values of Identifiers are case-sensitive. If you type one letter incorrectly, the problem mentioned above may occur. Please check in this direction.

[srinivasuluparanduru]

Followed the similar manner
Made my repo as public and repo link given below
Repo link - https://github.com/cloudteachable/githubactions_aws_tf_assumerole

Error info : https://github.com/cloudteachable/githubactions_aws_tf_assumerole/actions/runs/4940078525

AssumeRoleAndCallIdentity
No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com

IAM Role :

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::***** :oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:github.com/cloudteachable/githubactions_aws_tf_assumerole:*"
},
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}

---

Still the same error is coming and any help will be appreciated.

[LeviticusMatusius]

your StringLike condition includes the github.com/ prefix. If should not. It should just be "repo:cloudteachable/githubactions_aws_tf_assumerole:*"

Furthermore I'm not sure if today's Actions incident has been messing with the token exchanges between AWS and GitHub, but I've noticed auth failures today that I was not having previously and I'm attributing it to that. That is to say that you may not have much luck right now. Perhaps someone who knows more can chime in on that.

[srinivasuluparanduru]

thanks for the help and resolved the issue and closing the ticket

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[asvataa]

@srinivasuluparanduru I have same issue now, what helped for you?

[srinivasuluparanduru]

had issue in configuring the role properly and above comments fixed in my case.

[glaudiston]

In my case it failed because I was using environment secrets instead of vars to store the aws ci role arn. After changing it to use vars it works as expected.