
OIDC not working with jobs.<job_id>.environment #1024

Closed
rkyuragi opened this issue Mar 5, 2024 · 3 comments
rkyuragi commented Mar 5, 2024

Describe the bug

When specifying jobs.<job_id>.environment in the workflow, OIDC fails.

Expected Behavior

It should be able to fetch credentials using a GitHub App token from a workflow under the GitHub repo that was setup in the Identity Provider on AWS side.

Current Behavior

Executing the workflow results in the following error.

```
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
```

Reproduction Steps

This occurs when executing the following workflow.
Please configure the `role-to-assume` according to your environment.

```yaml
name: CI/CD Workflow

on:
  push:
    branches:
      - test

jobs:
  set-env:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment: develop
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: 'ap-northeast-1'
          role-session-name: samplerolesession
          role-to-assume: 'arn:aws:iam::xxxx:role/xxxxx'
```

Commenting out the above `environment: develop` will result in success.

Possible Solution

No response

Additional Information/Context

No response

@rkyuragi rkyuragi added bug Something isn't working needs-triage This issue still needs to be triaged labels Mar 5, 2024
@tim-finnigan tim-finnigan self-assigned this Mar 6, 2024
@tim-finnigan tim-finnigan added investigating and removed needs-triage This issue still needs to be triaged labels Mar 6, 2024
tim-finnigan (Contributor) commented

Hi @rkyuragi thanks for reaching out. I tried reproducing the error given the template you provided but I was not able to - it ran successfully. There are a few other issues referencing the error that you mentioned, I wonder if this solution might help out here. Can you confirm?

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed investigating labels Mar 6, 2024
rkyuragi (Author) commented Mar 6, 2024

Hi @tim-finnigan
Thank you so much!

Your sharing of another issue helped me resolve it!
It was due to a lack of the following in the trust policy I created.

```
repo:OWNER/REPOSITORY:environment:NAME
```

> If you use a workflow with an environment, the sub field must reference the environment name: `repo:OWNER/REPOSITORY:environment:NAME`.

(from the GitHub documentation)

@rkyuragi rkyuragi closed this as completed Mar 6, 2024
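The root cause above is a `sub` condition in the IAM trust policy that matches the ref-style subject but not the environment-style one GitHub issues once a job declares `environment:`. The following is an added example, not code from this issue or from aws-actions/configure-aws-credentials: it builds a trust policy and a simplified set of token claims and then evaluates the policy's `Condition` block the way IAM matches `StringEquals` and `StringLike` against the token, so the failure and the fix can be checked offline. The owner `acme`, repository `app`, account id `123456789012` and the branch/environment names are constructed placeholders.

```python
# Added example (not from the issue or from aws-actions/configure-aws-credentials).
# It simulates how the IAM trust policy's Condition block is matched against the
# GitHub OIDC token's claims, to show why a `sub` condition written for a branch
# rejects a job that declares `environment:`. Owner, repo, account id and
# environment names below are constructed placeholders.
import fnmatch

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def github_claims(owner, repo, *, environment=None, ref=None, aud="sts.amazonaws.com"):
    """Build the claims GitHub puts in the job's OIDC token (simplified).

    With `environment:` set on the job, `sub` takes the form
    repo:OWNER/REPOSITORY:environment:NAME; otherwise it is the ref form
    repo:OWNER/REPOSITORY:ref:refs/heads/BRANCH. Both forms are in GitHub's
    docs; the rest of the token is reduced to the claims the policy checks.
    """
    if environment is not None:
        sub = f"repo:{owner}/{repo}:environment:{environment}"
    elif ref is not None:
        sub = f"repo:{owner}/{repo}:ref:{ref}"
    else:
        raise ValueError("need environment or ref")
    return {"iss": f"https://{GITHUB_OIDC_HOST}", "aud": aud, "sub": sub}


def trust_policy(account_id, sub_patterns):
    """Trust policy for a role assumed through the GitHub OIDC provider.

    `aud` is pinned with StringEquals; `sub` uses StringLike so each pattern
    may contain IAM's * and ? wildcards. One policy can list several subs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                    "StringLike": {f"{GITHUB_OIDC_HOST}:sub": list(sub_patterns)},
                },
            }
        ],
    }


def _value_matches(operator, pattern, actual):
    if operator == "StringEquals":
        return actual == pattern
    if operator == "StringLike":
        # IAM StringLike: * matches any run of characters, ? a single character.
        return fnmatch.fnmatchcase(actual, pattern)
    raise ValueError(f"unsupported condition operator {operator!r}")


def trust_policy_allows(policy, claims):
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity has every
    condition key satisfied by the token (all keys must match; a key that lists
    several values is satisfied when any one of them matches)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim_name = key.split(":", 1)[1]  # "<issuer-host>:sub" -> "sub"
                actual = claims.get(claim_name)
                patterns = expected if isinstance(expected, list) else [expected]
                if actual is None or not any(
                    _value_matches(operator, p, actual) for p in patterns
                ):
                    satisfied = False
        if satisfied:
            return True
    return False


# Constructed scenario mirroring the issue: a policy written for pushes to the
# `test` branch, then the same job with `environment: develop` added.
BRANCH_ONLY_POLICY = trust_policy("123456789012", ["repo:acme/app:ref:refs/heads/test"])
FIXED_POLICY = trust_policy(
    "123456789012",
    ["repo:acme/app:ref:refs/heads/test", "repo:acme/app:environment:develop"],
)
PLAIN_JOB = github_claims("acme", "app", ref="refs/heads/test")
ENV_JOB = github_claims("acme", "app", environment="develop")

if __name__ == "__main__":
    print("branch-only policy, job without environment:", trust_policy_allows(BRANCH_ONLY_POLICY, PLAIN_JOB))
    print("branch-only policy, job with environment:   ", trust_policy_allows(BRANCH_ONLY_POLICY, ENV_JOB))
    print("fixed policy, job with environment:         ", trust_policy_allows(FIXED_POLICY, ENV_JOB))
```

Two points worth keeping in mind when writing the real policy: once a job declares `environment:`, GitHub issues only the environment-style `sub`, so a role used from both plain and environment jobs needs both subjects listed; and a broad pattern such as `repo:OWNER/REPOSITORY:*` would also make the check pass, but it accepts every workflow and trigger in that repository, so listing the exact refs and environments is the least-privilege choice.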
github-actions bot commented Mar 6, 2024

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
