Credentials obtained through OIDC cannot be refreshed

[christopher-dG]

This action gets credentials by requesting a web identity token and using it directly to generate temporary credentials, and exports those temporary credentials as environment variables. The web identity token itself is not persisted in any way. This means that there's no way for an AWS SDK to refresh the credentials if they expire.

The action should at least be saving the token to a file and exporting its path as AWS_WEB_IDENTITY_TOKEN_FILE, that way if the temporary credentials expire, then new ones can be obtained by an AWS SDK (I'm not sure if they'll properly handle throwing away the expired credentials, i.e. a subprocess can't shred environment variables that its parent process has, but maybe something like the CLI would still generate new credentials and just not export them).

Ideally we wouldn't obtain any temporary credentials so that the SDKs can handle it all themselves, but that might be an overly breaking change.

I wrote a little workaround action here that I'll be using in case I actually do need indefinitely refreshing credentials.

[lorengordon]

Related:

• Trying to use webIdentityTokenFile results in Credentials could not be loaded error #124
• Assume Role with OIDC with more than 1 hour #354

[peterwoodworth]

@christopher-dG Do you know of a way to reproduce a scenario where I would need to refresh my credentials before my role times out? I'd like to get this fixed up but need to reproduce the scenario first

[christopher-dG]

Start with this action, then run: sleep 3h && aws sts get-caller-identity (or sleep for whatever the default session length is + a minute)

[christopher-dG]

Oh sorry misunderstood your question. Basically any time that you're running a workflow that takes more than an hour, such as a really long s3 upload or something.

[peterwoodworth]

Thanks @christopher-dG, I'm still unable to reproduce this issue by sleeping (I tried sleeping for four hours, and currently have an action that's sleeping for 7 and a half hours). However, I don't really need to reproduce this to verify that storing the token in a local file is something we can support.

It would be great if a community member could submit a PR for this, we might not be able to address this issue on our own soon!

[skeggse]

I'd assumed that the temporary credentials provided by AssumeRoleWithWebIdentity would be limited to one hour due to role chaining, but I guess that rule doesn't apply - increasing my role to more than an hour worked! It'd still be great to let SDKs automatically refresh the credentials for jobs that run for longer than 12h, but that seems like a relatively rare case.

[Ganiredi]

@skeggse How you are able to increase the expiration time ?Thanks

[arianvp]

I would love to see Christopher's approach in this action.

How about an input:

set-web-identity-token-file: true

to opt in to this behaviour?

[arianvp]

Giving this more thought this needs more care to be implemented

the id token that Github Actions returns is only valid for 300 seconds. Way shorter than the duration of your average IAM Role. So refreshing using web_identity_token_file isn't really possible unless you also keep refreshing the ID token in the background too.