Unable to use in reusable workflow: Error: The security token included in the request is invalid. #383

Closed
choffa opened this issue Feb 13, 2022 · 10 comments
Labels
bug Something isn't working effort/medium This issue will take a few days of effort to fix p2

Comments

choffa commented Feb 13, 2022

I have been trying to use this action in a reusable workflow. Whenever I try, I get "Error: The security token included in the request is invalid." My motivation for using the action in this way is to be able to run the same workflow against different accounts depending on the circumstances, such as deploying dev on push and prod manually.

Reproduction steps:

My called (reusable) workflow looks as follows:

name: Deploy

on:
  workflow_call:
    inputs:
      aws-region:
        required: true
        type: string
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true

jobs:
  test:
    name: Test-secrets
    runs-on: ubuntu-latest
    steps:
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ inputs.aws-region }}

And the caller workflow looks like:

name: Continuous Delivery

on: push

jobs:
  deploy-dev:
    name: Deploy Dev
    uses: ./.github/workflows/deploy.yml
    with:
      aws-region: eu-west-1
    secrets:
      # Exactly one "$" in front of the expression: "$${{ ... }}" passes the secret
      # with a literal leading "$", and AWS rejects such a key ID with exactly the
      # "security token included in the request is invalid" error.
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}

Expected behaviour

I expect the action to work as normal, like it does when used directly, i.e.

name: Continuous Delivery

on: push

jobs:

  test-directly:
    name: Test Directly on push
    runs-on: ubuntu-latest
    steps:
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
        aws-region: eu-west-1

Using the action this way works just fine. That also confirms that it is not the secrets that are the issue...

Let me know if you need anything else! :)

@jim-hill-r

@choffa Did you find a workaround? I am also facing this issue.

@drey0143143

@choffa Please let me know if you find a workaround. I am having the same issue

choffa commented Aug 1, 2022

@jim-hill-r @drey0143143 No, I was not able to find a good workaround for this issue. We decided to accept the duplication for now.

emmanuel-c-santos commented Sep 28, 2022

I was having a problem with Azure credentials which seem similar to the one above. I was able to solve it following the steps at the link below:
https://colinsalmcorner.com/consuming-environment-secrets-in-reusable-workflows/

In short, it suggests keeping the credentials in an environment and having the caller workflow pass the environment name as a parameter.

@peterwoodworth peterwoodworth added the needs-triage This issue still needs to be triaged label Oct 4, 2022
@peterwoodworth peterwoodworth added p2 effort/medium This issue will take a few days of effort to fix bug Something isn't working and removed needs-triage This issue still needs to be triaged labels Feb 21, 2023
@cleber-rocha

I'm facing the same issue

@peterwoodworth
Contributor

I suspect this would be due to existing credentials within the runner, or lack thereof. I'm not super experienced with reusable workflows, but I'd like it if the people running into this could check if their environment variables are populated at the time the configure-aws-credentials step runs.

If you upgrade to v3, there is now the role-chaining prop which helps avoid errors in some cases where the action is invoked multiple times. Alternately, there's the unset-current-credentials prop which clears AWS-related environment variables at the start of the step.

If there's no issue with inputs, and there's no unexpected environment variables in the runner, then I'm not sure why a composite action would be failing and would need to look more into it.
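A preflight step that covers both sides of this thread, the `secrets:` plumbing in the original report and the check peterwoodworth asks reporters to do on variables already present when the step runs. It is an added example, not code from this issue or from aws-actions/configure-aws-credentials. It assumes it is saved as a script (path `.github/scripts/aws-preflight.sh` and the variable name `AWS_ACCESS_KEY_ID_TO_CHECK` are this example's choices) and run in a `run:` step placed immediately before the action inside the reusable workflow, with the secret handed to it through `env:` as shown in the header comment. All inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or from aws-actions/configure-aws-credentials.
# Preflight for a reusable workflow, run just before the configure-aws-credentials step:
#  (1) checks that the access key ID the caller passed through `secrets:` has the shape
#      AWS issues, which catches a literal "$" leaking in from a "$${{ secrets.X }}" typo;
#  (2) names any AWS_* variables already set on the runner, i.e. the inherited state
#      that `unset-current-credentials: true` (v3+) clears at the start of the step.
#
# Assumed wiring in the called workflow (script path and variable name are this
# example's choices, not the action's API):
#   - run: sh .github/scripts/aws-preflight.sh --run
#     env:
#       AWS_ACCESS_KEY_ID_TO_CHECK: ${{ secrets.AWS_ACCESS_KEY_ID }}

# Return 0 if $1 has the shape of an AWS access key ID: AKIA (long-term IAM user key)
# or ASIA (temporary STS key) followed by 16 uppercase alphanumerics.
aws_key_id_looks_valid() {
    printf '%s' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$'
}

# Print a one-line diagnosis of $1 and return non-zero if it is unusable.
# The key itself is never printed, so the output is safe in job logs.
diagnose_key_id() {
    key="$1"
    if [ -z "$key" ]; then
        echo 'access key ID is empty: the secret was not passed in the caller secrets: block'
        return 1
    fi
    case "$key" in
        '$'*)
            echo 'access key ID starts with a literal "$": check the caller for "$${{ secrets.X }}" (doubled dollar)'
            return 1
            ;;
    esac
    if ! aws_key_id_looks_valid "$key"; then
        echo "access key ID has an unexpected shape (length ${#key}): expected AKIA/ASIA plus 16 characters"
        return 1
    fi
    echo "access key ID shape OK (prefix $(printf '%.4s' "$key"), length ${#key})"
}

# Print the names (never the values) of AWS credential/config variables already set
# in the environment, one per line; prints nothing when the runner is clean.
list_preset_aws_vars() {
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
                AWS_PROFILE AWS_DEFAULT_REGION AWS_REGION; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Entry point for the run: step. Fails the job here, with a readable reason, instead
# of inside the action with the generic "security token ... is invalid" error.
preflight() {
    preset=$(list_preset_aws_vars)
    if [ -n "$preset" ]; then
        echo 'AWS variables already set before configure-aws-credentials runs:'
        echo "$preset" | sed 's/^/  /'
    else
        echo 'no AWS_* variables preset on the runner'
    fi
    diagnose_key_id "$1"
}

if [ "${1:-}" = '--run' ]; then
    preflight "${AWS_ACCESS_KEY_ID_TO_CHECK:-}"
fi
```

If the first part of the output lists variables, the step is not starting from a clean slate and `unset-current-credentials: true` (or `role-chaining`, when a second invocation is intended) is the knob to try; if the diagnosis line reports a leading "$" or an empty value, the problem is in how the caller forwards the secret, not in the action.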

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 24, 2023
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 2 days unless further comments are made. label Aug 30, 2023
choffa commented Aug 30, 2023

The project where I faced this issue has since been cancelled, so I now have no way to test @peterwoodworth 's suggestion.

@github-actions github-actions bot removed closing-soon This issue will automatically close in 2 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. labels Aug 30, 2023
mbland added a commit to mbland/elistman that referenced this issue Sep 11, 2023
Yesterday, I started creating an AWS SAM CI/CD pipeline using GitHub
Actions, which isn't yet deployed.

Today, the mbland/elistman pipeline started failing while trying to
configure AWS credentials after pushing commit
4841ade:

- https://github.com/mbland/elistman/actions/runs/6149590436/job/16686549484
  Error: The security token included in the request is invalid.

I tried to update the trust policy for the relevant IAM user, which I'd
seen had been updated to trust requests from mbland/ses-forwarder. I
manually edited it back to mbland/elistman. Rerunning the job still
failed.

I then updated the pipeline to aws-actions/configure-aws-credentials@v3
in commit 60463bc, but it still failed:

- https://github.com/mbland/elistman/actions/runs/6149930473/job/16686849270

Searching for related issues turned up the possibility of trying
"unset-current-credentials: true":

- https://github.com/aws-actions/configure-aws-credentials#unset-current-credentials
- aws-actions/configure-aws-credentials#383

Trying it to see how it goes.
@peterwoodworth
Contributor

In that case, please feel free to open a new issue if anyone encounters any problems on v4. Thanks!

@github-actions

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.

6 participants