Question: How to do role chaining? (Not authorized to perform sts:AssumeRoleWithWebIdentity) #391

Closed
captn3m0 opened this issue Feb 18, 2022 · 5 comments
Labels
documentation This is an issue with documentation effort/small This issue will take less than a day of effort to fix p2

Comments

@captn3m0

I am trying to do role chaining (assuming the first role via GitHub OIDC, and the second role using the first role), but it is failing.

The first role is assumed correctly, and while I can use the aws sts CLI to assume the second role, that doesn't export the environment variables for further steps. Calling aws-actions/configure-aws-credentials@v1 again fails with an Error: Not authorized to perform sts:AssumeRoleWithWebIdentity error.

      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ap-south-1
          role-to-assume: role-1
      - name: Role 2 can be assumed by Role 1 (This works)
        run: |
          # This prints Role 1
          aws sts get-caller-identity
          # This succeeds (assume-role requires --role-session-name); it prints
          # temporary credentials for role-2 but does not export them
          aws sts assume-role \
            --role-arn arn:aws:iam::12345678900:role/role-2 \
            --role-session-name role-chain-test
          # Still prints Role 1, because the credentials above were never exported
          aws sts get-caller-identity
      # This fails
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-duration-seconds: 1200
          aws-region: ap-south-1
          role-to-assume: role-2

This is what I get in the log:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ap-south-1
    role-to-assume: arn:aws:iam::***:role/role-2
    role-duration-seconds: 1200
  env:
    AWS_DEFAULT_REGION: ap-south-1
    AWS_REGION: ap-south-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

This is running on a self-hosted runner on EC2. Such an example in the README will be helpful as well.
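The missing piece in the run step above is the export: `aws sts assume-role` only prints the new credentials. The shell function below is an added example, not code from this issue or from the aws-actions/configure-aws-credentials project. It takes the CLI's `--output text` line (constructed in the usage comment; role name, account ID and session name are placeholders) and appends the three AWS_* variables to the file named in `$GITHUB_ENV`, so later `run:` steps operate as role-2, and it refuses to write anything if AssumeRole returned no credentials, so a failed second hop cannot silently leave role-1's credentials in place.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from aws-actions/configure-aws-credentials.
# Exports role-2 credentials obtained by role chaining to later workflow steps.
set -eu

# export_chained_creds FILE
# Reads one line "ACCESS_KEY SECRET TOKEN EXPIRATION" on stdin, which is what
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text
# prints, and appends the three AWS_* variables to FILE (normally $GITHUB_ENV).
# Returns 1 when any field is missing, so a failed AssumeRole never leaves the
# previous role's credentials silently in place for later steps.
export_chained_creds() {
  local env_file=$1
  local key= secret= token= expiry=
  read -r key secret token expiry || true
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role returned no credentials; not exporting anything" >&2
    return 1
  fi
  # Workflow command: ask the runner to redact these values in later log output.
  printf '::add-mask::%s\n' "$secret" "$token"
  {
    printf 'AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'AWS_SESSION_TOKEN=%s\n' "$token"
  } >> "$env_file"
  echo "chained credentials exported; they expire at ${expiry:-unknown}" >&2
}

# Inside a `run:` step the input line comes from the CLI (ACCOUNT_ID and role-2
# are placeholders; the session name ties the CloudTrail record to this run).
# STS caps a chained session at 3600 seconds, so keep --duration-seconds at or
# below that or the call is rejected.
#
#   aws sts assume-role \
#     --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/role-2" \
#     --role-session-name "gha-${GITHUB_RUN_ID}" \
#     --duration-seconds 1200 \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text | export_chained_creds "$GITHUB_ENV"
```

Two caveats. Role-2's trust policy must grant role-1's principal `sts:AssumeRole` (the second hop is a plain AssumeRole, not AssumeRoleWithWebIdentity, which is why only the OIDC provider needs to be trusted by role-1). And, as the log above shows, a later configure-aws-credentials step does not pick the AWS_* variables up from the environment when it can obtain an OIDC token; to reuse the action for the second hop, the credentials have to be passed to it as inputs, which is the approach jferris describes below.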

@jferris

jferris commented Feb 26, 2022

I was able to do this by passing the access key from the first step as arguments to the second step.

    - name: Assume GitHub actions role
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-region: us-east-1
        # First hop: GitHub OIDC token -> role, via sts:AssumeRoleWithWebIdentity
        role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions"

    - name: Assume execution role
      uses: aws-actions/configure-aws-credentials@v1
      with:
        # Second hop: the first role's credentials are passed back in as the
        # source credentials, so the action calls sts:AssumeRole rather than
        # the OIDC path
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-1
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        # STS caps a chained session at 3600 seconds
        role-duration-seconds: 3000
        role-skip-session-tagging: true
        role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/execution-role"

@Fran-Rg

Fran-Rg commented Jun 14, 2022

@jferris thanks for the info. Can you explain what "role-skip-session-tagging" is supposed to do (and why it's required to skip it in the chain)?

@peterwoodworth peterwoodworth added needs-triage This issue still needs to be triaged documentation This is an issue with documentation p2 effort/small This issue will take less than a day of effort to fix and removed needs-triage This issue still needs to be triaged labels Oct 4, 2022
@peterwoodworth
Contributor

peterwoodworth commented Oct 5, 2022

@Fran-Rg role-skip-session-tagging ensures that session tags are not applied to your session when you assume a role using this action.

This isn't required to make role chaining work; according to the docs I've linked above (and I've tested as well), you can role chain and use session tags.

We should absolutely have an example of role chaining in the Readme! If someone else gets to it first I can review a PR, else I will get to it when I can

@peterwoodworth
Contributor

We now have an example of this in the README 🙂

@github-actions

Note:
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
