Migrate configure-aws-credentials to use AWS SDK for JavaScript (v3) #680

Closed
2 tasks
GeorgeDavis-TriumphTech opened this issue Mar 1, 2023 · 34 comments
Labels
feature-request A feature should be added or improved. next-major-version This issue will be fixed/implemented in the next major version

Comments

@GeorgeDavis-TriumphTech

Describe the feature

(node:1629) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)

Use Case

There is a warning message when we use aws-actions/configure-aws-credentials@v1-node16 in GitHub Actions workflow.

Proposed Solution

Migrate configure-aws-credentials to use AWS SDK for JavaScript (v3)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@GeorgeDavis-TriumphTech GeorgeDavis-TriumphTech added feature-request A feature should be added or improved. needs-triage This issue still needs to be triaged labels Mar 1, 2023
@rjminchuk

seeing this as well

@povisenko

+1
aws-actions/configure-aws-credentials@v1-node16

@ngb7h

ngb7h commented Mar 3, 2023

We're also using aws-actions/configure-aws-credentials@v1-node16, same warning.

@kellertk
Contributor

kellertk commented Mar 6, 2023

The JS v3 SDK no longer supports exporting a global credential object, which is used by our action. A major rewrite of the action and our tests is needed to support v3. This is in progress and will coincide with a v3 release of this action :)

@kellertk kellertk added next-major-version This issue will be fixed/implemented in the next major version and removed needs-triage This issue still needs to be triaged labels Mar 6, 2023
@Haarolean

This comment was marked as off-topic.

@mfn

mfn commented Mar 22, 2023

I can't (yet?) confirm any problems from my side, I'm using this action in 30+ workflows and they work; only the message is shown:

Run aws-actions/configure-aws-credentials@v2
  with:
    aws-access-key-id: ***
    aws-secret-access-key: ***
    aws-region: eu-central-1
    audience: sts.amazonaws.com
(node:2126) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)

This is from an hour ago.

@Haarolean

This comment was marked as off-topic.

@AndrewReid-Journey

It seems like they finally dropped the support for this after the deprecation.

Without any changes, it stopped working just in a matter of a few days, now we get this:

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

Interestingly, I'm having the exact same issue as you in some of my workflows now. Weirdly I have some workflows which still run OK (albeit showing the warning message about the maintenance mode plans for 2023) but others where this step is failing now. The only difference I can see between these workflows is that the failing ones are declared to run in a container whereas the others are not. I wonder if this is the same scenario in your case?

@Haarolean

This comment was marked as off-topic.

@LLBlumire

This comment was marked as resolved.

@Artur-Oliveira-Jesus

Artur-Oliveira-Jesus commented Apr 14, 2023

Is there another way to configure credentials? Because I'm having the same problem...

@aborza-c

The JS v3 SDK no longer supports exporting a global credential object, which is used by our action. A major rewrite of the action and our tests is needed to support v3. This is in progress and will coincide with a v3 release of this action :)

Is this only an issue with setting up credentials directly? What about using OIDC, is that also affected?

@mchittineni

mchittineni commented Apr 21, 2023

Hi, facing a similar issue when trying to load AWS Credentials (v2) via OIDC:

Run aws-actions/configure-aws-credentials@v2
  with:
    role-to-assume: arn:aws:iam:xxxxxxxx:role/xxxxx
    aws-region: eu-west-2
    audience: sts.amazonaws.com
NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

@kkurczewski

@mchittineni, this issue is only about removing an unaesthetic warning; the error you got is not related to or caused by this warning. Your error states:

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

So most likely you are passing a wrong or missing role/region/other param.

@mchittineni

mchittineni commented Apr 21, 2023

@kkurczewski sorry, after making the comment I realised my mistake. When I add the permissions

https://github.com/aws-actions/configure-aws-credentials#:~:text=OIDC%20Token%20endpoint.-,permissions%3A,-id%2Dtoken%3A

the error changed into a warning, which is still showing as mentioned below.

Run aws-actions/configure-aws-credentials@v2
  with:
    role-to-assume: arn:aws:iam:xxxxxxxx:role/xxxxx
    aws-region: eu-west-2
    audience: sts.amazonaws.com
NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)

@andreyFernandoSoares

require('aws-sdk/lib/maintenance_mode_message').suppress = true;

@akshit-speed

Is there any update on this? Due to this we are starting to see some of the workflows failing randomly at the configure AWS credentials step.

@jensenbox

Happened 2 times in the last 7 days for us. Is there an update on when this will be resolved?

@omegion

omegion commented Jun 28, 2023

Same here, it's happening quite often today.

@dacahill7

I was thinking this was my issue, but it turns out I was running into this:
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

Adding to the thread since others might be hitting the same problem, even though it's not directly related.

@gscho

gscho commented Jun 28, 2023

When I follow the instructions in the blog post things work. But I don't understand where they are getting the 1c58a3a8518e8759bf075b76b750d4f2df264fcd thumbprint from. I get these two from token.actions.githubusercontent.com

  • 6938fd4d98bab03faadb97b34396831e3780aea1
  • f879abce0008e4eb126e0097e46620f5aaae26ad

Where does this thumbprint in the blog post come from?

@danopia

danopia commented Jun 29, 2023

Where does this thumbprint in the blog post come from?

For some context, here's the certificate chain that I see for GHA in Google Chrome:

image

I believe that you are looking at the last certificate (Github's cert), but for AWS OIDC you generally want the first intermediate, which is the second certificate in the list. This is because the first certificate can't be used and the last certificate is renewed at least annually:

| Subject | SHA-1 | Lifespan | Usage with AWS OIDC |
|---|---|---|---|
| DigiCert Global Root CA | a8985d3a... | 25 years | ❌ Thumbprint won't be recognized |
| DigiCert TLS RSA SHA256 2020 CA1 | 1c58a3a8... | 10 years | ✅ Recognized & infrequent rotation |
| *.actions.githubusercontent.com | f879abce... | ~1.3 years | 😕 Needs regular rotation |

Note that this is all a relic of AWS OIDC being paranoid enough to not use the trusted CA list maintained by OSs and browsers. I'd love to see an "Internet root trust store" option from AWS so we can stop worrying about rotating fingerprints 🤷🏻
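
The chain-position point in the comment above, as an added example that is not part of the original thread: it computes the SHA-1 thumbprint of every certificate in a PEM chain and reports whether each thumbprint configured on an IAM OIDC provider pins the leaf or an issuer. It assumes the chain is leaf first, as `openssl s_client -showcerts` prints it; the function names and the sample chain (placeholder bytes, not real certificates) are constructed for illustration.

```javascript
// Added example (not from the thread): report which certificate in a TLS chain
// each configured IAM OIDC provider thumbprint pins.
const crypto = require('node:crypto');

// Constructed sample: placeholder bytes in PEM armor, NOT real certificates.
// Order is leaf first, then issuer, as `openssl s_client -showcerts` prints it.
const SAMPLE_CHAIN = [
  '-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----',
].join('\n');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// A thumbprint is the SHA-1 digest of the certificate's DER bytes, in hex.
function chainThumbprints(pemChain) {
  return [...pemChain.matchAll(PEM_BLOCK)].map(([, body]) => {
    const der = Buffer.from(body.replace(/\s+/g, ''), 'base64');
    return crypto.createHash('sha1').update(der).digest('hex');
  });
}

// Accept both "1C:58:A3:..." (openssl style) and "1c58a3..." (plain hex).
function normalize(thumbprint) {
  return thumbprint.replace(/[^0-9a-fA-F]/g, '').toLowerCase();
}

// Classify every configured thumbprint by the chain position it matches.
function auditThumbprints(pemChain, configured) {
  const prints = chainThumbprints(pemChain);
  return configured.map((raw) => {
    const thumbprint = normalize(raw);
    const index = prints.indexOf(thumbprint);
    const position = index === -1 ? 'no-match' : index === 0 ? 'leaf' : 'issuer';
    return { thumbprint, index, position };
  });
}

// True when at least one configured thumbprint pins an issuer certificate,
// so the trust does not break when only the leaf is renewed.
function survivesLeafRenewal(pemChain, configured) {
  return auditThumbprints(pemChain, configured).some((r) => r.position === 'issuer');
}
```
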

@kellertk
Contributor

Hello everyone, the error that you're seeing related to thumbprints and certificates is not related to JavaScript v3. This is a tracking issue for the v3 migration, which we already have in progress. We work extremely closely with the JavaScript SDK team and migrating this action to the new version will happen before the SDK is fully deprecated. For any discussion related to certificate thumbprints, please see #357.

@kellertk
Contributor

Just to confirm, the warning you're seeing as a result of the v2 SDK being used is merely cosmetic at this time.

@Blunderchips

Our pipeline started failing this morning with something related to this. Not getting a warning but a failed job. Is there a workaround for this issue?

image

@peterwoodworth
Contributor

The error is not due to the SDK version, but something else. The message you see there is just a warning unrelated to the error.

Please open up another issue with the details of your workflow @Blunderchips

@Blunderchips

The error is not due to the SDK version, but something else. The message you see there is just a warning unrelated to the error.

Please open up another issue with the details of your workflow @Blunderchips

OK, will do it when I get a chance. Stopped working over the weekend with no changes on our side.

@snusmu

snusmu commented Jul 11, 2023

I get the exact same issue as Blunderchips when trying to set up this GitHub action for the first time, with a very basic workflow.

@Blunderchips

I get the exact same issue as Blunderchips when trying to set up this GitHub action for the first time, with a very basic workflow.

Yes, same error. It worked on the Friday then not on the Monday. Of course, our keys are defined and are still valid.

@c-ameron

The JS v3 SDK no longer supports exporting a global credential object, which is used by our action. A major rewrite of the action and our tests is needed to support v3. This is in progress and will coincide with a v3 release of this action :)

Thanks for the info @kellertk. Do you have an ETA of when this will be released? And will this include the other AWS actions (i.e. amazon-ecs-deploy-task-definition)?

@DanielMcAssey

Same here, worked on Friday, stopped working on Monday, nothing changed on our pipeline or AWS

@flo-hame

flo-hame commented Aug 14, 2023

I faced the same errors. Adding the following to the top of my deployment.yaml fixed it:

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
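
Why that permissions block matters, as an added example that is not the action's own code: GitHub sets `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` only for jobs granted `id-token: write`, so a step can tell a missing permission apart from a missing input. The `diagnose` function, its result shape and the sample values are hypothetical; the input names are the ones shown in the thread.

```javascript
// Added example, not the action's own code. diagnose() and its result shape
// are hypothetical; input names are the ones shown in the thread.

// The runner sets these only for jobs granted `permissions: id-token: write`.
const OIDC_ENV = ['ACTIONS_ID_TOKEN_REQUEST_URL', 'ACTIONS_ID_TOKEN_REQUEST_TOKEN'];

function diagnose(inputs, env) {
  const keyId = inputs['aws-access-key-id'] || '';
  const secret = inputs['aws-secret-access-key'] || '';
  const role = inputs['role-to-assume'] || '';

  // An undefined secret reaches the step as an empty string, so test for content.
  if (keyId && secret) return { source: 'static-keys', problem: null };
  if (keyId || secret) {
    return { source: 'static-keys', problem: 'only one half of the key pair is set' };
  }
  if (!role) {
    return {
      source: 'ambient',
      problem: 'no access keys or role-to-assume given; only credentials already on the runner can be used',
    };
  }
  // Role without keys means the OIDC path, which needs the token request env.
  const missing = OIDC_ENV.filter((name) => !env[name]);
  if (missing.length > 0) {
    return {
      source: 'oidc',
      problem: `job lacks id-token: write (unset: ${missing.join(', ')})`,
    };
  }
  return { source: 'oidc', problem: null };
}

// Constructed inputs mirroring the OIDC run quoted in the thread.
const SAMPLE_OIDC_INPUTS = {
  'role-to-assume': 'arn:aws:iam::111111111111:role/example', // constructed ARN
  'aws-region': 'eu-west-2',
};
```
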

@kellertk
Contributor

Closed by #791

@github-actions

** Note **
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
