Github-Actions - Unable to Assume secondary role_arn from workflow #704

Closed
iamajaz opened this issue Apr 2, 2023 · 2 comments
Labels
closed-for-staleness duplicate This issue or pull request already exists feature-request A feature should be added or improved. response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.

Comments

iamajaz commented Apr 2, 2023

Describe the feature

Description

AWS Account Information:

  • Got two AWS Accounts, Account1 and Account2
  • OIDC Role (OIDC_ROLE) present in Account 1
    • Authorizes GitHub Workflow to create resources in Account 1
  • IAM Role (BUILDS_ROLE) present in Account 2
    • Authorizes GitHub workflow to assume the role and create State files and DynamoDB lock in Account 2

Github Workflow:

  • My GitHub workflow has two roles ("OIDC_ROLE" & "BUILDS_ROLE") as mentioned above.
      - name: Configure AWS credentials from Primary AWS account
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.OIDC_ROLE }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          role-session-name: GitHub-Actions-Builds-OIDC-Terraform

      - name: Setup Terraform Backend on the fly
        working-directory: ${{ env.WORKING_DIR }}
        id: backend
        run: |
          cat > backend.tf << EOF
          terraform {
            backend "s3" {
              bucket         = "${{ env.BUCKET_NAME }}"
              key            = "${{ env.STATE_PREFIX }}/${{ env.AWS_DEFAULT_REGION }}/policies.tfstate"
              role_arn       = "${{ env.BUILDS_ROLE }}"
              region         = "${{ env.AWS_DEFAULT_REGION }}"
              dynamodb_table = "${{ env.DYNAMODB_TABLE }}"
            }
          }
          EOF

      - name: Terraform Init
        working-directory: ${{ env.WORKING_DIR }}
        id: init
        run: |
          git config --global url."https://oauth2:[email protected]/chargebee/cb-tf-modules.git".insteadOf "ssh://[email protected]/chargebee/cb-tf-modules.git"
          terraform init --reconfigure
        env:
          token: ${{ secrets.CI_GITHUB_READ_ONLY_TOKEN }}

Issue:

  • The mentioned step, "Configure AWS credentials from Primary AWS account", works as expected
  • However, the step "Terraform Init" fails, as my GitHub Actions workflow is unable to assume the BUILDS_ROLE.

Error:

╷
│ Error: error configuring S3 Backend: IAM Role (arn:aws:iam::123427971234:role/builds-terraform-backend-assume-role) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Use Case

What I did

  • In the Trust policy of the "builds-terraform-backend-assume-role" / BUILDS_ROLE, I've added the role to trust any incoming connections from Account 1
  • My Organization name here is mentioned as sampler-terra and repository is templates.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::678927976789:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Desired Output:

  • For the BUILDS_ROLE IAM to be assumed by Github Actions

References

No response

Would you like to implement a fix?

None

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@iamajaz iamajaz added feature-request A feature should be added or improved. needs-triage This issue still needs to be triaged labels Apr 2, 2023
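As an added illustration (not code from the issue or from the configure-aws-credentials action), this Python script walks the trust policy posted above and flags what a reviewer would raise: the account-wide `:root` principal with an empty Condition, the OIDC provider ARN that belongs to Account 1 while the role itself lives in Account 2 (the role's account is taken from the ARN in the error message), and the wildcard `sub` claim. The finding codes, helper names and the hardened statement in the test are my own.

```python
import json

# Role ARN quoted in the error message above; its account (Account 2) owns the role.
ROLE_ARN = "arn:aws:iam::123427971234:role/builds-terraform-backend-assume-role"
SUB_KEY = "token.actions.githubusercontent.com:sub"

# Constructed copy of the trust policy posted in the issue, used as sample input.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::678927976789:root"]},
   "Action": "sts:AssumeRole", "Condition": {}},
  {"Effect": "Allow",
   "Principal": {"Federated":
     "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringLike": {
     "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
     "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(arn):
    return arn.split(":")[4]

def check_trust_policy(policy, role_arn):
    """Return (code, detail) findings for statements that are over-broad or cannot work."""
    findings = []
    role_account = _account_of(role_arn)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        cond = stmt.get("Condition") or {}
        for arn in _as_list(principal.get("AWS", [])):
            # ":root" defers to Account 1's own IAM policies; with no Condition, any
            # principal there that is granted sts:AssumeRole on this role qualifies.
            if arn.endswith(":root") and not cond:
                findings.append(("ACCOUNT_WIDE_TRUST", arn))
        for arn in _as_list(principal.get("Federated", [])):
            # OIDC providers are account-scoped: a provider ARN from another account
            # does not name this role's own provider, so the statement grants nothing.
            if _account_of(arn) != role_account:
                findings.append(("FOREIGN_OIDC_PROVIDER", arn))
            for operator in cond.values():
                for sub in _as_list(operator.get(SUB_KEY, [])):
                    if sub.endswith(":*"):  # matches every branch, tag and environment
                        findings.append(("BROAD_SUB_CLAIM", sub))
    return findings
```

Replacing the `:root` principal with the OIDC_ROLE's own ARN clears the first finding while still letting the workflow's role-chaining path work, provided OIDC_ROLE is also granted sts:AssumeRole on BUILDS_ROLE in its own permission policy.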
@peterwoodworth (Contributor):

We plan on implementing profile support this year #112, would this suit your use case?

@peterwoodworth peterwoodworth added duplicate This issue or pull request already exists response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-triage This issue still needs to be triaged labels Apr 5, 2023
@github-actions (bot):

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 2 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 2 days unless further comments are made. labels Apr 11, 2023