
From US account switch to CN account, Error: The security token included in the request is invalid #756

Closed
fanyanjie-pacvue opened this issue Jun 28, 2023 · 8 comments
Labels
bug Something isn't working effort/small This issue will take less than a day of effort to fix p2 response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.

Comments

@fanyanjie-pacvue

Describe the bug

First, log in to my US account's role and do something.
Then, log in to the CN account's role.

If I just log in to the CN account, or switch from one US account to another US account, it works.

Expected Behavior

It can log in successfully.

Current Behavior

Error: The security token included in the request is invalid

Reproduction Steps

  - name: Configure AWS credentials US
    uses: aws-actions/configure-aws-credentials@v2
    with:
      role-to-assume: arn:aws:iam::111111111111:role/github-actions
      aws-region: us-west-2
  - run: Do something
  - name: Configure AWS credentials CN
    uses: aws-actions/configure-aws-credentials@v2
    with:
      role-to-assume: arn:aws-cn:iam::222222222222:role/github-actions
      aws-region: cn-north-1

Possible Solution

No response

Additional Information/Context

No response

@fanyanjie-pacvue fanyanjie-pacvue added bug Something isn't working needs-triage This issue still needs to be triaged labels Jun 28, 2023
@funnylookinhat

We are seeing this as well (I think). Here's the output from our GH Action step:

Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Is that what you are seeing?

@jack-slip

#357

@jack-slip

jack-slip commented Jun 28, 2023

new thumbprint is f879abce0008e4eb126e0097e46620f5aaae26ad

@libc

libc commented Jun 28, 2023

For whoever gets here for whatever reason.

f879abce0008e4eb126e0097e46620f5aaae26ad is not the correct thumbprint. It's the SHA-1 of the certificate, while you should be trusting thumbprints of the intermediate CA.

Please use the thumbprints from https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/, not f879abce0008e4eb126e0097e46620f5aaae26ad.

@jack-slip

For whoever gets here for whatever reason.

f879abce0008e4eb126e0097e46620f5aaae26ad is not the correct thumbprint. It's the SHA-1 of the certificate, while you should be trusting thumbprints of the intermediate CA.

Please use the thumbprints from https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/, not f879abce0008e4eb126e0097e46620f5aaae26ad.

Thanks for sharing that.

f879abce0008e4eb126e0097e46620f5aaae26ad was correct enough to get our CI/CD running, but we'll switch to the recommended solution.

@peterwoodworth
Contributor

It seems that the comments in this thread should be going to #357, please make sure you're in the right thread :)

@YanJieFan there might be an issue with the environment variables not clearing between runs, try clearing out your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables in a step between assuming these roles, and let me know if that works.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. p2 effort/small This issue will take less than a day of effort to fix and removed needs-triage This issue still needs to be triaged labels Jun 28, 2023
@fanyanjie-pacvue
Author

It seems that the comments in this thread should be going to #357, please make sure you're in the right thread :)

@YanJieFan there might be an issue with the environment variables not clearing between runs, try clearing out your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables in a step between assuming these roles, and let me know if that works.

It works ☺ (clearing the environment variables); the code is:

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::111111111111:role/github-actions
          aws-region: us-west-2
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Configure AWS credentials CN
        uses: aws-actions/configure-aws-credentials@v2
        env:
          AWS_ACCESS_KEY_ID: ""
          AWS_SECRET_ACCESS_KEY: ""
          AWS_SESSION_TOKEN: ""
        with:
          role-to-assume: arn:aws-cn:iam::222222222222:role/github-actions
          aws-region: cn-north-1
      - name: Login to Amazon ECR
        id: login-ecr-cn
        uses: aws-actions/amazon-ecr-login@v1
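Peter's suggestion above (clear AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN between the two role assumptions) and the author's step-level `env: ""` fix can be turned into a preflight that a `run:` step executes before the CN configure step. The POSIX shell helper below is an added example, not code from this issue or from aws-actions/configure-aws-credentials; the function names, the ARN-partition check and the use of `$GITHUB_ENV` for clearing variables across steps are my own choices.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or from aws-actions/configure-aws-credentials.
# Preflight for a `run:` step placed before a second configure-aws-credentials step
# that targets a different partition (here: aws -> aws-cn).

# Map a region to the partition its ARNs use (cn-* -> aws-cn, us-gov-* -> aws-us-gov).
partition_for_region() {
  case "$1" in
    cn-*)     echo "aws-cn" ;;
    us-gov-*) echo "aws-us-gov" ;;
    *)        echo "aws" ;;
  esac
}

# Second colon-separated field of arn:<partition>:iam::<account>:role/<name>.
arn_partition() {
  printf '%s\n' "$1" | cut -d: -f2
}

# Succeeds only when the role ARN lives in the partition the region belongs to.
check_role_region() {
  [ "$(arn_partition "$1")" = "$(partition_for_region "$2")" ]
}

# Print the credential variables a previous step left behind, one per line.
# configure-aws-credentials exports these; if they survive into the next run, a
# session token minted by the aws partition's STS is presented to cn-north-1's
# STS, which answers "The security token included in the request is invalid".
stale_credential_vars() {
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\${$v:-}"
    [ -n "$val" ] && printf '%s\n' "$v"
  done
  return 0
}

# Append empty assignments to $GITHUB_ENV so every later step starts without the
# earlier session; this is the cross-step equivalent of the step-level env: "" fix.
clear_credentials_for_next_steps() {
  env_file="${GITHUB_ENV:?run inside a GitHub Actions step}"
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    printf '%s=\n' "$v" >> "$env_file"
  done
}

# Usage inside a step: preflight "$ROLE_ARN" "$AWS_REGION" || exit 1
preflight() {
  check_role_region "$1" "$2" || { echo "ARN partition does not match region $2" >&2; return 1; }
  stale=$(stale_credential_vars)
  [ -z "$stale" ] || { echo "stale credentials set: $(echo "$stale" | tr '\n' ' ')" >&2; return 2; }
}
```

`preflight` returns 1 for a partition mismatch and 2 for leftover credentials, so a step can either fail fast or call `clear_credentials_for_next_steps` and continue.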

@github-actions

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
