
Incorrect token audience #775

Closed
dotan-wiv opened this issue Jul 18, 2023 · 12 comments
Labels
bug Something isn't working p2 response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.

Comments

@dotan-wiv

Describe the bug

aws-actions/configure-aws-credentials@v2 is not able to use OIDC

Expected Behavior

assume role and provide a temp keys

Current Behavior

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v2
  with:
    role-to-assume: arn:aws:iam::xxxxxxxxxxx:role/GitHubAction-AssumeRoleWithAction.
    role-session-name: GitHub_to_AWS_via_FederatedOIDC
    aws-region: ${{ env.AWS_REGION }}

the role Trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:xxxxxx/infrastructure:*"
        }
      }
    }
  ]
}

Also, added 2 Thumbprints as per
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

but still getting Error: Incorrect token audience

Reproduction Steps

as above

Possible Solution

No response

Additional Information/Context

No response

@dotan-wiv dotan-wiv added bug Something isn't working needs-triage This issue still needs to be triaged labels Jul 18, 2023
@peterwoodworth
Contributor

Should you be specifying a different audience than sts.amazonaws.com? That is configurable as an action input.

If you are expecting sts.amazonaws.com, then for some reason that is not the actual audience. Try using this action in your workflow to view the audience value on your token.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. p2 and removed needs-triage This issue still needs to be triaged labels Jul 18, 2023
@dotan-wiv
Author

dotan-wiv commented Jul 18, 2023

Do I need to run it as part of my current workflow?

I created a new workflow for this, but what should I look for in the output?

I see "aud": "https://github.com/my-repo",

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jul 18, 2023
@peterwoodworth
Contributor

Hmm I guess that action I linked isn't useful here since it requires that you specify the audience.

When this action runs, the audience is by default sts.amazonaws.com. You can see the readme on how to specify it. Try manually specifying it as sts.amazonaws.com?

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jul 18, 2023
@dotan-wiv
Author

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v2
  with:
    audience: sts.amazonaws.com
    role-to-assume: arn:aws:iam::xxxxxxxxxxx:role/GitHubAction-AssumeRoleWithAction.
    role-session-name: GitHub_to_AWS_via_FederatedOIDC
    aws-region: ${{ env.AWS_REGION }}

same error

Error: Incorrect token audience

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jul 19, 2023
@peterwoodworth
Contributor

Hm, is it possible you're on github enterprise?

@dotan-wiv
Author

Yes, I am.

@peterwoodworth
Contributor

I don't have access to enterprise, so I can't test stuff out unfortunately. But, you'll need to configure your IDP differently if you're using enterprise, see GitHub documentation here on how to configure it. See this issue for slightly more info on the topic.

Let me know if this helps or not; I think this must be the problem you are encountering.

@dotan-wiv
Author

It's the Enterprise plan, but it's not self-hosted.

@kellertk
Contributor

kellertk commented Jul 20, 2023

Hi there! The aud claim of the GitHub OIDC token defaults to the URL of the repository owner, which is what you're seeing. Here's an overview of how the OIDC flow works with this action:

  1. A trust exists between AWS IAM and GitHub OIDC. You would have configured this trust earlier.
  2. Each time your job runs, the GitHub OIDC generates a token about the identity of the workflow.
  3. One of your job steps is this action, which calls core.getIDToken(audience). This is the function that fetches the token from GitHub and we will then present it to AWS.
  4. If trusted, AWS vends temporary session credentials that this action exports to environment variables for later use.

Where things happen is step 3, which is here:

webIdentityToken = await core.getIDToken(audience);

In this action, audience is an input that we're fetching here:

const audience = core.getInput('audience', { required: false });

This input is not required. GitHub's docs say that inputs that are not required must specify a default in action.yml, which we are:

default: 'sts.amazonaws.com'

Your action run is behaving as if this default isn't making it through, which means the action is running with undefined as the audience, which means it's requesting defaults from GitHub, so you're seeing your repo URL in the audience claim. I'm not sure why the default isn't making it through the run for you, but I think you have a few options:

  • Manually specify the token audience in your workflow file. You can set this to whatever you like, as long as it matches the Condition you have configured in IAM. I think you've tried this and it didn't work. GitHub Enterprise has additional options for user authentication with OIDC and I'm not sure if this changes the claim that GitHub will give you when we call core.getIDToken. If possible, you could contact your GitHub Enterprise administrator to see if there is any special IdP configuration you have in use that wouldn't be available in the standard GitHub.
  • Change the aud claim that you're matching in your IAM IdP configuration
  • Fork this repo and add additional debugging statements to see why the audience variable doesn't seem to get presented to GitHub on the core.getIDToken call. We can't seem to reproduce this in our environment, but if you were able to provide us with info on what your action run is sending to GitHub, we can troubleshoot further.

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jul 20, 2023
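As a way to check the trust policy and token audience that kellertk's walkthrough describes, here is an added Python example (not code from this action or from anyone in the thread) that decodes a GitHub-style OIDC token payload and evaluates it against the IAM trust policy's StringEquals/StringLike conditions the way AssumeRoleWithWebIdentity would; the token, the account id 000000000000 and the org example-org are constructed placeholders.

```python
import base64
import fnmatch
import json

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample: GitHub-shaped OIDC claims with a placeholder signature, not a real token.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://token.actions.githubusercontent.com", "aud": "sts.amazonaws.com",
             "sub": "repo:example-org/infrastructure:ref:refs/heads/main"}),
    "signature-placeholder",
])

# Trust policy shaped like the one in the issue; account id and org are placeholders.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/infrastructure:*"},
    },
}]}

def decode_claims(token):
    """Decode the JWT payload only; signature verification is STS's job, not this check's."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def unmet_conditions(policy, claims):
    """Return (operator, condition key, actual value) for each condition the claims fail."""
    failures = []
    for stmt in policy["Statement"]:
        for op, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = claims.get(key.split(":", 1)[1])  # "<provider>:aud" -> claims["aud"]
                wanted = expected if isinstance(expected, list) else [expected]
                if op == "StringEquals":           # exact, case-sensitive match
                    ok = actual in wanted
                elif op == "StringLike":           # IAM's * and ? wildcards
                    ok = any(fnmatch.fnmatchcase(str(actual), w) for w in wanted)
                else:
                    raise ValueError(f"operator {op} is not modelled here")
                if not ok:
                    failures.append((op, key, actual))
    return failures
```

A trailing dot on the audience ("sts.amazonaws.com.") or the repo-owner URL GitHub uses when no audience is requested both show up as a StringEquals failure on the aud key, which is the condition STS reports as "Incorrect token audience".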
@peterwoodworth
Contributor

peterwoodworth commented Jul 21, 2023

Thanks Tom for the detailed reply,

I've found you can actually run debug logging to find the ID token URL already, since there is a debug statement in core.getIDToken(), which this action uses to create the token. You should then see in your workflow logs a line like this in the step that runs this action:

##[debug]ID token url is https://pipelines.actions.githubusercontent.com/ajbsdhfbjsduifsjbfIUSDBFDSBIFSFkdskfwef/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/ac808dca-a6e3-4482-84cf-08adcadf0d8/jobs/ac0d8ad-ab1c-5a3a-fe6c-ad9cd9uad9adc/idtoken?api-version=2.0&audience=sts.amazonaws.com

Check the very end of this string; it should show the audience that is actually being sent. Can you verify what this audience is? Is it still your repo name? If so, we may need to open a support ticket with GitHub or an issue in this repository for clarification on their side of why this might be happening.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. labels Jul 21, 2023
@dotan-wiv
Author

Quick update... it's all about the dot:
sts.amazonaws.com and not sts.amazonaws.com. in the audience

@github-actions

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
