Incorrect token audience #775
Comments
Should you be specifying a different audience than If you are expecting
Do I need to run it as part of my current workflow? I create a new workflow for this, but what should I look for in the output? I see "aud": "https://github.com/my-repo",
Hmm, I guess that action I linked isn't useful here since it requires that you specify the audience. When this action runs, the audience is by default
name: Configure AWS Credentials
Same error: Error: Incorrect token audience
Hm, is it possible you're on GitHub Enterprise?
Yes, I am.
I don't have access to Enterprise, so I can't test stuff out, unfortunately. But you'll need to configure your IdP differently if you're using Enterprise; see the GitHub documentation here on how to configure it. See this issue for slightly more info on the topic. Let me know if this helps or not; I think this must be the problem you are encountering.
It's the Enterprise plan, but it's not self-hosted.
Hi there! The
Where things happen is step 3, which is here: configure-aws-credentials/index.js Line 364 in 5fd3084
In this action, configure-aws-credentials/index.js Line 304 in 5fd3084
This input is not required. GitHub's docs say that inputs that are not required must specify a default in action.yml, which we are: configure-aws-credentials/action.yml Line 8 in 5fd3084
Your action run is behaving as if this default isn't making it through, which means the action is running with
Thanks, Tom, for the detailed reply. I've found you can actually run debug logging to find the ID token URL already, since this is a debug statement in Check the very end of this string, and it should show the audience that is actually being sent. Can you verify what this audience is? Is it still your repo name? If so, we may need to open a support ticket with GitHub or an issue in this repository for clarification on their side of why this might be happening.
Quick update... it's all about the dot.
Describe the bug
aws-actions/configure-aws-credentials@v2 is not able to use OIDC
Expected Behavior
Assume the role and provide temporary keys.
Current Behavior
```yaml
uses: aws-actions/configure-aws-credentials@v2
with:
  # note the trailing "." on the role ARN, which turns out to be the cause (see the last comment)
  role-to-assume: arn:aws:iam::xxxxxxxxxxx:role/GitHubAction-AssumeRoleWithAction.
  role-session-name: GitHub_to_AWS_via_FederatedOIDC
  aws-region: ${{ env.AWS_REGION }}
```
The role's trusted entities:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:xxxxxx/infrastructure:*"
        }
      }
    }
  ]
}
```
I also added the 2 thumbprints as per
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
but am still getting Error: Incorrect token audience
Reproduction Steps
as above
Possible Solution
No response
Additional Information/Context
No response
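An offline check for the two things this thread turns on, added here as an example (it is not code from aws-actions/configure-aws-credentials or from GitHub): it decodes the aud and sub claims of a GitHub Actions OIDC token, evaluates the trust policy posted in the issue with IAM's StringEquals and StringLike semantics, and flags a role-to-assume ARN whose role name ends in a stray character such as the trailing dot. The tokens, the 12-digit account ID and every helper name are constructed for the example; in a real workflow you would decode the token obtained from ACTIONS_ID_TOKEN_REQUEST_URL (or the one the action prints in its debug log) instead of a constructed one.

```python
"""Offline checks for an "Incorrect token audience" failure (added example, see lead-in)."""
import base64
import json
import re

PROVIDER = "token.actions.githubusercontent.com"

# Trust policy as posted in the issue; the account ID is a constructed placeholder.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{PROVIDER}:sub": "repo:xxxxxx/infrastructure:*"},
        },
    }],
}

def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Payload of a JWT WITHOUT signature verification: fine for reading aud/sub
    while debugging, never for an authorization decision."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT so the checks can run offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_holds(operator: str, expected, actual) -> bool:
    expected = expected if isinstance(expected, list) else [expected]
    actual = actual if isinstance(actual, list) else [actual]  # aud may be a list
    if operator == "StringEquals":
        return any(a == e for e in expected for a in actual)
    if operator == "StringLike":
        return any(isinstance(a, str) and iam_string_like(e, a) for e in expected for a in actual)
    raise ValueError(f"condition operator {operator} is not handled by this example")

def evaluate_trust_policy(policy: dict, claims: dict) -> list:
    """Reasons AssumeRoleWithWebIdentity would be denied; [] means allowed. Only the
    GitHub provider's condition keys are checked; an Allow statement succeeds when
    every one of its conditions holds against the token claims."""
    failures = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        stmt_failures = []
        for operator, conditions in stmt.get("Condition", {}).items():
            for key, expected in conditions.items():
                if not key.startswith(PROVIDER + ":"):
                    continue
                actual = claims.get(key[len(PROVIDER) + 1:])
                if not _condition_holds(operator, expected, actual):
                    stmt_failures.append(f"{operator} on {key}: token has {actual!r}, policy wants {expected!r}")
        if not stmt_failures:
            return []
        failures.extend(stmt_failures)
    return failures or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]

ROLE_ARN = re.compile(r"arn:aws:iam::(\d{12}):role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]+)")

def check_role_arn(arn: str) -> list:
    """Flag a role-to-assume value that is malformed or whose name ends in punctuation.
    A trailing '.' is a legal role-name character, so the ARN is syntactically valid
    and simply names a different role from the one you created; catch it before STS."""
    match = ROLE_ARN.fullmatch(arn)
    if match is None:
        return [f"not a well-formed IAM role ARN: {arn!r}"]
    name = match.group(3)
    if name[-1] in ".,":
        return [f"role name {name!r} ends in {name[-1]!r}; probably a paste error"]
    return []

if __name__ == "__main__":
    # Constructed tokens: the first carries an audience of the kind quoted in the
    # thread (a github.com URL), the second the one the trust policy requires.
    sub = "repo:xxxxxx/infrastructure:ref:refs/heads/main"
    for aud in ("https://github.com/my-repo", "sts.amazonaws.com"):
        claims = decode_jwt_claims(make_unsigned_token({"sub": sub, "aud": aud}))
        print(aud, "->", evaluate_trust_policy(TRUST_POLICY, claims) or "allowed")
    print(check_role_arn("arn:aws:iam::123456789012:role/GitHubAction-AssumeRoleWithAction."))
```

The decoder deliberately skips signature verification: it exists so you can read what aud and sub GitHub actually put in the token, which is what the debug-logging suggestion above is after. STS, not this script, is the party that verifies the signature against the provider's keys, so never reuse this decoding to make an access decision of your own.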