UnrecognizedClientException: The security token included in the request is invalid. #788

Closed
gayatribrg opened this issue Aug 23, 2023 · 9 comments
Labels
bug Something isn't working response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.

Comments

gayatribrg commented Aug 23, 2023

Describe the bug

I am using aws-actions/configure-aws-credentials@v2 to assume a role and I realize the temporary credentials generated as part of env can be used in the next step.

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: ${{ steps.assume-role.outputs.role }}
        aws-region: somevalue
        role-session-name: samplerolesession
        role-duration-seconds: 1200

    - name: connect to ssm
      uses: peterkimzz/aws-ssm-send-command@master
      id: ssm
      with:
        aws-region: ${{ env.AWS_DEFAULT_REGION }}
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        working-directory: /tmp
        command: ls -a
        comment: Sample script

However on step 2 I get the error "UnrecognizedClientException: The security token included in the request is invalid.
code: 'UnrecognizedClientException'"

Expected Behavior

Temporary credentials should be successfully used in next steps.

Current Behavior

I get the error "UnrecognizedClientException: The security token included in the request is invalid.
code: 'UnrecognizedClientException'"

Reproduction Steps

Call both these actions and kindly let me know what is being missed.

Possible Solution

No response

Additional Information/Context

No response

@gayatribrg gayatribrg added bug Something isn't working needs-triage This issue still needs to be triaged labels Aug 23, 2023
@sohamm-coditas

Getting

(node:29870) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
Error: The security token included in the request is invalid.

I'm using aws-actions/configure-aws-credentials@v2

@peterwoodworth
Contributor

What happens when you run get-caller-identity? Does the role you expect return? And be sure to check that the role you expect to be assumed is in fact the role being passed in to your workflow

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: ${{ steps.assume-role.outputs.role }}
        aws-region: somevalue
        role-session-name: samplerolesession
        role-duration-seconds: 1200

    - name: get caller identity
      run: |
        aws sts get-caller-identity

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-triage This issue still needs to be triaged labels Aug 23, 2023
@peterwoodworth
Contributor

Similar issue here where a subsequent workflow step fails with this error. Might be a coincidence, but if we can't find anything wrong with anyone's configurations there may be something up

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 23, 2023
@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 23, 2023
@gayatribrg
Author

aws sts get-caller-identity works fine and displays the role assumed, and for checking, when I add

    aws s3 ls

it displays the bucket. It assumes the right role and lists the buckets.

@minh-gfg

Upgrading to v3 fixed this issue for me

@peterwoodworth
Contributor

Glad to hear that the v3 upgrade helped @minh-gfg.

@gayatribrg have you tried upgrading to v3? We launched it yesterday. If you're still running into issues after v3, based on the information you've provided it wouldn't seem like it was due to this action since it appears your runner is properly assuming the role

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. labels Aug 24, 2023
@gayatribrg
Author

Tried v3; it promptly shows the role assumed. Despite that, when I call the action peterkimzz/aws-ssm-send-command@master, I am getting the invalid session token error. It should be something with this action.

@kellertk
Contributor

Unfortunately it looks like peterkimzz/aws-ssm-send-command hasn't been updated (that is, the dist files) in about 3 years. I'm not sure how code this old would interact with the AWS_SESSION_TOKEN, but if you're using temporary AWS credentials you actually have 3 env variables to worry about, the ACCESS_KEY_ID, the SECRET_ACCESS_KEY, and the SESSION_TOKEN. If the action can't handle the session token, you'll get this error.

I'd also point out that this action is fairly trivial, if you look at the source. It takes your inputs and directly passes them to an SDK call. Since they're using a version of the AWS JS SDK that's soon to be deprecated, and it doesn't look like the author is updating the repo anymore, I'd recommend you construct an SSM call yourself instead of relying on the aws-ssm-send-command action.

Closing this issue as can't repro.

@kellertk kellertk closed this as not planned Won't fix, can't repro, duplicate, stale Aug 25, 2023
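
Added example, not part of the thread and not code from either action: one way to follow the advice above and make the SSM call directly from a `run:` step placed after aws-actions/configure-aws-credentials, letting the AWS CLI read the access key ID, secret key and session token from the environment. The function names and the `SSM_INSTANCE_ID` variable are assumptions, and the `ASIA` prefix check relies on AWS's documented prefix for STS-issued key IDs, which the thread does not mention.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). SSM_INSTANCE_ID is an assumed variable.

# Classify the credentials visible in the environment.
# Prints one of: none, long-term, temporary, temporary-missing-token
credential_kind() {
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "none"
  elif [ -n "${AWS_SESSION_TOKEN:-}" ]; then
    echo "temporary"
  else
    case "$AWS_ACCESS_KEY_ID" in
      # STS-issued key IDs start with ASIA. Used without their session token
      # they are rejected with "The security token ... is invalid".
      ASIA*) echo "temporary-missing-token" ;;
      *)     echo "long-term" ;;
    esac
  fi
}

# Run one shell command on an instance through the AWS-RunShellScript document.
# No credential is passed by hand: the CLI picks up all three variables.
# Assumes cmd and workdir contain no double quotes (they are embedded in JSON).
send_shell_command() {
  instance_id=$1; workdir=$2; cmd=$3; comment=$4
  kind=$(credential_kind)
  case "$kind" in
    none|temporary-missing-token)
      echo "refusing to call SSM: credentials are '$kind'" >&2
      return 1 ;;
  esac
  aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --instance-ids "$instance_id" \
    --comment "$comment" \
    --parameters "{\"commands\":[\"$cmd\"],\"workingDirectory\":[\"$workdir\"]}" \
    --query "Command.CommandId" --output text
}

# Same command, directory and comment as the workflow in the issue.
if [ -n "${SSM_INSTANCE_ID:-}" ]; then
  send_shell_command "$SSM_INSTANCE_ID" /tmp "ls -a" "Sample script"
fi
```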
@github-actions

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
