GHA runner suddenly not authorized to perform sts:AssumeRoleWithWebIdentity #900
Comments
I have a similar problem. The CloudTrail event reports "An unknown error occurred"
I have the same CloudTrail event.
My bad, I’d recreated the roles via cloudformation and the names had changed. @davidristov may have a real issue, but mine was a configuration error, now resolved.
I just got it resolved and it was a configuration error as well. GitHub organization name had changed from capital first letter to lowercase making the IAM role trust policy invalid. Initially, I checked for new thumbprints which was the case but after adding it the issue still persisted. I assumed it was somewhat related similarly like the issue a few months ago. Closing issue.
Comments on closed issues are hard for our team to see.
Describe the bug
All workflows suddenly started failing on the aws-actions/configure-aws-credentials step with the following error: Not authorized to perform sts:AssumeRoleWithWebIdentity
From the workflows history, we had everything running up until Wednesday last week (Oct 18) and started seeing the issue from Friday (Oct 20). In between there are no relevant configuration changes that affect these resources (IAM role, OIDC provider).
Expected Behavior
IAM role gets assumed successfully by the GitHub Actions runner.
Current Behavior
GitHub Actions runner is not authorized to assume the defined IAM role.
Reproduction Steps
GitHub workflow:
Both vars.GHA_ROLE and env.AWS_REGION have the correct values.
Trust policy on IAM role:
AWS OIDC provider URL: https://token.actions.githubusercontent.com
Audience: sts.amazonaws.com
Thumbprints: 6938fd4d98bab03faadb97b34396831e3780aea1, 1c58a3a8518e8759bf075b76b750d4f2df264fcd, 1b511abead59c6ce207077c0bf0e0043b1382612
Possible Solution
No response
Additional Information/Context
No response
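The cause reported in the comments, an organization name whose capitalization changed, can be checked offline by comparing a token's claims against the role's trust policy conditions. This is an added example, not code from the thread or from the action itself; the organization, repository and policy are constructed, the function names are hypothetical, and it relies on IAM's `StringEquals` and `StringLike` operators being case-sensitive.

```python
import re

ISSUER = "token.actions.githubusercontent.com"

def _matches(op, pattern, value, ignore_case=False):
    # IAM StringEquals is an exact match; StringLike adds '*' and '?' wildcards.
    # Both are case-sensitive; ignore_case is used only to diagnose near-misses.
    rx = re.escape(pattern)
    if op == "StringLike":
        rx = rx.replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def explain_mismatches(trust_policy, claims):
    """Return (condition_key, reason) for each condition the claims fail."""
    findings = []
    for stmt in trust_policy["Statement"]:
        for op, conds in stmt.get("Condition", {}).items():
            if op not in ("StringEquals", "StringLike"):
                continue  # other operators are outside this sketch
            for key, wanted in conds.items():
                value = claims.get(key.rsplit(":", 1)[-1], "")
                patterns = [wanted] if isinstance(wanted, str) else wanted
                if any(_matches(op, p, value) for p in patterns):
                    continue
                case_only = any(_matches(op, p, value, True) for p in patterns)
                findings.append((key, "case-only mismatch" if case_only else "mismatch"))
    return findings

# Constructed sample data ("ExampleOrg"/"exampleorg" and "demo-repo" are made up),
# trimmed to the fields this check reads.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{ISSUER}:sub": "repo:ExampleOrg/*"},
        },
    }],
}
CLAIMS = {"aud": "sts.amazonaws.com",
          "sub": "repo:exampleorg/demo-repo:ref:refs/heads/main"}

if __name__ == "__main__":
    for key, reason in explain_mismatches(TRUST_POLICY, CLAIMS):
        print(f"{key}: {reason} (token value: {CLAIMS[key.rsplit(':', 1)[-1]]})")
```

A `case-only mismatch` on the `sub` key corresponds to the renamed-organization case from the thread; a plain `mismatch` points at a different repository, branch filter or audience.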