Error: Could not load credentials from any providers - Caused by env var #962

Closed
Ca-moes opened this issue Dec 29, 2023 · 5 comments · Fixed by #1003
Labels
bug Something isn't working documentation This is an issue with documentation p2

Ca-moes commented Dec 29, 2023

Describe the bug

When running the action, if there was an environment variable with the name AWS_PROFILE set, it would throw the error:

Error: Could not load credentials from any providers

By removing this env var, the action runs successfully.

Expected Behavior

Action to run without a problem, no matter which env vars I set on my workflow.

Current Behavior

By including an env var named AWS_PROFILE, the action fails with the error:

Error: Could not load credentials from any providers

Reproduction Steps

The workflow below creates two jobs, one of them works and the other fails:

name: Test aws action

on:
  push:

jobs:
  aws-auth-working:
    name: AWS Authentication working
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4    
        with:
          role-to-assume: arn:aws:iam::xxxxxxxxxxxx:role/github-actions-prod
          aws-region: eu-central-1

      - name: Get Caller Identity
        run: aws sts get-caller-identity
        shell: bash
    
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

  aws-auth-not-working:
    name: AWS Authentication not working
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      AWS_PROFILE: prod
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3     
        with:
          role-to-assume: arn:aws:iam::xxxxxxxxxxxx:role/github-actions-prod
          aws-region: eu-central-1
    
      - name: Get Caller Identity
        run: aws sts get-caller-identity
        shell: bash
  
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

Possible Solution

The env var is referenced here:

Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getProfileName = exports.DEFAULT_PROFILE = exports.ENV_PROFILE = void 0;
exports.ENV_PROFILE = "AWS_PROFILE";
exports.DEFAULT_PROFILE = "default";
const getProfileName = (init) => init.profile || process.env[exports.ENV_PROFILE] || exports.DEFAULT_PROFILE;
exports.getProfileName = getProfileName;

and here, only:

Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getProfileName = exports.DEFAULT_PROFILE = exports.ENV_PROFILE = void 0;
exports.ENV_PROFILE = "AWS_PROFILE";
exports.DEFAULT_PROFILE = "default";
const getProfileName = (init) => init.profile || process.env[exports.ENV_PROFILE] || exports.DEFAULT_PROFILE;
exports.getProfileName = getProfileName;


One possible fix could be to remove the following option || process.env[exports.ENV_PROFILE] || and turn that line into:

const getProfileName = (init) => init.profile || exports.DEFAULT_PROFILE; 

Additional Information/Context

Is an env var defined at the job level used by all the lower level steps on a workflow? If yes, then it should be documented on this action to reserve these env var names, or overwrite them correctly, or choose a different method.

@Ca-moes Ca-moes added bug Something isn't working needs-triage This issue still needs to be triaged labels Dec 29, 2023
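
Added example, not code from the action or the AWS SDK: a job-level `env:` entry is exported to every step in that job, so the lookup quoted in the issue sees `AWS_PROFILE: prod`. The block reproduces that lookup with the environment passed in as a parameter and adds a hypothetical `preflight` helper that flags when an ambient `AWS_PROFILE` selects a profile the runner does not define; `profilesIn`, `preflight` and the sample inputs are constructed for illustration.

```javascript
const ENV_PROFILE = "AWS_PROFILE";
const DEFAULT_PROFILE = "default";

// Same precedence as the getProfileName quoted in the issue, with the
// environment passed in so it can be exercised without touching process.env.
const getProfileName = (init, env) =>
  init.profile || env[ENV_PROFILE] || DEFAULT_PROFILE;

// Collect profile names from shared config/credentials text:
// "[prod]" in a credentials file, "[profile prod]" in a config file.
function profilesIn(iniText) {
  const names = new Set();
  for (const line of iniText.split(/\r?\n/)) {
    const m = /^\s*\[\s*(?:profile\s+)?([^\]\s]+)\s*\]/.exec(line);
    if (m) names.add(m[1]);
  }
  return names;
}

// Hypothetical pre-flight check: report when an ambient AWS_PROFILE steers
// the lookup, and whether the selected profile exists on the runner.
function preflight(env, iniText, init = {}) {
  const selected = getProfileName(init, env);
  const fromEnv = !init.profile && Boolean(env[ENV_PROFILE]);
  const defined = profilesIn(iniText).has(selected);
  const findings = [];
  if (fromEnv) {
    findings.push(`profile "${selected}" selected by ambient ${ENV_PROFILE}`);
    if (!defined) findings.push(`profile "${selected}" is not defined on this runner`);
  }
  return { selected, fromEnv, defined, findings };
}

// Constructed inputs: the failing job's env block from the issue, a hosted
// runner with no shared config (empty text), and a runner that defines "prod".
const failingJobEnv = { AWS_PROFILE: "prod" };
const hostedRunnerIni = "";
const selfHostedIni =
  "[default]\nregion = eu-central-1\n[profile prod]\nregion = eu-central-1\n";

console.log(preflight(failingJobEnv, hostedRunnerIni).findings);
```

An explicit `init.profile` or an empty `AWS_PROFILE` bypasses the environment value, because the lookup uses `||` and an empty string is falsy.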
@tim-finnigan
Contributor

Thanks for reaching out. In the README it notes:

If no access key credentials are given in the action inputs, this action will use credentials from the runner environment using the default methods for the AWS SDK for Javascript.

Other comments such as this one go into more detail here. The documentation could potentially be further improved to describe the behavior.

@tim-finnigan tim-finnigan added p2 documentation This is an issue with documentation response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-triage This issue still needs to be triaged labels Jan 3, 2024
@Ca-moes
Author

Ca-moes commented Jan 3, 2024

Thank you for the answer. In the README, this behaviour seems to only apply to self-hosted runners, since what you described is only on that section, but I'm glad to now know that this situation happened due to an attempt to authenticate via the SDK.

Adding the SDK as an authentication option in the table of section https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#using-this-action might provide better visibility and transparency of this method.

Thank you for your help, Tim

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jan 3, 2024
@kellertk
Contributor

kellertk commented Feb 9, 2024

We do call this out in the very first paragraph of the README, but we can still be a little more clear.
