Using organization environment variables for role-to-assume is empty #988

Closed
farvour opened this issue Jan 24, 2024 · 2 comments
Labels: bug (Something isn't working), needs-triage (This issue still needs to be triaged)

farvour commented Jan 24, 2024

Describe the bug

When I try to pass in a value for the role-to-assume input using a value from the organization environment variables as opposed to the organization secrets, it ends up being blank, which causes the process to fail. This happened with both the v3 and v4 versions.

Run aws-actions/configure-aws-credentials@v4
  with:
    role-duration-seconds: 1800
    aws-region: us-west-2
    audience: sts.amazonaws.com
  env:
    AWS_DEFAULT_REGION: ***
    AWS_REGION: ***
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

Expected Behavior

I expect the value for role-to-assume to be provided and allow the OIDC connector to AWS to work.

Current Behavior

The value for role-to-assume remains empty, which subsequently means it can't ask the OIDC identity endpoint for the right role to use.

Reproduction Steps

First, define the two organization environment variables:

  • CI_AWS_IAM_ROLE_ARN
  • AWS_DEFAULT_ROLE_DURATION_SECS

Then, create an action job that does:

# This is required for build-time secrets to be pulled from AWS Secrets Manager.
- run: echo "Value for role-to-assume should be ${{ env.CI_AWS_IAM_ROLE_ARN }}"
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: ${{ env.CI_AWS_IAM_ROLE_ARN }}
    role-duration-seconds: ${{ env.AWS_DEFAULT_ROLE_DURATION_SECS }} # The TTL of the session, in seconds.
    aws-region: us-west-2

Possible Solution

No response

Additional Information/Context

I am using self-hosted runners, and I recall reading somewhere that it can create certain problems with some actions trying to use inputs from environment variables... I was not sure why that would happen here, considering the value for AWS_DEFAULT_ROLE_DURATION_SECS exists, but the other does not despite them being available.

farvour added the bug and needs-triage labels Jan 24, 2024
farvour commented Jan 24, 2024

Ahoy! I guess I was a bit premature here; the one thing I failed to read was the full doc on GitHub Variables. I realized that in the past I must have been setting env vars based off of these configuration variables, and in this workflow it was an empty value.

With ${{ vars.CI_AWS_IAM_ROLE_ARN }} directly, it is working.

I will close this.

farvour closed this as completed Jan 24, 2024
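
The working configuration reported in the last comment, written out as an added example (not code from the issue or from the aws-actions project): organization configuration variables are read through the `vars` context, and a guard step fails the job before the credentials action runs if the role ARN expands to an empty string. The workflow name, job name, trigger, guard step, `shell: bash` and the `permissions` block are assumptions; `id-token: write` is the permission GitHub requires before a job can request an OIDC token.

```yaml
# Added example; names marked "assumed" do not come from the issue.
name: assume-role-via-oidc            # assumed workflow name
on: push                              # assumed trigger

permissions:
  id-token: write    # lets the job request the OIDC token exchanged for the role
  contents: read

# Optional mapping: with this declared, ${{ env.CI_AWS_IAM_ROLE_ARN }} resolves.
# Without a mapping like this, the env context has no such key and the
# expression expands to an empty string, which is what the report shows.
env:
  CI_AWS_IAM_ROLE_ARN: ${{ vars.CI_AWS_IAM_ROLE_ARN }}

jobs:
  build:                              # assumed job name
    runs-on: self-hosted
    steps:
      # Guard (assumed step): stop before the credentials action runs if the
      # organization variable is empty or not shared with this repository.
      # The value is passed through env rather than interpolated into the
      # script, and it is never echoed.
      - name: Require role ARN
        shell: bash                   # assumes bash exists on the self-hosted runner
        env:
          ROLE_ARN: ${{ vars.CI_AWS_IAM_ROLE_ARN }}
        run: |
          if [ -z "$ROLE_ARN" ]; then
            echo "::error::vars.CI_AWS_IAM_ROLE_ARN is empty or not visible to this repository"
            exit 1
          fi

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.CI_AWS_IAM_ROLE_ARN }}
          role-duration-seconds: ${{ vars.AWS_DEFAULT_ROLE_DURATION_SECS }} # The TTL of the session, in seconds.
          aws-region: us-west-2
```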

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.