Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. #993

Closed
mattpopa opened this issue Jan 31, 2024 · 7 comments
Closed

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. #993

mattpopa opened this issue Jan 31, 2024 · 7 comments
Assignees
@tim-finnigan
Labels
bug Something isn't working

Comments

@mattpopa
Copy link

Describe the bug

While using self-hosted runners, which already use OIDC for EKS AWS auth, the following warning is issues

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Expected Behavior

While already using OIDC on self-hosted runners on EKS, we should not be getting warnings about not using OIDC

like so

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Current Behavior

Getting this warning everytime even though we are using OIDC on our self-hosted runners in AWS EKS

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Reproduction Steps

Using self-hosted runners on EKS, github actions controller + scale sets, EKS OIDC setup for runner pods

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: ${{ secrets.PROD_AWS_ROLE_TO_ASSUME }}
      role-duration-seconds: ${{ env.AWS_ROLE_DURATION }}
      aws-region: ${{ env.AWS_REGION }}

getting

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Possible Solution

suppress the warning

To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

this happens since updating the action to v4 for the node deprecation

Additional Information/Context

No response
@mattpopa mattpopa added bug Something isn't working needs-triage This issue still needs to be triaged labels Jan 31, 2024
@tim-finnigan
Copy link
Contributor

Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-triage This issue still needs to be triaged labels Jan 31, 2024
@Ga13Ou
Copy link

Ga13Ou commented Jan 31, 2024

Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

Any visibility on when this will be added to v4 ?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Jan 31, 2024
@mattpopa
Copy link
Author

mattpopa commented Feb 1, 2024

Hi @mattpopa thanks for reaching out. We removed that warning here: #926. I couldn't reproduce the warning when testing but I may be missing some steps, are there any other details you can share regarding this?

Thanks for replying. I don't see that change inside v4

git tag --contains 6129f329e60ccdcc69cae650f925172621807647

Let us know if there's a plan to update v4 to include that change.

@ponkio-o
Copy link

ponkio-o commented Feb 5, 2024
edited
Loading

Hi, I'm facing the same issue. It looks reverted on the following PR.
#871

Our environment are using sts:AssumeRole (without long-term credentials), but showing the warning.

@tim-finnigan tim-finnigan self-assigned this Feb 5, 2024
@tim-finnigan
Copy link
Contributor

Thanks for following up - just released 4.0.2 and pointed v4 to include latest changes, so the warning should now be removed: https://github.com/aws-actions/configure-aws-credentials/releases.

@tim-finnigan tim-finnigan added closing-soon This issue will automatically close in 2 days unless further comments are made. and removed investigating labels Feb 7, 2024
@ponkio-o
Copy link

ponkio-o commented Feb 7, 2024
edited
Loading

@tim-finnigan Hi, I checked the v4.0.2 that doesn't showing the warning when I use sts:AssumeRole (without IAM access key) on self-hosted runner.

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 2 days unless further comments are made. label Feb 7, 2024
@kellertk kellertk closed this as completed Feb 9, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 9, 2024

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tim-finnigan tim-finnigan

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kellertk @mattpopa @ponkio-o @Ga13Ou @tim-finnigan