aws-toolkit-azure-devops

Classic S3 Upload Task fails when using Service Connection configured to use OIDC authentication

Open swansonaj opened this issue 1 year ago • 1 comments

Describe the bug

Many of our customers still use Classic Azure DevOps pipelines (as opposed to YAML pipelines), and therefore the classic tasks that come with the AWS Toolkit for Azure DevOps are also used. While trying a conversion of one of these pipelines to use a Service Connection with OIDC authentication enabled, I can't seem to get past the following error: "Failed to assume role with OIDC: Error: System.AccessToken is undefined."

Here's a log excerpt with error in context:

Content uploads are performed using S3's PutObject API and/or the multi-part upload APIs. The specific APIs used depend on the size of the individual files being uploaded.
2024-08-30T20:12:30.8854418Z ==============================================================================
2024-08-30T20:12:31.5474060Z Configuring credentials for task
2024-08-30T20:12:31.5480739Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5480974Z Skipping Instance profile, we have OIDC enabled
2024-08-30T20:12:31.5491876Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5493003Z Getting OIDC Token...
2024-08-30T20:12:31.5499826Z Failed to assume role with OIDC: Error: System.AccessToken is undefined
.
.
.

To reproduce

  1. Create an AWS Service Connection with "Use OIDC" enabled
  2. Create a classic Azure DevOps pipeline with an S3 Upload task in it and configure that task to use the service connection from step 1
  3. Run the pipeline; it will fail

Expected behavior

The S3 Upload task should work

Screenshots

2024-08-30 16-05-42_cfn-poc-cfn-release - Release-7 - Pipelines

Your Environment

  • On-prem or cloud based?: Cloud
  • Azure DevOps version: Whatever version is used in the cloud
  • AWS Toolkit for Azure DevOps version: 1.15.0 (Latest)

Additional context

I tried the S3 Upload tasks using a YAML pipeline (same service connection and target S3 bucket) and it worked!

swansonaj, Aug 30 '24 21:08

Same issue here with ECR Push Image:

Getting OIDC Token...
Failed to assume role with OIDC: Error: System.AccessToken is undefined

shillam, Oct 16 '24 11:10

Please let us know if you still have this error after enabling OAuth Tokens in your pipeline.


hayemaxi, Dec 04 '24 20:12

https://github.com/aws/aws-toolkit-azure-devops/pull/587 should help

hayemaxi, Jan 07 '25 15:01

Released in v1.19.0

hayemaxi, Jan 15 '25 19:01