toolkit icon indicating copy to clipboard operation
toolkit copied to clipboard

Published 20 hours ago verified publisher icon actions

Occasionally throwing error "Cannot read properties of undefined (reading 'message')" on getIdToken

Open lkeijmel opened this issue 1 year ago • 3 comments

Describe the bug It's related to a error raised in https://github.com/aws-actions/configure-aws-credentials/issues/395 where the OIDC client seems to throw an error which seems to be undefined somehow. We've tracked it down to the getIDToken function where it catches an error and rethrow it, see my comment on https://github.com/aws-actions/configure-aws-credentials/issues/395#issuecomment-1600275819

The strange thing is that it doesn't happen all the time so it's also hard to reproduce or pinpoint it further.

To Reproduce Steps to reproduce the behavior:

  1. Use the aws-actions/configure-aws-credentials
  2. Configure the OIDC provider
  3. Trigger a couple of workflow to use this action
  4. See error

Expected behavior No error or a clear one

Screenshots / code

Error: Error message: Cannot read properties of undefined (reading 'message')
/home/runner/work/_actions/aws-actions/configure-aws-credentials/v2/dist/index.js:585
                throw new Error(`Error message: ${error.message}`);

Referencing to this code:

static getIDToken(audience) {
        return __awaiter(this, void 0, void 0, function* () {
            try {
                // New ID Token is requested from action service
                let id_token_url = OidcClient.getIDTokenUrl();
                if (audience) {
                    const encodedAudience = encodeURIComponent(audience);
                    id_token_url = `${id_token_url}&audience=${encodedAudience}`;
                }
                core_1.debug(`ID token url is ${id_token_url}`);
                const id_token = yield OidcClient.getCall(id_token_url);
                core_1.setSecret(id_token);
                return id_token;
            }
            catch (error) {
                throw new Error(`Error message: ${error.message}`); <------ ERROR IS THROWN HERE
            }
        });
    }

lkeijmel avatar Jun 21 '23 08:06 lkeijmel

One instance in which I see this is if certificate verification of the GitHub Enterprise Server fails. We use a custom CA and if we fail to set $NODE_EXTRA_CA_CERTS then we see this error rather than the "certificate verify failed" that we would expect.

lordmauve avatar Feb 08 '24 13:02 lordmauve

Do you happen to have any news or a workaround for this issue? I'm using the actions toolkit to get an OIDC token for my action, and every once in a while, I get this exact issue. Error message: Cannot read properties of undefined (reading 'message'). Any ideas on how eliminate it? would a retry fix it? and if so, can we add it directly to the getIDToken function? For reference, here is my code:

 - name: Get OIDC Token
      uses: actions/github-script@v6
      id: get-oidc-token-from-github
      with:
        script: |
          const actionCore = require('@actions/core');
          const { execSync } = require('child_process');
            (async () => {
              try {
                const OIDC_TOKEN = await actionCore.getIDToken();
                actionCore.setOutput('OIDC_TOKEN', OIDC_TOKEN);
              } catch (error) {
                actionCore.error('Failed to get OIDC Token from GitHub servers: ' + error + '\n');
                execSync('exit 100');
              }
            })();

Thanks!

Moshikol avatar Mar 14 '24 10:03 Moshikol

@Moshikol we ended up implementing retry behavior in aws-actions/configure-aws-credentials. I don't maintain that action anymore, but it seemed to have worked fine at the time

peterwoodworth avatar Mar 14 '24 20:03 peterwoodworth