amazon-ecr-login
[QUESTION] Credentials priority
I have an EKS cluster in the prod account (within an AWS Organization). It has OIDC enabled and I manage permissions for pods through OIDC.
Configured a custom runner on this cluster (with no role attached -> assume that it will get the node default).
ECR is in another account.
Configured an IAM identity provider for GitHub.
The pipeline should build a docker image and push it to ECR using kaniko.
On the custom runner it fails with unauthorised; on the default ubuntu-latest from GitHub it works fine.
```yaml
jobs:
  build:
    runs-on: custom-runner
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: 'arn:aws:iam::ACCOUNT:role/github-action-test-role'
          aws-region: us-east-1
      - uses: aws-actions/amazon-ecr-login@v1
        id: ecr
        with:
          registries: 'ACCOUNT'
      - uses: docker/metadata-action@v4
        id: metadata
        with:
          images: ${{ steps.ecr.outputs.registry }}/${{ github.event.repository.name }}
      - name: debug
        run: |
          pip install awscli
          aws sts get-caller-identity # Here I get expected assumed role
      - uses: int128/kaniko-action@v1
        with:
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          cache: false
```
Is it an issue, or is something not configured properly? Thanks