configure-aws-credentials
Trying to use `webIdentityTokenFile` results in `Credentials could not be loaded` error
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html
I have a setup where I need to assume a role using a web identity token, AWS CLI commands below:
```shell
aws sts assume-role-with-web-identity \
  --role-arn $AWS_ROLE_ARN \
  --role-session-name mysession \
  --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token \
  --duration-seconds 1000 > /tmp/irp-cred.txt
export AWS_ACCESS_KEY_ID="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.AccessKeyId")"
export AWS_SECRET_ACCESS_KEY="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SecretAccessKey")"
export AWS_SESSION_TOKEN="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SessionToken")"
```
Expected Action YAML:
```yaml
steps:
  - uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-region: eu-west-1
      role-to-assume: arn:aws:iam::xxxxxxxxx:role/role_name_to_assume
      web-identity-token: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```
The context to this is that I have a pod running on an EKS cluster and EKS IRSA is not an option.
@callum-tait-pbx you should now be able to use a web identity token file to assume a role: https://github.com/aws-actions/configure-aws-credentials/pull/240
While this was implemented in #240 for EKS support, the nascent GitHub OIDC provider doesn't work properly with it.
Cribbing from https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html, I can try this, which fails to find credentials when run.
```yaml
name: ensure access
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - run: |
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
          echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
      - uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::0123456789:role/ExampleGithubRole
          web-identity-token-file: "${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }}"
          aws-region: us-east-1
      - run: aws sts get-caller-identity
```
This workflow yields this error:
```text
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
```
At the same time, it is possible to do the same thing without this action:
```yaml
name: ensure access
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - run: |
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
          echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
      # we have to set AWS_EC2_METADATA_DISABLED to avoid boto looking instead for IMDS (seems like a boto/cli bug?)
      - run: AWS_EC2_METADATA_DISABLED=true AWS_ROLE_ARN=arn:aws:iam::0123456789:role/ExampleGithubRole AWS_WEB_IDENTITY_TOKEN_FILE=${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }} aws sts get-caller-identity
```
For completeness, both of these are using a GitHub OIDC provider in IAM created with CloudFormation as in the blog post:
```yaml
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://vstoken.actions.githubusercontent.com
      ClientIdList: [sigstore]
      ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
```
I don't think I understand why this is the case, but if I redundantly specify env variables that match the action input variables, then everything seems to work as expected:
```yaml
- uses: aws-actions/configure-aws-credentials@8053174404968575ac1dd102dcb1109d2fe6d9ea
  env:
    AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
    AWS_ROLE_ARN: arn:aws:iam::123412341234:role/srv_ops
    AWS_DEFAULT_REGION: us-west-2
  with:
    aws-region: us-west-2
    role-to-assume: arn:aws:iam::123412341234:role/srv_ops
    web-identity-token-file: /tmp/awscreds
    role-duration-seconds: 900
```
The original issue here has to do with supporting a new feature. I'm repurposing this issue to track the issue @avram has reported. I've found the same behavior in that trying to use this feature as documented results in an error. I think I've found the reason why and I'm going to submit a PR.
Actually, I had something slightly misconfigured. I am finding that `webIdentityTokenFile` works fine. However, I was running into `Credentials could not be loaded` when I should've been running into `Web identity token file does not exist`:
https://github.com/aws-actions/configure-aws-credentials/blob/5a4b8f03d1948e564e5e97d168d19dbbab75abf4/index.js#L104
Please ensure that your file is properly generated and exists where you're specifying it, and this should work. The error messaging will need further investigation, but is lower priority. Let me know if anyone has any leads here, thanks!
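Since the generic error hides the real cause (a token file that is missing, empty or not what the IAM provider expects), an added pre-flight check can be run as a step before the action. This is example code written for this thread, not the action's own code; the issuer and audience values come from the CloudFormation snippet above, and the function names are assumptions.

```python
import base64
import json
import tempfile
import time
from pathlib import Path

def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload of a JWT, unverified: STS checks the signature, this only catches misconfiguration."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_unb64url(parts[1]))

def check_token_file(path, expected_aud: str, expected_iss: str, now=None) -> list:
    """Added pre-flight check (not the action's code): return the problems found with the
    web identity token file; an empty list means it looks usable."""
    path = Path(path)
    if not path.is_file():
        return [f"web identity token file does not exist: {path}"]
    try:
        claims = jwt_claims(path.read_text(encoding="utf-8"))
    except ValueError as exc:  # also raised for bad base64 and bad JSON
        return [f"token is not a parseable JWT: {exc}"]
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    checks = [
        # aud must match the IAM OIDC provider's ClientIdList (here: sigstore)
        (expected_aud in auds, f"aud {auds} does not include {expected_aud!r}"),
        (claims.get("iss") == expected_iss, f"iss {claims.get('iss')!r} is not {expected_iss!r}"),
        (claims.get("exp", 0) > (time.time() if now is None else now), "token is expired"),
    ]
    return [msg for ok, msg in checks if not ok]

def constructed_token(claims: dict) -> str:
    """Unsigned 'alg: none' JWT built from claims: a constructed fixture that STS would reject."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def run_demo() -> dict:
    """Run the check against constructed good, bad and missing token files in a temp dir."""
    iss, aud, now = "https://vstoken.actions.githubusercontent.com", "sigstore", 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        Path(d, "good").write_text(constructed_token({"iss": iss, "aud": aud, "exp": now + 300}))
        Path(d, "bad").write_text(constructed_token({"iss": iss, "aud": "api://other", "exp": now - 1}))
        return {n: check_token_file(Path(d, n), aud, iss, now) for n in ("good", "bad", "missing")}
```

In a workflow, call `check_token_file` on the path you pass as `web-identity-token-file` and fail the job if it returns anything, so the step log names the actual problem.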
https://github.com/aws-actions/configure-aws-credentials/blob/0270d0bcecaf2c76c8fbf7bf3de0d65a6d06e076/index.js#r120268191 may be relevant
From my reading of the code this cannot work.
This should be fixed in v3, let me know if it's not.
** Note ** Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.