configure-aws-credentials
Could not load credentials from any providers
I have already checked the related issues #202 and #188, but in my case I am not using Dependabot.
This is my pipeline.yaml, truncated up to this action:
name: My Deployment
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ap-southeast-1
          role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
          role-session-name: GitHubActions
      ....
This is my trust relationship for that role:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}
This is my OIDC provider setup in IAM.
And this is the error:
Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ap-southeast-1
    role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
    role-session-name: GitHubActions
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
I am not using a self-hosted runner.
What am I doing wrong? Maybe the audience?
Thanks
UPDATE:
It seems like this method returns false, because you do not validate credentials in the assumeRole method:
const useGitHubOIDCProvider = () => {
  // The assumption here is that self-hosted runners won't be populating the `ACTIONS_ID_TOKEN_REQUEST_TOKEN`
  // environment variable and they won't be providing a web identity token file or access key either.
  // V2 of the action might relax this a bit and create an explicit precedence for these so that customers
  // can provide as much info as they want and we will follow the established credential loading precedence.
  return roleToAssume && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && !accessKeyId && !webIdentityTokenFile
}
Honestly, I cannot find a way to echo the variable ACTIONS_ID_TOKEN_REQUEST_TOKEN.
UPDATE 2:
OK, the variable ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set. I am not sure why it is not there, and I cannot find much information about it.
I am willing to submit a PR if needed.
So I think there is an undocumented permissions setting you need to use in your workflow to get it:
permissions:
  id-token: write
  contents: read
Try that.
I don't think a new release has been made since Jul 19, while the OIDC changes were merged two days ago. https://github.com/aws-actions/configure-aws-credentials/commit/b8c74de753fbcb4868bf2011fb2e15826ce973af
What happens if you change the version to master?
uses: aws-actions/configure-aws-credentials@v1
-> uses: aws-actions/configure-aws-credentials@master
I'm experiencing the exact same error too.
I just got it running with your setup, using aws-actions/configure-aws-credentials@b8c74de instead of v1/master and adding sigstore to the list of audiences.
I'm looking into this now. We used 'sigstore' in an earlier version while we were testing the action.
What happens if you use aws-actions/configure-aws-credentials@20ce4e5?
I've been able to reproduce this. I'm working with the GitHub team to root cause it. Our plan was to use the audience sts.amazonaws.com, since that indicates who you intend to hand the JWT to. It appears that the ability to set an arbitrary audience hasn't reached everywhere yet. I'm suggesting that we:
(1) roll this repo back to the version where the audience was hardcoded with sigstore for now
(2) I document in the repo's readme the additional permissions that are needed
(3) I add a note to the readme that this feature is still undergoing changes by GitHub
Thoughts?
@richardhboyd ok, I saw your last commit yesterday, so I have tried using aws-actions/configure-aws-credentials@master, sigstore as the audience, and adding the permissions suggested by @androidwiltron, and it is working.
I think we should implement (2).
EDIT: minor correction in the permissions, since I am using semantic-release:
permissions:
  id-token: write
  contents: write
I am not sure this is related to this action, but now I have the following error:
UnknownEndpoint: Inaccessible host: `api.ecr-public.ap-southeast-1.amazonaws.com' at port `undefined'. This service may not be available in the `ap-southeast-1' region
- name: Run deployment script
  run: node pipeline.js
This is the shortened content of the script, at the point where it fails:
const AWS = require("aws-sdk");
const ecr = new AWS.ECRPUBLIC({
  region: process.env.AWS_REGION,
  apiVersion: '2020-10-30'
})
await ecr.getAuthorizationToken().promise();
I have tried specifying the endpoint, since ecr-public does not exist, but then I get this other error:
InternalFailure: null
    at Request.extractError (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/home/runner/work/saml-proxy/saml-proxy/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'InternalFailure',
  time: 2021-10-01T01:44:42.290Z,
  requestId: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  statusCode: 500,
  retryable: true
}
I have a similar setup on CodePipeline/CodeBuild using a similar role, and there it is working.
ecr-public is only available in us-east-1.
Oh, I see, thanks. It confused me because I have a repository in the Singapore region.
A CodeCommit repository? The ecr-public registries are reachable from any region, but you have to use the us-east-1 endpoint to retrieve your token to authenticate.
https://stackoverflow.com/questions/69274998/could-not-connect-to-the-endpoint-url-https-api-ecr-public-xxxxxxxxx-amazona
An ECR repository.
I see, many thanks for the clarification.
I solved the problem by doing the following. Thank you.
https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-931012696 https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-931272443
I blogged in Japanese.
https://dev.classmethod.jp/articles/github-actions-configure-aws-credentials-oidc/
I tried to use ExternalId and got an error: Error: Unexpected key 'ExternalId' found in params
Can I use ExternalId with an OIDC provider?
No.
You cannot use ExternalId with AssumeRoleWithWebIdentity (API docs). What may suffice is to have your trust policy conditioned on the "sub" claim, as shown here:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}
This claim is set by GitHub and cannot be changed by the user, so you can trust it to indicate the source. It's not quite the same as ExternalId; in particular, it doesn't fully solve the confused deputy problem, because there's no way to check if the role you're assuming has such a condition or not.
https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-931805471 worked for me.
My action.yml file has an error for the id-token. It's configured like this:
jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      id-token: write
id-token is underlined with a red line, and the message states: Unknown Key
@chris3ware Just checked, and the web editor does this to mine as well, which works. It looks like GitHub just hasn't updated their validation in the editor.
@richardhboyd ok, I saw your last commit yesterday, so I have tried using aws-actions/configure-aws-credentials@master, sigstore as the audience, and adding the permissions suggested by @androidwiltron, and it is working. I think we should implement (2).
EDIT: minor correction in the permissions, since I am using semantic-release:
permissions:
  id-token: write
  contents: write
I tried it but got: Error: No OpenIDConnect provider found in your account for https://token.actions.githubusercontent.com
It seems it's now looking for https://token.actions.githubusercontent.com instead of https://vstoken.actions.githubusercontent.com.
So I created a new OIDC provider in IAM (and updated the trust policies as needed) and it worked (together with @master and the id-token permission, not sure which of them did the trick).
When will this feature be released (as it is implemented now on the master branch)? Are you waiting for GitHub to go GA with their workload OIDC?
Thanks a ton, @dyoshikawa. Your blog saved my day.
Seems there are more issues with master. I'm using a token like:
permissions:
  id-token: write
  contents: write
And an IAM provider like:
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = [ "sigstore" ]
  thumbprint_list = [ "a031c46782e6e6c662c2c87c76da9aa62ccabd8e" ]
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    sid     = "GrantGithubActionsAccess"
    effect  = "Allow"
    actions = [ "sts:AssumeRoleWithWebIdentity" ]

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [ "repo:REDACTED:*" ]
    }

    principals {
      type        = "Federated"
      identifiers = [ aws_iam_openid_connect_provider.github.id ]
    }
  }
}
This was working a few days ago. Now it errors with Incorrect token audience.
Has something changed in GitHub Actions itself?
EDIT: Fixed with https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-947983135
@ahawkins change client_id_list = [ "sigstore" ] to client_id_list = [ "sts.amazonaws.com" ]
@bryantbiggs Thank you! <3 That fixed it. Probably a good thing to call out in the docs related to #284 in a migration from v2 to v3.
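The ExternalId answer above (trust the GitHub-set `sub` claim via a StringLike condition) and the audience fix just before this (`sigstore` vs `sts.amazonaws.com`) are two halves of the same evaluation. The block below is an added example, not AWS's evaluation code, not the action's, and not from any poster: it simulates the checks STS applies when a GitHub token is presented to AssumeRoleWithWebIdentity against the provider and trust policy used in this thread. The issuer must belong to a registered OIDC provider, `aud` must appear in the provider's audience (client ID) list, and `sub` must satisfy the role's StringLike condition. Tokens are constructed and unsigned; signature verification is left out, and the `sub` formats `repo:ORG/REPO:ref:refs/heads/<branch>` and `repo:ORG/REPO:pull_request` are GitHub's. The scenarios reproduce the thread's "Incorrect token audience" and "No OpenIDConnect provider found" failures and also show why the colon before the `*` in `repo:ORG/REPO:*` matters.

```javascript
// Added example, not AWS's or the action's code: simulate what STS checks when a
// GitHub Actions token is presented to AssumeRoleWithWebIdentity against the
// provider + trust policy used in this thread. Tokens below are constructed and
// unsigned; signature verification is deliberately left out of the simulation.

// Constructed test token: JWT-shaped, alg "none", placeholder signature.
function makeUnsignedToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.sig`;
}

function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// IAM StringLike semantics: '*' matches any run of characters, '?' exactly one,
// everything else literal and case-sensitive.
function stringLike(pattern, value) {
  const body = pattern.split('').map((ch) => {
    if (ch === '*') return '.*';
    if (ch === '?') return '.';
    return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }).join('');
  return new RegExp(`^${body}$`).test(value);
}

// provider mirrors aws_iam_openid_connect_provider (url + client_id_list);
// trust mirrors the StringLike condition on "<issuer-host>:sub".
function evaluateAssumeRoleWithWebIdentity(jwt, provider, trust, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(jwt);
  if (typeof c.exp === 'number' && c.exp <= nowSeconds) {
    return { allowed: false, reason: 'ExpiredToken' };
  }
  // The provider is located by issuer, so a token from another issuer (e.g. the
  // old vstoken host) has no matching provider at all.
  if (c.iss !== provider.url) {
    return { allowed: false, reason: `No OpenIDConnect provider found in your account for ${c.iss}` };
  }
  // aud may be a string or an array; at least one value must be a registered audience.
  const audiences = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!audiences.some((a) => provider.clientIdList.includes(a))) {
    return { allowed: false, reason: 'Incorrect token audience' };
  }
  // Multiple values in one StringLike condition are OR-ed.
  if (!trust.subPatterns.some((p) => stringLike(p, c.sub))) {
    return { allowed: false, reason: 'AccessDenied: sub does not match the trust policy' }; // wording is ours
  }
  return { allowed: true, sub: c.sub };
}

// The thread's final setup: token.actions.githubusercontent.com issuer, sts.amazonaws.com audience.
const PROVIDER = { url: 'https://token.actions.githubusercontent.com', clientIdList: ['sts.amazonaws.com'] };
const TRUST = { subPatterns: ['repo:ORG/REPO:*'] };

// Scenarios from the thread plus two on how the sub pattern behaves. All claims are constructed.
function runScenarios() {
  const now = Math.floor(Date.now() / 1000);
  const base = { iss: PROVIDER.url, aud: 'sts.amazonaws.com', sub: 'repo:ORG/REPO:ref:refs/heads/master', exp: now + 300 };
  const ev = (claims, trust = TRUST) => evaluateAssumeRoleWithWebIdentity(makeUnsignedToken(claims), PROVIDER, trust, now);
  return {
    pushToMaster: ev(base),
    pullRequest: ev({ ...base, sub: 'repo:ORG/REPO:pull_request' }),            // also admitted by "repo:ORG/REPO:*"
    sigstoreAudience: ev({ ...base, aud: 'sigstore' }),                          // the thread's "Incorrect token audience"
    vstokenIssuer: ev({ ...base, iss: 'https://vstoken.actions.githubusercontent.com' }),
    expired: ev({ ...base, exp: now - 1 }),
    otherRepo: ev({ ...base, sub: 'repo:SOMEONE/ELSE:ref:refs/heads/master' }),
    siblingRepoWithPrefix: ev({ ...base, sub: 'repo:ORG/REPO-fork:ref:refs/heads/master' }),
    siblingRepoSloppyPattern: ev({ ...base, sub: 'repo:ORG/REPO-fork:ref:refs/heads/master' }, { subPatterns: ['repo:ORG/REPO*'] }),
  };
}
```

Two things the scenarios make visible: `repo:ORG/REPO:*` admits every workflow run in the repository (any branch, any pull_request run), so a role that deploys should usually be narrowed to `repo:ORG/REPO:ref:refs/heads/master` or an `environment:` sub; and dropping the colon (`repo:ORG/REPO*`) quietly admits any other repository in the organization whose name starts with `REPO`.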
Hi guys,
Still getting this error; my trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::00000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
        }
      }
    }
  ]
}
And my GitHub action:
jobs:
  deploy:
    name: Build and deploy backend
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.REGION }}
          role-to-assume: arn:aws:iam::00000000000:role/git-action-deployment-user
          role-session-name: GithubActionDeployment
      ...
And the identity provider audiences are:
sts.amazonaws.com
https://github.com/ORG/REPO
Getting the error:
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
EDIT: Never mind, I got it working using aws-actions/configure-aws-credentials@master.
GitHub have now formally released OpenID Connect:
- https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/ and
- https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
So it would be good to have a new release version now, which saves having to use @master or @shaXYZ.
This is awesome! Whoever is watching, thank you all for this effort; it really cleans up a lot of the manual overhead of managing static creds for CI/CD processes 🙌🏽 ❤️
I just got this working (thanks to everyone in this ticket for help!) and it really is awesome.