configure-aws-credentials
Assume Role with OIDC with more than 1 hour
Hi,
I am using OIDC provider to assume a role with maximum duration set to 8 hours. I use role-duration-seconds: 21600 but the credentials expire after 1 hour.
Is it limited to 1 hour?
This seems like a bug on GitHub's end.
A simple repro is something like this:
```yaml
- uses: aws-actions/configure-aws-credentials@v1
  with:
    region: ***
    role-to-assume: arn:aws:iam::***:role/***   # account id and role name redacted
- run: aws sts get-caller-identity
- run: sleep 61m
- run: aws sts get-caller-identity
```
The second call will fail with ExpiredToken.
You can also observe that trying to refresh credentials results in the exact same credentials being given back, e.g. with AWS.jl:
```julia
using AWS
config = global_aws_config()
@show config.credentials.expiry   # expiry of the credentials the action exported
sleep(5)
# ask the SDK to refresh; with the GitHub provider this hands back the same credentials
check_credentials(config.credentials; force_refresh=true)
@show config.credentials.expiry
```
In an EKS K8s pod with IAM roles via service accounts, the expiry will be updated, as it actually gets new credentials from the EKS provider. Running the same code in an Action where the credentials come from the GH provider results in no new credentials, even after they've expired.
After some further investigation, I think I know the root cause: this action sets credentials as environment variables, and doesn't leave any breadcrumbs for SDKs in future steps to refresh them. When assuming a role via OIDC, it should be saving the WebIdentity token and exporting its path as AWS_WEB_IDENTITY_TOKEN_FILE. Then, SDKs can fetch credentials and refresh them properly using that file.
Barring error handling/setting the value as secret/properly exporting the variable to future steps, actually getting the token is just:
```bash
export AWS_ROLE_ARN="arn:aws:iam::$AWS_ACCOUNT:role/$AWS_ROLE" # set $AWS_ACCOUNT and $AWS_ROLE yourself
export AWS_WEB_IDENTITY_TOKEN_FILE="$(mktemp)"
# request a GitHub OIDC token for the STS audience and store it where the SDKs look for it
curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value > "$AWS_WEB_IDENTITY_TOKEN_FILE"
```
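To see what a later step's SDK would actually pick up, here is an added diagnostic (not part of the action or of this thread) that inspects the environment the way the SDK credential chain does: static AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY take precedence over AWS_WEB_IDENTITY_TOKEN_FILE (botocore's provider order), so the token file only enables refresh when the static variables are absent and the OIDC token is still valid. The JWT and token file are constructed for the demo, and the token is decoded without signature verification, for inspection only.

```python
import base64
import json
import os
import tempfile
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(exp: int) -> str:
    """Constructed, unsigned JWT shaped like a GitHub OIDC token (demo only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": "sts.amazonaws.com", "exp": exp}).encode())
    return f"{header}.{payload}."


def write_demo_token_file(exp: int) -> str:
    """Write a constructed token to a temp file, like AWS_WEB_IDENTITY_TOKEN_FILE."""
    fd, path = tempfile.mkstemp(prefix="oidc-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write(make_demo_token(exp))
    return path


def token_exp(token: str) -> int:
    """Read the exp claim; no signature check, so use for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def diagnose(env: dict, now=None) -> dict:
    """Report which credential source an SDK in this env would use and whether it can refresh."""
    now = int(time.time()) if now is None else now
    static = all(k in env for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"))
    web_identity = "AWS_WEB_IDENTITY_TOKEN_FILE" in env and "AWS_ROLE_ARN" in env
    result = {"source": "none", "refreshable": False, "token_seconds_left": None, "warnings": []}
    if static:  # env provider comes first in the chain, so it shadows the token file
        result["source"] = "static-env"
        result["warnings"].append("static env credentials cannot be refreshed by the SDK")
        if web_identity:
            result["warnings"].append("AWS_WEB_IDENTITY_TOKEN_FILE is shadowed by static env credentials")
        return result
    if web_identity:
        result["source"] = "web-identity"
        with open(env["AWS_WEB_IDENTITY_TOKEN_FILE"]) as fh:
            left = token_exp(fh.read().strip()) - now
        result["token_seconds_left"] = left
        result["refreshable"] = left > 0  # STS rejects an expired OIDC token
        if left <= 0:
            result["warnings"].append("OIDC token expired; request a new one before the SDK can refresh")
    return result
```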
Ha, just realized that the default session duration for OIDC is 1 hour not 6, it's right in the README. So just make sure your role has a long max session duration and then set role-session-duration in this action and you can have the session last more than an hour. The credentials still won't refresh though.
edit: oops, just re-read the original issue contents, looks like you've already done that
I'm not able to reproduce this even when using the simple sleep 61m repro. I recommend double checking that your role itself has a higher maximum duration than 1 hour, and that you've correctly set the inputs for this action.
Thanks for creating #359 @christopher-dG, it may be the source of the issue. Think we can close this and track that issue instead. If anyone has any reason to believe these are separate issues, ping me and I can look into it