
Instance profile assume Role issue

Open abhisharma-mcd opened this issue 2 years ago • 2 comments

Hi, I'm using this action in a workflow which is running on a self-hosted runner. The runner is configured on an AWS EC2 instance which has an instance profile attached. When I run the workflow, I'm getting the below issue:

image

As you can see, the instance profile that is attached to the runner server is trying to assume the role that is passed to the action, instead of the Access and Secret key of the user.

Below is the workflow code:

name: 'est worklfow'
on: 
  workflow_dispatch:
jobs: 
  test-job:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v1
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY_ID }}
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::111111111111:role/TEST_ROLE
          role-duration-seconds: 1200
          role-skip-session-tagging: true
      
      - name: Check S3 access
        run: aws s3 ls

Any idea why it is happening and how to fix it?

abhisharma-mcd avatar Feb 09 '22 12:02 abhisharma-mcd

I've been seeing this intermittently also, but not sure why

abatilo avatar Feb 11 '22 03:02 abatilo

I'm having the same issue. Could the aws-access-key-id have precedence over the IAM role?

dnascimento avatar Oct 05 '22 04:10 dnascimento

Hey @abhisharma-mcd, try setting the correct permissions for the job: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings

This fixed this issue for me

YorickH avatar Nov 22 '22 07:11 YorickH

It appears the workflow code pasted and the screenshot differ in terms of configuration. Is this being attempted with OIDC, or with regular AssumeRole?

peterwoodworth avatar May 11 '23 23:05 peterwoodworth
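
Added example (not part of the thread, and not the action's own code): one way to settle which credential source actually called STS for the role is to classify the CloudTrail records for it. The records below are constructed; `runner-profile-role`, `ci-user` and the instance ID are placeholders, and the role ARN is the one from the workflow above.

```python
# Constructed CloudTrail records for illustration; not taken from the issue.
ROLE = "arn:aws:iam::111111111111:role/TEST_ROLE"  # role ARN from the workflow
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:"
                      "assumed-role/runner-profile-role/i-0123456789abcdef0"},
     "requestParameters": {"roleArn": ROLE}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/ci-user"},
     "requestParameters": {"roleArn": ROLE}},
    {"eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser"},
     "requestParameters": {"roleArn": ROLE}},
    {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
]

def classify_caller(event):
    """Return the credential source behind an STS role-assumption call."""
    name = event.get("eventName")
    if name not in ("AssumeRole", "AssumeRoleWithWebIdentity"):
        return None  # not a role-assumption event
    ident = event.get("userIdentity") or {}
    if name == "AssumeRoleWithWebIdentity" or ident.get("type") == "WebIdentityUser":
        return "oidc"
    if ident.get("type") == "IAMUser":
        return "iam-user-keys"
    if ident.get("type") == "AssumedRole":
        # Instance-profile sessions are named after the EC2 instance ID.
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        return "ec2-instance-profile" if session.startswith("i-") else "other-role-session"
    return "unknown"

def summarize(events, target_role_arn):
    """List (credential source, outcome) for each attempt to assume the role."""
    results = []
    for ev in events:
        source = classify_caller(ev)
        role = (ev.get("requestParameters") or {}).get("roleArn")
        if source is None or role != target_role_arn:
            continue
        results.append((source, ev.get("errorCode", "ok")))
    return results

if __name__ == "__main__":
    for source, outcome in summarize(SAMPLE_EVENTS, ROLE):
        print(f"{source:22} {outcome}")
```

An `ec2-instance-profile` row with `AccessDenied` matches the symptom reported in the opening post; an `oidc` row means the web-identity path was taken.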

If you have this part in your job,

permissions:
  id-token: write

GH Actions runners think that you are using OIDC (even if it is not true) and you cannot assume a role.

Fix - remove "permissions for token"

shulyakav avatar May 12 '23 02:05 shulyakav

This action shouldn't attempt to use OIDC if you have properly set up your inputs: https://github.com/aws-actions/configure-aws-credentials#assuming-a-role

peterwoodworth avatar May 12 '23 02:05 peterwoodworth

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

github-actions[bot] avatar May 17 '23 04:05 github-actions[bot]