configure-aws-credentials
Unable to use in reusable workflow: `Error: The security token included in the request is invalid.`
I have been trying to use this action in a reusable workflow. Whenever I try, I get `Error: The security token included in the request is invalid.`
My motivation for using the action in this way is to be able to run the same workflow on different accounts, depending on the circumstances, such as deploying `dev` on push, and `prod` manually.
Reproduction steps:
My called (reusable) workflow looks as follows:
```yaml
name: Deploy
on:
  workflow_call:
    inputs:
      aws-region:
        required: true
        type: string
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
jobs:
  test:
    name: Test-secrets
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.aws-region }}
```
And the caller workflow looks like:
```yaml
name: Continous Delivery
on: push
jobs:
  deploy-dev:
    name: Deploy Dev
    uses: ./.github/workflows/deploy.yml
    with:
      aws-region: eu-west-1
    secrets:
      AWS_ACCESS_KEY_ID: $${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
```
Expected behaviour
I expect the action to work as normal, like it does when used directly, i.e.
```yaml
name: Continous Delivery
on: push
jobs:
  test-directly:
    name: Test Directly on push
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
```
Using the action this way works just fine. That also confirms that it is not the secrets that are the issue...
Let me know if you need anything else! :)
@choffa Did you find a workaround? I am also facing this issue.
@choffa Please let me know if you find a workaround. I am having the same issue
@jim-hill-r @drey0143143 No, I was not able to find a good workaround for this issue. We decided to accept the duplication for now.
I was having a problem with Azure credentials which seems similar to the one above. I was able to solve it following the steps at the link below: https://colinsalmcorner.com/consuming-environment-secrets-in-reusable-workflows/
In short, it suggests having the credentials in an environment and passing the environment as a parameter by the caller workflow.
I'm facing the same issue
I suspect this would be due to existing credentials within the runner, or lack thereof. I'm not super experienced with reusable workflows, but I'd like it if the people running into this could check if their environment variables are populated at the time the configure-aws-credentials step runs.
If you upgrade to `v3`, there is now the `role-chaining` prop which helps avoid errors in some cases where the action is invoked multiple times. Alternately, there's the `unset-current-credentials` prop which clears AWS-related environment variables at the start of the step.
If there's no issue with inputs, and there's no unexpected environment variables in the runner, then I'm not sure why a composite action would be failing and would need to look more into it.
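The environment check requested in the comment above, written out as an added example that is not part of the thread or of the action's own code: it reports which AWS credential variables are present in a step's environment without printing their values. The variable list and the access-key-ID shape rule (16 to 128 characters matching `[\w]+`, the constraint given in the IAM API reference) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread or the action): report AWS credential
# variables in the current environment without ever printing their values.

# Assumption: the standard variable names read by the AWS SDKs and CLI.
AWS_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_REGION AWS_DEFAULT_REGION"

# key_id_shape VALUE -> "ok" or "unexpected".
# Assumption: IAM's documented constraint, 16-128 characters matching [\w]+.
key_id_shape() {
  case $1 in
    ''|*[!A-Za-z0-9_]*) echo unexpected; return 0 ;;
  esac
  if [ "${#1}" -ge 16 ] && [ "${#1}" -le 128 ]; then
    echo ok
  else
    echo unexpected
  fi
}

# describe_var NAME -> one status line: unset, empty, or set with its length.
describe_var() {
  name=$1
  # Only identifier characters may reach eval below.
  case $name in
    ''|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 1 ;;
  esac
  eval "is_set=\${$name+x}; val=\${$name-}"
  if [ -z "$is_set" ]; then
    echo "$name unset"
  elif [ -z "$val" ]; then
    echo "$name empty"
  elif [ "$name" = AWS_ACCESS_KEY_ID ]; then
    echo "$name set len=${#val} shape=$(key_id_shape "$val")"
  else
    echo "$name set len=${#val}"
  fi
}

# aws_env_report -> one line per variable in AWS_VARS.
aws_env_report() {
  for n in $AWS_VARS; do
    describe_var "$n"
  done
}

aws_env_report
```

Run it as a `run:` step immediately before `configure-aws-credentials`. GitHub Actions passes text outside `${{ }}` through literally, so a value written as `$${{ secrets.X }}` arrives with a leading `$` and is reported as `shape=unexpected` when that value is mapped to `AWS_ACCESS_KEY_ID` in the step's `env:`.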
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
The project where I faced this issue has since been cancelled, so I now have no way to test @peterwoodworth's suggestion.
In that case, please feel free to open a new issue if anyone encounters any problems on `v4`. Thanks!
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one.