configure-aws-credentials
Action fails if `environment` is set
Hi,
When `environment` is set for a job that uses the `aws-actions/configure-aws-credentials` action, it fails with the following error:
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity
The exact same job without an environment set works correctly. My best guess is that adding `environment` seems to somehow change the `sub` on the token?
Steps to reproduce:

- Create identity provider in AWS and a role; in my case the trust policy of the role looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAllValues:StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "ForAllValues:StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:myorganization/*:ref:refs/heads/*"
        }
      }
    }
  ]
}
```

- Paste the role's ARN as the `AWS_OIDC_IAM_ROLE_ARN` secret in the repository
- Push to the `main` branch of the repository
This is the workflow:

```yaml
name: Test OIDC
on:
  push:
    branches:
      - main
jobs:
  withoutenv:
    name: Without environment set
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Credentials 1
        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # v1.6.1
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
          aws-region: eu-west-2
  withenv:
    name: With environment set
    runs-on: ubuntu-latest
    environment: dev
    permissions:
      id-token: write
    steps:
      - name: Credentials 2
        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # v1.6.1
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
          aws-region: eu-west-2
```
Note that the jobs only differ in that the second one specifies the environment (`dev`). The first job is successful, the second one fails after retrying for ~2 minutes with the error: "Error: Not authorized to perform sts:AssumeRoleWithWebIdentity".

Not sure if there's a way in AWS to debug what the exact `sub` is that it sends on the second try?
Aha, I've run into exactly the same issue, has anyone managed to find what the issue is with using environments with this action?
The token that you get when calling `core.getIDToken('sts.amazonaws.com');` will look different when using environments, so I don't think it's fixable from here.

To support environments you can update your trust policy on the role to assume to have a `sub` field that looks like this:

`"repo:${ github user }/${ repository }:environment:${ environment name }"`
Example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:jberglinds/example-repo:environment:Production"
          ]
        }
      }
    }
  ]
}
```
It also supports wildcards, and since it's a list you can easily support both refs and environments at the same time.
@jberglinds thank you very much for your answer, sorry for the long silence. Unfortunately it doesn't really seem to work; I tried with a wildcard, but I still get the same error. My (very permissive for the sake of testing) trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAllValues:StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:MyOrg/*:ref:refs/heads/*:environment:*"
        },
        "ForAllValues:StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

... yields the same error.
@jkondratowicz You don't want both refs and environments in the same string as that will never match. If you need both refs and environments, try splitting it up using a list like in my example.
The `sub` needs to be different if an environment is set, as @jberglinds has been so helpful to explain and provide examples for. See the GitHub docs on subject claims; specifically, the claim for branches says this:

> The subject claim includes the branch name of the workflow, but only if the job doesn't reference an environment

You can view the definition for environments in the docs linked above; it says the same as what has been discussed in this thread 🙂
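The reason the combined pattern never matches, and the split list does, can be checked offline. The following is an added example (not code from this issue or from the action) that evaluates IAM `StringLike` wildcard patterns against constructed `sub` claims shaped like the two formats discussed above; the org, repo, branch and environment names are made up, and the matcher assumes IAM's documented `*` / `?` semantics with case-sensitive comparison.

```python
import re

# Constructed sample sub claims, modelled on the two formats discussed
# in the thread (values are invented for this example):
#   branch job:      repo:<org>/<repo>:ref:refs/heads/<branch>
#   environment job: repo:<org>/<repo>:environment:<environment name>
SUB_BRANCH_JOB = "repo:MyOrg/example-repo:ref:refs/heads/main"
SUB_ENV_JOB = "repo:MyOrg/example-repo:environment:dev"


def string_like(pattern: str, value: str) -> bool:
    """Evaluate one IAM StringLike pattern: '*' matches any run of
    characters, '?' matches exactly one; matching is case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def sub_condition_allows(sub_patterns, token_sub: str) -> bool:
    """A StringLike condition on the single-valued sub key passes when
    the token's sub matches any pattern in the list (a bare string is
    treated as a one-element list)."""
    if isinstance(sub_patterns, str):
        sub_patterns = [sub_patterns]
    return any(string_like(p, token_sub) for p in sub_patterns)


# Pattern from the thread that put ref and environment in one string:
COMBINED = "repo:MyOrg/*:ref:refs/heads/*:environment:*"
# One pattern per job shape, as recommended in the thread:
SPLIT = [
    "repo:MyOrg/*:ref:refs/heads/*",
    "repo:MyOrg/*:environment:*",
]


def evaluate() -> dict:
    """Return which sample sub claim each policy variant admits."""
    return {
        "combined_branch": sub_condition_allows(COMBINED, SUB_BRANCH_JOB),
        "combined_env": sub_condition_allows(COMBINED, SUB_ENV_JOB),
        "split_branch": sub_condition_allows(SPLIT, SUB_BRANCH_JOB),
        "split_env": sub_condition_allows(SPLIT, SUB_ENV_JOB),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The combined pattern denies both job shapes because a token carries either the `ref` segment or the `environment` segment, never both in one `sub`.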