configure-aws-credentials

Using OIDC with self-hosted AWS EC2 instance

Open peterkuiper opened this issue 2 years ago • 2 comments

I am trying to use OIDC with self-hosted AWS EC2 instances. The instances have an instance profile attached which is causing issues when configuring credentials. The role attached is being used instead of using ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL when trying to assume the role (which of course fails). Is there a way to step down the role on the EC2 instance or force this action to ignore the credentials provided by AWS to the EC2 instance?

OIDC works fine on GitHub-hosted runners but not on my self-hosted ones. I am using the https://github.com/philips-labs/terraform-aws-github-runner terraform module.

peterkuiper avatar Jun 08 '22 07:06 peterkuiper

Does your GitHub workflow have the id-token: write permission?

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings

If your workflow doesn't have this permission, no token is present during the workflow run and the action will use credentials present from the environment.

jferris avatar Jun 08 '22 17:06 jferris

Hello, I'm having the same issue here and I have the parameter added to the workflow:

```yaml
permissions:
  id-token: write
  contents: read
```

bicefalo avatar Jun 13 '22 17:06 bicefalo

@bicefalo ☝🏼 look at @jferris's note.

igorcosta avatar Aug 23 '22 02:08 igorcosta

Yes, I saw it, but that was not my problem; my problem was with the trust policy I was adding to the role to assume. After fixing it, everything went smoothly.

bicefalo avatar Aug 23 '22 02:08 bicefalo

Hi guys, I'm having the same issue. I have checked my permissions on the workflow and they are as follows:

```yaml
permissions:
  id-token: write
  contents: read
```

@bicefalo what policy did you change?

adamlowery01 avatar Sep 09 '22 09:09 adamlowery01

Here, in the `StringLike` condition, I was specifying a specific repository instead of the entire organization; obviously, that is going to depend on your needs.

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:<organization>/*"
}
```

bicefalo avatar Sep 09 '22 13:09 bicefalo
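The fix above hinges on how IAM evaluates the `sub` condition in the role's trust policy: `StringLike` treats `*` as a wildcard, while `StringEquals` compares the pattern literally, so a wildcard under `StringEquals` never matches and `AssumeRoleWithWebIdentity` fails even though the workflow has `id-token: write`. The following is an added example, not code from this issue, from configure-aws-credentials or from AWS: a small Python model of that evaluation run against the claims GitHub places in the OIDC token. The account ID `123456789012`, the organization `example-org`, the repository names and the trust-policy JSON are constructed for the example; the claim shape (`repo:ORG/REPO:ref:refs/heads/BRANCH`) and the audience `sts.amazonaws.com` are GitHub's token format and the action's default audience.

```python
import copy
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Constructed trust policy modelled on the fragment posted in the thread:
# an org-wide StringLike on the sub claim plus an exact audience check.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:example-org/*"
        }
      }
    }
  ]
}
""")


def _iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one;
    the comparison is case-sensitive and must cover the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_allows(condition, claims):
    """Every operator/key pair in the Condition block must hold; the value of a key
    lists alternatives, any one of which may match."""
    for operator, entries in condition.items():
        for key, patterns in entries.items():
            claim = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
            value = claims.get(claim)
            if value is None:
                return False
            if operator == "StringEquals":
                ok = any(value == p for p in _as_list(patterns))  # no wildcard expansion
            elif operator == "StringLike":
                ok = any(_iam_like(p, value) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def policy_allows(policy, claims):
    """True if any Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
        and condition_allows(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"]
    )


def github_claims(org, repo, ref="refs/heads/main", aud="sts.amazonaws.com"):
    """Claims GitHub issues for a branch push (constructed values for org/repo)."""
    return {"aud": aud, "sub": f"repo:{org}/{repo}:ref:{ref}"}


def with_sub_condition(policy, operator, pattern):
    """Copy of the policy with its sub condition replaced by operator/pattern."""
    p = copy.deepcopy(policy)
    cond = p["Statement"][0]["Condition"]
    for op in list(cond):
        cond[op].pop(f"{ISSUER}:sub", None)
        if not cond[op]:
            del cond[op]
    cond.setdefault(operator, {})[f"{ISSUER}:sub"] = pattern
    return p


if __name__ == "__main__":
    org_wide = TRUST_POLICY
    literal_star = with_sub_condition(TRUST_POLICY, "StringEquals", "repo:example-org/*")
    one_branch = with_sub_condition(
        TRUST_POLICY, "StringEquals", "repo:example-org/deploy:ref:refs/heads/main")
    print("org-wide, any repo in org:  ", policy_allows(org_wide, github_claims("example-org", "any-repo")))
    print("org-wide, other org:        ", policy_allows(org_wide, github_claims("other-org", "any-repo")))
    print("StringEquals with '*':      ", policy_allows(literal_star, github_claims("example-org", "deploy")))
    print("one branch, main:           ", policy_allows(one_branch, github_claims("example-org", "deploy")))
    print("one branch, feature branch: ", policy_allows(one_branch, github_claims("example-org", "deploy", "refs/heads/feature")))
```

The org-wide `repo:<org>/*` pattern from the thread lets any repository in the organization, on any branch, pull request or environment, assume the role; if the role carries deployment permissions, prefer an exact `StringEquals` on a single repository and branch (or environment) as in the `one_branch` variant, and keep the `aud` condition so a token minted for another audience cannot be replayed against this role. The model does not cover the other failure mode in the thread: when `id-token: write` is missing, no token is requested at all and the action silently uses the instance profile's credentials on a self-hosted runner.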

This issue seems to be resolved. Please ping me or open a new issue with both the workflow file used and the error message if you are still encountering this error. Thanks!

peterwoodworth avatar Oct 10 '22 23:10 peterwoodworth

⚠️Comment Visibility Warning⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Oct 10 '22 23:10 github-actions[bot]