configure-aws-credentials
Assume role throws an unauthorized error and it shouldn't
Issue
When I add the role-to-assume arg in my step for aws-actions/configure-aws-credentials@v1, I get the following error:
Error: User: arn:aws:iam::***:user/[IAMUSERNAME] is not authorized to perform: sts:TagSession on resource: ***
but I have not passed it a session name to use, which based on the CLI output is required. I tried adding in the session name and got the same error.
Reproduction steps
Use the following commands in a github pipeline to reproduce issue:
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.APPID }}
    aws-secret-access-key: ${{ secrets.APPSECRET }}
    aws-region: ${{ secrets.REGION }}
    role-session-name: GitHubPipeline
    role-to-assume: ${{ secrets.DEV_ROLE }}
To prove that it's not a permission issue:
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.APPID }}
    aws-secret-access-key: ${{ secrets.APPSECRET }}
    aws-region: ${{ secrets.REGION }}
- name: Debug
  run: |
    aws sts assume-role --role-arn ${{ secrets.DEV_ROLE }} --role-session-name GitHubPipeline
Hello everyone,
I am facing the same issue, is there any news about it?
I want to add that when I add the role-skip-session-tagging: true, I reach a timeout.
Have a nice day
Hi. Was facing the same issue and fixed it. Check this answer https://stackoverflow.com/a/70011629/4116593 and its comments. Steps to fix:
- Trust Relationship on role that is being assumed
- Set role-duration-seconds: 1200 if you run into: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
Thanks @SergeyKubrak for helping out here, you're exactly right. The role needs to have sts:TagSession in its trust relationships.
If this doesn't fix the issue for anyone, let me know. Thanks!
Can we please revisit this error because I'm experiencing this exact problem using v2. I've added the sts:TagSession on the role but to no avail.
I don’t know wtf this is please take me off I do not know what GitHub is. I’ve been hacked
On Wed, May 10, 2023 at 3:02 AM, Adrian Ng @.***> wrote:
Can we please revisit this error because I'm experiencing this exact problem using v2. I've added the sts:TagSession on the role but to no avail.
Hi @Blacknight1260. As I've mentioned before, please take these concerns to AWS Support. We are unable to help you for these specific things over GitHub.
If you are having trouble with GitHub as a platform, you need to reach out to GitHub. If you need to unsubscribe from a GitHub thread, you will find your subscription settings at https://github.com/settings/notifications
Can we please revisit this error because I'm experiencing this exact problem using v2. I've added the sts:TagSession on the role but to no avail.
Apologies for this, I stupidly put that permission on the trust policy not on the policy to assume the role.
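The thread places the missing sts:TagSession on two different documents: the role's trust policy in one case, the caller's own policy in another. The following is an added example, not code from the thread or from the action's project, that checks both documents for both actions. The policies, account ID and names are constructed placeholders, and the check is deliberately simplified: it matches Action patterns in Allow statements only and ignores Condition, Principal, Resource, NotAction and explicit Deny.

```python
import fnmatch

# Actions needed when the AssumeRole call also passes session tags.
REQUIRED = ("sts:AssumeRole", "sts:TagSession")

def _as_list(value):
    """IAM JSON allows a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, required=REQUIRED):
    """Return the subset of `required` granted by some Allow statement."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in required:
                # Action names are case-insensitive and may use * and ?.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted

def missing_for_tagged_assume(trust_policy, caller_policy):
    """Report, per document, which required actions are not allowed."""
    return {
        "trust_policy": sorted(set(REQUIRED) - allowed_actions(trust_policy)),
        "caller_policy": sorted(set(REQUIRED) - allowed_actions(caller_policy)),
    }

# Constructed sample: trust policy on the role being assumed.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ci-user"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
}]}

# Constructed sample: identity policy attached to the calling IAM user.
CALLER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/dev-role",
}]}

if __name__ == "__main__":
    print(missing_for_tagged_assume(TRUST, CALLER))
```

With these samples the trust policy is complete and the caller's policy lacks sts:TagSession, the situation described in the last comment.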