github actions S3 sync --exclude "*" does not work when authenticated with OIDC

Open guangyitan opened this issue 1 month ago • 3 comments

Describe the bug

name: (Reusable) Deploy Website to S3 + CloudFront with OIDC

on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string

jobs:
  deploy:
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # Required for OIDC
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Upload files to S3
        # '>' folds these lines into one command line only while they share
        # the same indent; more-indented continuation lines keep their newlines,
        # so the shell would run "--delete", "--exclude" ... as separate commands
        # instead of passing them as arguments to aws s3 sync.
        run: >
          aws s3 sync ./ ${{ vars.S3_PATH }}
          --delete
          --exclude "*"
          --include "css/*"
          --include "font/*"
          --include "icons/*"
          --include "images/*"
          --include "js/*"
          --include "robots.txt"
          --include "sitemap.xml"
          --include "404.html"
          --include "index.html"
          --include "privacy-policy.html"
          --include "terms-and-conditions.html"
          --include "terms-of-use.html"

      - name: Invalidate CloudFront cache
        run: |
          aws cloudfront create-invalidation \
            --distribution-id ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }} \
            --paths "/*"

The --exclude "*" did not work when I tried authenticating with OIDC. However, it works fine when using an IAM access key.

Regression Issue

  • [ ] Select this option if this issue appears to be a regression.

Expected Behavior

The --exclude "*" should exclude all files and folders; then the --include flags help decide what needs to be synced.

Current Behavior

The --exclude "*" did not work when I tried authenticating with OIDC. However, it works fine when using an IAM access key.

Reproduction Steps

Connect GitHub to AWS using OIDC, then trigger the GitHub job above.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.31.25 Python/3.13.9 Linux/6.11.0-1018-azure exe/x86_64.ubuntu.24

Environment details (OS name and version, etc.)

Ubuntu 24.04.3 LTS

guangyitan, Nov 06 '25 16:11
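To check what the exclude-all-then-include list in the workflow above actually selects before running the sync, here is an added simulation of the CLI's filter rules (filters tested in command-line order against the full source path with fnmatch, last matching filter wins); this is example code written for this page, not part of the issue or of the AWS CLI, and the checkout file list and the /work source directory are constructed.

```python
import fnmatch
import os
from typing import Iterable, List, Tuple

# (kind, pattern) pairs in command-line order, e.g. ("exclude", "*").
Filter = Tuple[str, str]

# The filter list from the workflow in the issue, in the same order.
WORKFLOW_FILTERS: List[Filter] = [("exclude", "*")] + [
    ("include", p) for p in (
        "css/*", "font/*", "icons/*", "images/*", "js/*", "robots.txt",
        "sitemap.xml", "404.html", "index.html", "privacy-policy.html",
        "terms-and-conditions.html", "terms-of-use.html",
    )
]

# Constructed (hypothetical) sample of what a checkout of the repo might contain.
SAMPLE_CHECKOUT = [
    ".git/config", ".github/workflows/deploy.yml", "README.md",
    "css/site.css", "images/logo/dark.png", "js/app.js",
    "index.html", "404.html", "admin/index.html", "notes.txt",
]


def is_synced(rel_path: str, filters: Iterable[Filter], src: str = "/work") -> bool:
    """Mimic aws s3 sync filter evaluation: every file starts as included,
    each --exclude/--include is tested in order against the full source path
    (pattern joined to the source directory), and the last matching filter wins.
    '*' is an fnmatch wildcard, so it also crosses '/' (css/* matches css/a/b.css)."""
    full = os.path.join(src, rel_path)
    included = True
    for kind, pattern in filters:
        if fnmatch.fnmatch(full, os.path.join(src, pattern)):
            included = kind == "include"
    return included


def plan(files: Iterable[str], filters: Iterable[Filter]) -> List[str]:
    """Return the sorted list of files the sync would upload."""
    flt = list(filters)
    return sorted(f for f in files if is_synced(f, flt))


if __name__ == "__main__":
    print("with --exclude '*':   ", plan(SAMPLE_CHECKOUT, WORKFLOW_FILTERS))
    # If the leading exclude-all never reaches the CLI, every file in the
    # checkout, .git and workflow files included, is uploaded.
    print("without --exclude '*':", plan(SAMPLE_CHECKOUT, WORKFLOW_FILTERS[1:]))
```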

Hello @guangyitan, thanks for reaching out. Can you provide the full debug logs by adding --debug for using OIDC and for using IAM? Please redact any sensitive and security information. Thank you.

adev-code, Nov 11 '25 23:11

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

github-actions[bot], Nov 22 '25 00:11

Hi @adev-code, sorry, I'm new to GitHub Actions; in particular, where should I add --debug?

Thanks!

guangyitan, Nov 23 '25 12:11