
OIDC assume role policy conditions appear to be incorrect

Open 6rendon opened this issue 3 years ago • 0 comments

Description

When using the iam-assumable-role-with-oidc submodule (5.4.0), specifically with GitHub Actions and AWS, I noticed that my build was failing to authenticate with the following error:

Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

I have previously set up an OIDC provider with the same subject and audience before in the AWS console successfully. I noticed that the difference appears to be that the StringLike condition should be for the subjects and StringEquals should be for the audiences.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 5.4.0
  • Terraform version: v1.2.7
  • Provider version(s):
    • provider registry.terraform.io/hashicorp/aws v4.31.0
    • provider registry.terraform.io/hashicorp/tls v4.0.3

Reproduction Code

This is an example of a correct OIDC role trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:sub": "repo:organization/*:*"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

I have also tested changing the following lines directly in the module to match the above and got it to work that way as well:

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.4.0/modules/iam-assumable-role-with-oidc/main.tf#L36
https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.4.0/modules/iam-assumable-role-with-oidc/main.tf#L56

Steps to reproduce the behavior:

Declaring subjects and audiences in the module.

Expected behavior

Ability to authenticate with the OIDC provider.

Actual behavior

Authentication fails.

Terminal Output Screenshot(s)

https://imgur.com/HixRoLF

6rendon avatar Sep 23 '22 15:09 6rendon
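The rule the issue states (StringEquals for the audience, StringLike for the wildcarded subject) is easy to get backwards, and the failure is opaque, so it is worth checking mechanically before the role is applied. The following Python checker is an added example, not code from the issue or from the terraform-aws-iam module; the `lint_trust_policy` and `lint_trust_policy_json` names, the two sample policies and the `123456789012` account ID are constructed for illustration. Beyond the operator mix-up, it also flags an unpinned `aud` and a `sub` that is missing or covers a whole organisation, the two trust-policy mistakes that turn an OIDC role into a role any repository can assume.

```python
"""Lint an IAM role trust policy for an OIDC identity provider (GitHub Actions).

Added example, not the issue's or the module's own code. It encodes the rule
from the issue: the audience (aud) claim is pinned with StringEquals and the
subject (sub) claim, which usually needs a wildcard, goes under StringLike.
StringEquals compares literally, so a '*' under it never matches and the role
silently refuses every token.
"""
import json

ISSUER = "token.actions.githubusercontent.com"   # GitHub Actions OIDC issuer
SUB_KEY = f"{ISSUER}:sub"
AUD_KEY = f"{ISSUER}:aud"
EXACT_OPS = ("StringEquals", "StringEqualsIgnoreCase")


def _values(v):
    """IAM condition values may be a single string or a list of strings."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def lint_trust_policy(policy):
    """Return a list of findings (strings) for one parsed trust-policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if "sts:AssumeRoleWithWebIdentity" not in _values(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})

        # 1. A wildcard under an exact-match operator can never match anything.
        for op in EXACT_OPS:
            for key, vals in cond.get(op, {}).items():
                for val in _values(vals):
                    if "*" in val or "?" in val:
                        findings.append(
                            f"{op} on {key} holds wildcard {val!r}; "
                            "StringEquals is literal, use StringLike for patterns")

        # 2. The audience must be pinned exactly; otherwise a token minted for another
        #    consumer of the same issuer could be presented to this role.
        if not _values(cond.get("StringEquals", {}).get(AUD_KEY)):
            findings.append(f"{AUD_KEY} is not pinned with StringEquals")

        # 3. The subject must name a repository; without it every token from the
        #    issuer, i.e. every GitHub repository, could assume the role.
        sub_vals = (_values(cond.get("StringEquals", {}).get(SUB_KEY))
                    + _values(cond.get("StringLike", {}).get(SUB_KEY)))
        if not sub_vals:
            findings.append(f"no condition on {SUB_KEY}; any token from {ISSUER} is accepted")
        for val in sub_vals:
            parts = val.split(":")          # repo:<org>/<repo>:<ref or environment ...>
            if parts[0] != "repo" or len(parts) < 2 or not parts[1] or parts[1].startswith("*"):
                findings.append(f"{SUB_KEY} value {val!r} does not pin a repository")
            elif parts[1].endswith("/*"):
                findings.append(
                    f"{SUB_KEY} value {val!r} matches every repository under "
                    f"{parts[1][:-2]!r}; narrow it if only one repo should deploy")
    return findings


def lint_trust_policy_json(text):
    """Parse a trust policy from JSON text (a .json file or jsonencode() output) and lint it."""
    return lint_trust_policy(json.loads(text))


# Constructed sample 1: operators arranged as in the policy quoted in the issue
# (wildcarded sub under StringEquals, aud under StringLike). Account ID is a placeholder.
AS_POSTED_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:sub": "repo:organization/*:*"},
      "StringLike":   {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}
    }
  }]
}"""

# Constructed sample 2: aud pinned with StringEquals, sub pattern under StringLike,
# narrowed to one repository and one branch.
CORRECTED_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike":   {"token.actions.githubusercontent.com:sub": "repo:organization/my-repo:ref:refs/heads/main"}
    }
  }]
}"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED_JSON), ("corrected", CORRECTED_JSON)):
        print(f"{name}: {lint_trust_policy_json(text) or ['no findings']}")
```

Run against the first sample it reports three findings (wildcard under StringEquals, audience not pinned, subject covering the whole organisation); the second sample produces none. The same check can be pointed at the output of `terraform show -json` or at the role's `AssumeRolePolicyDocument` pulled from the account, so it catches the misconfiguration whichever way the policy was authored.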