docker-build-with-cache-action
Supplying AWS creds but still getting missing username warning
When running this action after the aws-actions/configure-aws-credentials action, the variables are set, but docker-build-with-cache-action doesn't seem to be detecting them. Possibly because I'm using OIDC login, so I'm not explicitly setting those variables?
uses: aws-actions/configure-aws-credentials@v4
with:
  role-to-assume: ${{ secrets.ECR_IAM_ROLE_TO_ASSUME }}
  aws-region: ap-southeast-2
Output:
Run whoan/docker-build-with-cache-action@v8
  with:
    registry: 224854405218.dkr.ecr.ap-southeast-2.amazonaws.com/delivereasy/core
    image_name: some-build
    image_tag: d75c5b8136235f61cc692f96c1e5b7914566a3c5
    services_regex: .+
    context: .
    dockerfile: Dockerfile
    push_image_and_stages: true
    push_git_tag: false
    pull_image_and_stages: true
  env:
    AWS_DEFAULT_REGION: ap-southeast-2
    AWS_REGION: ap-southeast-2
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
I'm also experiencing this - using OIDC. Did you ever find a fix for this?
I'll have to take a look as I have not tested this scenario. First of all, have you set id-token: write permission as mentioned in the OIDC docs?
NVM. Again, I'll have to take a look. Not much time lately, though.
Update:
Can someone please test this?
- uses: aws-actions/configure-aws-credentials@v4
  id: creds
  ...
- uses: whoan/docker-build-with-cache-action@v8
  with:
    username: "${{ steps.creds.outputs.aws-access-key-id }}"
    password: "${{ steps.creds.outputs.aws-secret-access-key }}"
    session: "${{ steps.creds.outputs.aws-session-token }}"
  ...
I've taken it from here https://github.com/aws-actions/configure-aws-credentials#retrieving-credentials-from-step-output-assumerole-with-temporary-credentials
Unfortunately that didn't seem to work:
Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Authenticated as assumedRoleId
My yml has:
- name: Configure AWS creds
  uses: aws-actions/configure-aws-credentials@v4
  id: creds
  with:
    role-to-assume: ${{ secrets.ECR_IAM_ROLE_TO_ASSUME }}
    aws-region: ap-southeast-2
- name: "Build the image and cache"
  uses: whoan/docker-build-with-cache-action@v8
  with:
    username: "${{ steps.creds.outputs.aws-access-key-id }}"
    password: "${{ steps.creds.outputs.aws-secret-key-id }}"
    session: "${{ steps.creds.outputs.aws-session-token }}"
    registry: <a-registry-ref>
    image_name: "some-build"
    image_tag: "${{ github.sha }}"
Ah, just spotted the typo there; fixing and trying again.
With those typos fixed, it still fails. Here are some debug logs:
(partially cropped to preserve IDs that aren't really sensitive, but I'm paranoid)
I've just noticed this, have I just forgotten some key somewhere?
@bagedevimo According to the configure-aws-credentials docs, when you use OIDC, you need to set an audience as an input: https://github.com/aws-actions/configure-aws-credentials#OIDC
That same link says there is a default audience (which should be correct for our partition), and it does seem that the login is working fine on the AWS task; it's just not picking up the credentials in the build and push step.
@bagedevimo Will have to write a test to play with it. Give me some time for that. Feel free to keep on trying and suggest a solution also. I am pretty sure it should be possible to solve through configs.
Thanks for bringing this up.
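The two configuration points raised in this thread, the id-token: write permission asked about above and the step-output wiring from the maintainer's update, assembled into one complete workflow as an added example. This is not code from the original issue or from either project's README. The account ID in the registry host, the secret name and the image name are placeholders; `output-credentials: true` is, to my understanding, the configure-aws-credentials v4 input that has to be enabled before the aws-access-key-id / aws-secret-access-key / aws-session-token step outputs are populated at all, so treat that line as an assumption to check against that action's README rather than a confirmed cause of the warning. The sanity-check step is my own addition to separate "credentials never reached the build step" from "the build step ignores them".

```yaml
# Added example (not from the issue or either project's docs): wire
# OIDC-derived temporary AWS credentials into docker-build-with-cache-action
# through step outputs, and fail early if those outputs are empty.
# Placeholders/assumptions: the secret name, the 123456789012 account ID,
# the image name, and the output-credentials input (see lead-in).
name: build-and-push

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # required for the OIDC token exchange with AWS STS

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS creds (OIDC)
        id: creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.ECR_IAM_ROLE_TO_ASSUME }}
          aws-region: ap-southeast-2
          # Assumption: in v4 the step outputs used below are only set when
          # this input is enabled. Without it, the username/password handed
          # to the build step would be empty strings, which is consistent
          # with a "missing username" warning.
          output-credentials: true

      - name: Sanity-check the temporary credentials before building
        env:
          KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
          SESSION: ${{ steps.creds.outputs.aws-session-token }}
        run: |
          # Stop here if the outputs are empty rather than letting the build
          # step attempt a registry login with blank credentials.
          test -n "$KEY_ID" || { echo "aws-access-key-id output is empty"; exit 1; }
          test -n "$SESSION" || { echo "aws-session-token output is empty"; exit 1; }
          # Prove the credentials exported to the environment are usable at all.
          aws sts get-caller-identity

      - name: Build the image and cache
        uses: whoan/docker-build-with-cache-action@v8
        with:
          # Temporary credentials from the step outputs, including the
          # session token (the `session` input from the maintainer's snippet).
          username: ${{ steps.creds.outputs.aws-access-key-id }}
          password: ${{ steps.creds.outputs.aws-secret-access-key }}
          session: ${{ steps.creds.outputs.aws-session-token }}
          registry: 123456789012.dkr.ecr.ap-southeast-2.amazonaws.com
          image_name: some-build
          image_tag: ${{ github.sha }}
          context: .
          dockerfile: Dockerfile
          push_image_and_stages: true
          pull_image_and_stages: true
```

If the sanity-check step fails, the problem is upstream of the build action (permissions, role trust policy, or the outputs not being populated); if it passes and the warning still appears, the inputs are reaching the build step non-empty and the action's own login path is where to look next.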