OIDC: Can't assume role containing "github"

[bbergeron0]

Describe the bug

Just like #953, OIDC seems to break down when the IAM role contains "GitHub." The runner couldn't assume the role of "github-action-deploy-to-staging" or "test-github-cicd," but assumed the role of "deploy-to-staging" without a hic, with the only difference between these roles being their name. After finding the aforementioned issue, I gave the solution a try and it worked.

Expected Behavior

I expect it to work even if the role contains "github".

Current Behavior

In GH action logs:

Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
...
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

As I said, the role must contains "github" to fail. Here's the failing step in question; (Also, permissions.id-token = write)

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::[redacted]:role/github-said-hi
        role-session-name: samplerolesession
        aws-region: ${{ env.AWS_REGION }}

Possible Solution

#954 suggested to "either highlighting this restricted role name in the documentation, or fixing the issue preventing use of this role name." I'd like to vote for the second option this time around ;)

Additional Information/Context

No response

[gyfchong]

Mine doesn't seem to work even without github in the role name 😢

Github action: https://github.com/gyfchong/rumblr/blob/f66285185f64529004668a8d14878bcbac4d16a6/.github/workflows/deployment.yml#L28

Failed action:
https://github.com/gyfchong/rumblr/actions/runs/9625696385/job/26550841968#step:4:24

[tim-finnigan]

This note was added to the README:

Note: Naming your role "GitHubActions" has been reported to not work. See #953.

More investigation is needed into why a role containing "github" doesn't work and what could be done about it.

[kuber-]

Had the same issue. Issue being - if the assumed role name is (in our case, it was exact match) GitHub, it fails as originally reported. Renaming the role (for example, changing to gh-oidc-role) with no other changes works. A couple of interesting things,

1. We have 3 AWS accounts and only 2 out of 3 have this issue. The third has a role name exactly GitHub and it works!
2. All three with role name GitHub were working for many months and aforementioned two stopped working around 31 july 2024!

For reference, action is invoked as follows,

uses: aws-actions/configure-aws-credentials@v4.0.2
with:
  role-to-assume: arn:aws:iam::xxxx:role/GitHub
  role-session-name: GitHub_to_AWS_via_FederatedOIDC

[rahedges]

I had the same issue:

      role-to-assume: arn:aws:iam::XXXXX:role/GitHubActionXXXXX

It was fixed by changing to role name to:

      role-to-assume: arn:aws:iam::XXXXX:role/GHAXXXXXX

[ajoman]

For anyone still facing this issue. I have used GitHubActions literally in the role name and it is working for me. The problem I was having was that I didn't add the :* at the end of the repositories allowed in the trust relationship.

This is my role ARN:

arn:aws:iam::[redacted]:role/GitHubActions

And this is the trust policy of that role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[redacted]:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "ForAnyValue:StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:{organization}/{repository-a}:*",
                        "repo:{organization}/{repository-b}:*"
                    ]
                }
            }
        }
    ]
}

Hope this helps.

[KaranGauswami]

@ajoman’s method worked for me, even with a role name containing "github."

In addition, my issue was that I did not consider the case sensitivity in token.actions.githubusercontent.com:sub. After matching the exact casing of my username, it worked.