Description
Describe the bug
I have the following workflow job to login to AWS:
```yaml
login-to-aws:
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write
  steps:
    - uses: actions/checkout@v4
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: ${{ secrets.AWS_REGION }}
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
```
But every time I run this workflow, I get the following error message:
Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
I already added the necessary secret values associated with the role I created to work with GitHub Actions workflows, configured the Identity Provider following this guide, and also configured my custom role with the following trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<Account ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:Juansecu/*"
        }
      }
    }
  ]
}
```
And the following permissions policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushOnlyAccessToECR",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyOtherPermissionsToECR",
      "Effect": "Deny",
      "NotAction": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "*"
    }
  ]
}
```
What could be the reason for getting this error every time I run the mentioned workflow?
By the way, should the role match the region of my ECR repository?
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
I expect the workflow to get the mentioned permissions, including sts:AssumeRoleWithWebIdentity.
Current Behavior
I get the following error message every time I run the workflow:
Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
Reproduction Steps
- Configure an Identity Provider for GitHub Actions following this guide
- Create a role with the following trust and permissions policies:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<Account ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:Juansecu/*"
        }
      }
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushOnlyAccessToECR",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyOtherPermissionsToECR",
      "Effect": "Deny",
      "NotAction": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "*"
    }
  ]
}
```

- Run the following workflow:

```yaml
login-to-aws:
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write
  steps:
    - uses: actions/checkout@v4
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: ${{ secrets.AWS_REGION }}
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
```
Possible Solution
No response
Additional Information/Context
No response
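The trust policy quoted in the report gates sts:AssumeRoleWithWebIdentity on two conditions, the token's aud and sub claims, and a token whose claims do not satisfy them is one common way to end up with the reported "Not authorized" error. The following added example (not code from aws-actions/configure-aws-credentials or from AWS) is a simplified evaluator that replays those two conditions against constructed claims shaped like the ones GitHub's OIDC token carries. It models only the StringEquals and StringLike operators that this policy uses and is not IAM's full evaluation logic; the claim values, repository names and helper names are assumptions.

```python
"""Simplified check of the issue's trust-policy conditions against OIDC claims.

Added example, not code from aws-actions/configure-aws-credentials or AWS.
Only StringEquals and StringLike are modelled (all the policy above uses);
policy variables, set operators and Null checks are deliberately ignored.
"""
import json
import re

# Trust policy from the issue; the account ID stays a placeholder, as in the issue.
TRUST_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<Account ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        "StringLike": {"token.actions.githubusercontent.com:sub": "repo:Juansecu/*"}
      }
    }
  ]
}
""")

ISSUER_HOST = "token.actions.githubusercontent.com"

# Constructed claims with the shape of GitHub's OIDC token; not captured from a real run.
GOOD_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:Juansecu/example-repo:ref:refs/heads/main"}
WRONG_AUD = {"aud": "https://github.com/Juansecu", "sub": "repo:Juansecu/example-repo:ref:refs/heads/main"}
OTHER_OWNER = {"aud": "sts.amazonaws.com", "sub": "repo:OtherOwner/example-repo:ref:refs/heads/main"}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def failed_checks(statement: dict, claims: dict, issuer_host: str = ISSUER_HOST) -> list:
    """Describe every condition in one statement that the claims fail; empty list means all satisfied."""
    failures = []
    # For an OIDC provider the condition keys are "<provider host>:<claim name>".
    keys = {f"{issuer_host}:{name}": value for name, value in claims.items()}
    for operator, clauses in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"condition operator {operator} is not modelled here")
        for key, expected in clauses.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = keys.get(key)
            if actual is None:
                failures.append(f"{operator} {key}: claim not present in token")
            elif operator == "StringEquals" and actual not in allowed:
                failures.append(f"{operator} {key}: {actual!r} is not in {allowed}")
            elif operator == "StringLike" and not any(string_like(p, actual) for p in allowed):
                failures.append(f"{operator} {key}: {actual!r} matches none of {allowed}")
    return failures


def would_allow(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity has all its conditions met."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRoleWithWebIdentity":
            if not failed_checks(stmt, claims):
                return True
    return False


if __name__ == "__main__":
    statement = TRUST_POLICY["Statement"][0]
    for label, claims in (("good", GOOD_CLAIMS), ("wrong aud", WRONG_AUD), ("other owner", OTHER_OWNER)):
        verdict = "allowed" if would_allow(TRUST_POLICY, claims) else failed_checks(statement, claims)
        print(f"{label}: {verdict}")
```

Running it shows the good claims pass, a token minted for a different audience fails the StringEquals check, and a token from a repository under another owner fails the StringLike check; the sub claim also carries the ref suffix, which is why the policy's trailing `*` is needed for the pattern to match at all.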