Credentials-chaining example in readme doesn't work without role-skip-session-tagging

[fenderb]

Describe the bug

The example of credentials-chaining in the current README doesn't work as-is. If I add role-skip-session-tagging: true it works, but not sure why.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Secondary role is assumed

Current Behavior

Secondary role fails to assume.

Reproduction Steps

This workflow fails to assume the second role

name: Test AWS AssumeRole Chaining
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  test-assume-role-chaining:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.1.0
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::111111111111:role/MyOIDCRole
        role-session-name: MySessionName
    - name: Configure other AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.1.0
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::222222222222:role/MyOtherRole
        role-session-name: MySessionName
        role-chaining: true
    - name: Test Credentials
      run: aws sts get-caller-identity

Possible Solution

This workflow correctly assumes the second role now that I have added role-skip-session-tagging: true. I have no idea why this particular setting matters, I discovered it while comparing to another working example from v1

name: Test AWS AssumeRole Chaining
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  test-assume-role-chaining:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.1.0
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::111111111111:role/MyOIDCRole
        role-session-name: MySessionName
    - name: Configure other AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.1.0
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::222222222222:role/MyOtherRole
        role-session-name: MySessionName
        role-chaining: true
        role-skip-session-tagging: true
    - name: Test Credentials
      run: aws sts get-caller-identity

Additional Information/Context

the README example uses v4.1.0, the behavior in current v4.2.1 is identical

[richardcalahan]

I had the same issue.

My workflow was gettin stuck in an infinite loop:

Assuming role with user credentials
Assuming role with user credentials
Assuming role with user credentials
Assuming role with user credentials
...

With role-skip-session-tagging: true the problem goes away.

This action tags sessions by default, and if the role doesn't also allow sts:TagSession, it fails silently with retries.

[lehmanmj]

Hi fenderb,

richardcalahan is correct; this is happening because role-chaining (and all methods of authentication other than OIDC) will automatically attempt to add session tags; the action will fail if the first role does not have the sts:TagSession permission. This permission must be set on the Trust Relationship of the second role, like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/MyOIDCRole"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

Alternatively, role-session-skip-tagging: true causes the first role to not to use session tags, which lets it work.

[lehmanmj]

Closing this since the readme has been updated. If you have any more problems, please let us know.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.