I can't use OIDC authentication, but my workflow needs the id-token: write permission.
AFAICT there's no way I can use this action if my workflow requires the id-token: write permission?
Is there any workaround for this? It seems a terrible idea to conflate the authentication method with a random permission assigned to the workflow. It's also insanely hard to debug when your role-to-assume config gets silently ignored because you added a permission to the top-level workflow.
Describe the bug
When using the permission id-token: write, it seems that this action automatically goes down the OIDC flow.
This is not always intended behaviour, i.e. when using both OIDC for another action and IAM instance roles within the same job.
Looks like these lines are responsible:
https://github.com/aws-actions/configure-aws-credentials/blob/main/src/assumeRole.ts#L152-L153
Regression Issue
Expected Behavior
Should be allowed to use both OIDC and non-OIDC AWS credentials flows in the same action
Current Behavior
AWS auth fails as it tries to go down the OIDC flow
Reproduction Steps
Create job with id-token: write when you do not want to use the OIDC flow
Possible Solution
Provide explicit OIDC option and do not rely on presence of token (option:true && webToken:true)?
Additional Information/Context
No response
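The following sketch is an added example, not part of the original issue and not the action's own code. It models the reported behaviour (OIDC inferred from the token that id-token: write exposes to the job) next to the explicit opt-in proposed above; the function names, the `useOidc` input and the sample values are hypothetical, while `ACTIONS_ID_TOKEN_REQUEST_TOKEN` is the variable GitHub sets when the permission is granted.

```typescript
// Simplified model of credential-flow selection. Hypothetical names throughout.
type Inputs = {
  roleToAssume?: string;
  accessKeyId?: string;
  webIdentityTokenFile?: string;
  useOidc?: boolean; // hypothetical explicit switch, as proposed in the issue
};
type Env = Record<string, string | undefined>;
type Flow = "oidc" | "web-identity-file" | "static-keys" | "ambient";

// Non-OIDC sources. "ambient" stands for credentials already available to
// the runner, such as an IAM instance role.
function fallback(inputs: Inputs): Flow {
  if (inputs.webIdentityTokenFile) return "web-identity-file";
  if (inputs.accessKeyId) return "static-keys";
  return "ambient";
}

// Implicit selection: the presence of the ID token request token decides,
// so granting id-token: write for an unrelated step changes the flow.
function selectImplicit(inputs: Inputs, env: Env): Flow {
  const tokenPresent = !!env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"];
  const oidc = !!inputs.roleToAssume && tokenPresent &&
    !inputs.accessKeyId && !inputs.webIdentityTokenFile;
  return oidc ? "oidc" : fallback(inputs);
}

// Explicit selection: OIDC only when asked for, and a loud failure when it
// is asked for but the job cannot mint a token.
function selectExplicit(inputs: Inputs, env: Env): Flow {
  if (!inputs.useOidc) return fallback(inputs);
  if (!inputs.roleToAssume) {
    throw new Error("useOidc requires roleToAssume");
  }
  if (!env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]) {
    throw new Error("useOidc is set, but the job lacks id-token: write");
  }
  return "oidc";
}

// Constructed sample: a job that grants id-token: write for another action
// while this step is meant to use the runner's instance role.
const jobWithIdToken: Env = { ACTIONS_ID_TOKEN_REQUEST_TOKEN: "constructed-sample" };
const instanceRoleStep: Inputs = {
  roleToAssume: "arn:aws:iam::111122223333:role/example", // constructed ARN
};
```

With the constructed inputs, the implicit rule selects OIDC for a step that was meant to use the instance role, while the explicit rule leaves it on the ambient credentials and fails visibly if OIDC is requested without the permission.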