sts:AssumeRoleWithWebIdentity Not Authorized Error #1293

Open
orilani opened this issue Feb 13, 2025 · 0 comments
Labels
bug Something isn't working needs-triage This issue still needs to be triaged

Comments


orilani commented Feb 13, 2025

Describe the bug

I'm encountering an issue when trying to use the configure-aws-credentials action to assume a role with OIDC authentication. The step fails with the following error:

Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

I'm using a self-hosted runner on EKS with IRSA in account A, trying to assume a role in account B.

Troubleshooting Steps Taken:

Verified that the IAM role exists and trust policy is correct.
Confirmed the GitHub OIDC provider is correctly set up in AWS IAM.
Confirmed that the sub and aud conditions match the expected GitHub Actions workflow.
Tried with different role-session-name values to isolate the issue.

Successfully assumed the role from inside the runner console with the AWS CLI; the action failed.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Being able to assume a role from AWS account A into a role in account B.

Current Behavior

Getting a timeout when trying to assume the role with OIDC.

Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

```yaml
name: Verify Terraform Plan

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main

jobs:
  terraform-plan:
    name: Terraform Plan
    runs-on: runner-prod-tf

    permissions:
      id-token: write
      contents: read

    strategy:
      matrix:
        dir:
          - env: dev
            aws_account: 123123123

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials (Only for Dev)
        if: matrix.dir.env == 'dev'  # This step runs only in dev
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::${{ matrix.dir.aws_account }}:role/arc-runners-tf-${{ matrix.dir.env }}
          aws-region: eu-central-1
          role-session-name: runner-prod-tf

      - name: Verify AWS Authentication
        run: aws sts get-caller-identity

      - name: Verify Terraform in Devbox
        run: |
          devbox run which terraform
          devbox run terraform --version

      - name: Initialize Terraform
        working-directory: envs/${{ matrix.dir.env }}
        run: devbox run -- bash -c "cd $(pwd) && terraform init"

      - name: Run Terraform Plan
        working-directory: envs/${{ matrix.dir.env }}
        run: devbox run -- bash -c "cd $(pwd) && terraform plan"
```

Possible Solution

No response

Additional Information/Context

Tried using OIDC and output-credentials; nothing helped.

@orilani orilani added bug Something isn't working needs-triage This issue still needs to be triaged labels Feb 13, 2025
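The "Not authorized to perform sts:AssumeRoleWithWebIdentity" error is what STS returns when the role's trust policy conditions do not match the claims in the presented OIDC token. The following is an added example, not code from this issue or from aws-actions/configure-aws-credentials: it replays that condition check offline against a constructed trust policy (placeholder account id 111111111111, placeholder repository example-org/infra) so the mismatching condition is named rather than hidden behind a generic denial. Only the StringEquals and StringLike operators are modelled.

```python
# Added example, not from the issue or from aws-actions/configure-aws-credentials:
# replays the IAM trust-policy condition check STS performs on a GitHub OIDC token
# before it answers "Not authorized to perform sts:AssumeRoleWithWebIdentity".
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample trust policy for a role in account B; 111111111111 is a
# placeholder account id and example-org/infra a placeholder repository.
TRUST_POLICY = json.loads("""{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/infra:ref:refs/heads/*"}
    }
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_trust(policy, claims):
    """Return (allowed, reasons): allowed if any statement's conditions match the
    token claims; reasons lists every condition that failed, for diagnosis."""
    reasons = []
    for stmt in policy["Statement"]:
        failed = []
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue  # this statement cannot grant the federated assume-role at all
        for op, conds in stmt.get("Condition", {}).items():
            for key, wanted in conds.items():
                claim = key.split(":", 1)[1] if key.startswith(ISSUER + ":") else key
                actual, patterns = claims.get(claim), _as_list(wanted)
                if op == "StringEquals":
                    ok = actual in patterns
                else:  # StringLike: IAM wildcards * and ? map onto fnmatch; other operators are not modelled
                    ok = op == "StringLike" and actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in patterns)
                if not ok:
                    failed.append(f"{op} {key}: token has {actual!r}, policy wants {wanted!r}")
        if not failed:
            return True, []
        reasons.extend(failed)
    return False, reasons
```

A run triggered by a pull_request event carries a sub claim of the form repo:<owner>/<repo>:pull_request rather than a branch ref, so a ref-based StringLike pattern like the one above rejects it; the returned reasons show exactly which condition mismatched.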