Credentials obtained with assume-role-with-web-identity give an error when used

0

[The question below has been translated] I am trying to use OpenID Connect authentication. I created my identity provider and am able to get credentials with aws sts assume-role-with-web-identity, but when I try to make a request with the returned token I only get this error: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

Setup

Identity Provider

Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringLike": {
                    "gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
                }
            }
        }
    ]
}

Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": [
                "*"
            ]
        },
        {...excluded}
    ]
}

Steps

aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::{account id}:role/app-deploy \
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
--web-identity-token $CI_JOB_JWT_V2 \
--duration-seconds 3600 >> secrets

export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"

Then I get the error when running aws sts get-caller-identity.

1 Answer
0

[The answer below has been translated] Hello,

The problem is the jq configuration; you need to add the --raw-output flag like this:

export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId' --raw-output)"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey' --raw-output)"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken' --raw-output)"

Otherwise the environment variables are wrapped in "", which does not work.

Hope this helps!

EXPERT
answered 5 months ago
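The procedure above (assume the role, pull the three credential fields out of the STS response with jq, export them) as an added example that is not part of the original question or answer. It parses a constructed sample response in the shape `aws sts assume-role-with-web-identity` prints, extracts each field with `jq -r`, and refuses to export a value that still carries JSON double quotes, which is exactly the failure the answer describes. The response JSON, the key values and the function names are assumptions made for this example, not real credentials or AWS CLI features.

```shell
#!/bin/sh
# Added example, not code from the original post: load temporary credentials from
# an AssumeRoleWithWebIdentity response and check them before they reach the AWS CLI.
set -eu

# Constructed sample response (placeholder values, not real credentials), in the
# shape the AWS CLI prints for assume-role-with-web-identity.
SAMPLE_RESPONSE='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY000000",
    "SecretAccessKey": "exampleSecretKey0000000000000000000000000",
    "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
    "Expiration": "2024-01-01T00:00:00+00:00"
  },
  "SubjectFromWebIdentityToken": "project_path:group/app:ref_type:branch:ref:main",
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLE:GitLabRunner-1-2",
    "Arn": "arn:aws:sts::123456789012:assumed-role/app-deploy/GitLabRunner-1-2"
  }
}'

# Extract one field of .Credentials as a raw string. Without -r, jq prints the
# value with its JSON double quotes, and the AWS CLI then sends a literal
# "\"ASIA...\"" as the access key, which STS rejects with InvalidClientTokenId.
cred_field() {  # $1 = response JSON, $2 = field name
  printf '%s' "$1" | jq -r ".Credentials.$2"
}

# Sanity check a value before exporting it: reject empty, null, or still-quoted
# strings. Returns 0 when the value looks like a raw credential string.
looks_raw() {
  case "$1" in
    ''|null|\"*|*\") return 1 ;;
  esac
  return 0
}

# Export the variables the AWS CLI and SDKs read. AWS_SECURITY_TOKEN is only a
# legacy alias of AWS_SESSION_TOKEN, so it is not needed.
export_aws_creds() {  # $1 = response JSON
  key=$(cred_field "$1" AccessKeyId)
  secret=$(cred_field "$1" SecretAccessKey)
  token=$(cred_field "$1" SessionToken)
  for v in "$key" "$secret" "$token"; do
    looks_raw "$v" || { echo "credential value is quoted or empty, refusing to export" >&2; return 1; }
  done
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}

# Usage in a CI job (kept in a variable instead of a file on disk):
#   RESP=$(aws sts assume-role-with-web-identity --role-arn "$ROLE_ARN" \
#          --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
#          --web-identity-token "$CI_JOB_JWT_V2" --duration-seconds 3600)
#   export_aws_creds "$RESP" && aws sts get-caller-identity
```

Two details worth noting beyond the jq flag. The question's `>> secrets` appends to the file, so a second run in the same workspace leaves two JSON documents in `secrets` and each `jq` call prints two values; capturing the response in a shell variable, as the comment at the end shows, avoids both that and leaving temporary credentials on disk. The `looks_raw` check also catches the case where jq returns `null` because the response is not what was expected, for example when the assume-role call failed and printed nothing.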
