assume-role-with-web-identity gets invalid credentials


I am trying to use OpenID Connect authentication. I created my identity provider and am able to retrieve credentials using aws sts assume-role-with-web-identity, but when I try making requests with the token that comes back, I just get this error: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

Setup

Identity Provider

Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringLike": {
                    "gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
                }
            }
        }
    ]
}

Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": [
                "*"
            ]
        },
        {...excluded}
    ]
}

Steps

aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::{account id}:role/app-deploy \
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
--web-identity-token $CI_JOB_JWT_V2 \
--duration-seconds 3600 >> secrets
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"

The error is then thrown when running aws sts get-caller-identity.

2 answers

Accepted answer

Hello,

The problem is the jq config; you need to add the --raw-output flag, like this:

export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId' --raw-output)"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey' --raw-output)"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken' --raw-output)"

Otherwise, the environment variables get wrapped in "", which does not work.

Hope it helps!

//Carl

answered 2 years ago
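The quoting difference the accepted answer describes, as an added example that is not part of the original post or of either answer. It runs against a constructed STS-style response with placeholder credential values, shows what plain jq and jq -r return for the same field, and exports the three variables in one pass without writing the response to a file. The function names (broken_field, raw_field, looks_raw, export_sts_creds) and the sample JSON are assumptions made for the example; jq must be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. The JSON below is a
# constructed stand-in for the output of
# `aws sts assume-role-with-web-identity`; every value is a placeholder.
STS_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "exampleSecretKey/NotReal+0000000000000000",
    "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN==",
    "Expiration": "2030-01-01T00:00:00+00:00"
  },
  "SubjectFromWebIdentityToken": "project_path:example/app:ref_type:branch:ref:main",
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:GitLabRunner-1-1",
    "Arn": "arn:aws:sts::123456789012:assumed-role/app-deploy/GitLabRunner-1-1"
  }
}'

# What the question's pipeline does: jq prints the field as a JSON string,
# so the value comes back with literal double quotes around it.
broken_field() {
    printf '%s' "$STS_JSON" | jq ".Credentials.$1"
}

# What the accepted answer does: --raw-output (-r) prints the bare string.
raw_field() {
    printf '%s' "$STS_JSON" | jq -r ".Credentials.$1"
}

# Sanity check for a credential value before using it: reject an empty
# value, jq's "null" for a missing key, and anything still wrapped in
# JSON quotes (the quoted form is what STS rejects as InvalidClientTokenId).
looks_raw() {
    case "$1" in
        ''|null|'"'*|*'"') return 1 ;;
        *) return 0 ;;
    esac
}

# Export all three credentials from the JSON passed as $1 in one jq call.
# @sh single-quotes each value for the shell, so the eval is safe even if
# a token contains characters the shell treats specially, and nothing is
# written to disk. (The original appends the response to a file with >>,
# which leaves the secret behind and, on a second run, hands jq two
# concatenated documents and therefore two values per field.)
export_sts_creds() {
    eval "$(printf '%s' "$1" | jq -r '.Credentials
        | @sh "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)",
          @sh "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)",
          @sh "export AWS_SESSION_TOKEN=\(.SessionToken)"')"
}

# In the pipeline, with the real command in place of the sample JSON:
#   export_sts_creds "$(aws sts assume-role-with-web-identity ...)"
```

Passing the response through command substitution rather than a file keeps the temporary credentials out of the job's working directory; if the job runs with shell tracing on (set -x), turn it off around this step so the exports are not echoed into the CI log.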

Hello,

Errors like these could be due to issues with things like environment variables or ~/.aws/credentials conflicting in weird ways with IAM instance profiles. The cleanest test would be to unset the relevant environment variables first:

$ for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do unset "$var" ; done

and also ensure that you have nothing in ~/.aws/config or ~/.aws/credentials, then rerun the test.

Let me know if this helps and what was the result by clicking Accept answer.

AWS
Support Engineer
answered 2 years ago
  • Sorry, I should clarify. This is running in a CI build so it always starts from a clean slate. I've tried using both the environment variables, and using aws configure set key value to set them, and both give the same results.
