assume-role-with-web-identity gets invalid credentials

0

I am trying to use OpenID Connect authentication. I created my identity provider and am able to retrieve credentials using aws sts assume-role-with-web-identity, but when I try making requests with the token that comes back, I just get this error: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

Setup

Identity Provider

Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringLike": {
                    "gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
                }
            }
        }
    ]
}

Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": [
                "*"
            ]
        },
        {...excluded}
    ]
}

Steps

aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::{account id}:role/app-deploy \
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
--web-identity-token $CI_JOB_JWT_V2 \
--duration-seconds 3600 >> secrets
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"

The error is then thrown when running aws sts get-caller-identity

2 Answers
0
Accepted Answer

Hello,

The problem is the jq config, you need to add --raw-output flag like this:

export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId' --raw-output)"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey' --raw-output)"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken' --raw-output)"

Otherwise, the environment variables get wrapped in "" which does not work.

Hope it helps!

//Carl

answered 2 years ago
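The fix above, as an added shell example that is not code from the question or the answers: a helper that loads the `assume-role-with-web-identity` response with `jq --raw-output` and rejects any value that is still JSON-quoted (the failure mode in the question). It assumes jq is installed; the response JSON is constructed and every credential value in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: load the credentials
# from an `aws sts assume-role-with-web-identity` JSON response into the AWS_*
# variables with jq --raw-output, and refuse values that are still JSON-quoted.
# Assumes jq is installed. The response below is constructed; every value is a placeholder.
SAMPLE_STS_JSON='{"Credentials":{"AccessKeyId":"ASIAEXAMPLEKEYID","SecretAccessKey":"EXAMPLESECRET","SessionToken":"EXAMPLESESSIONTOKEN","Expiration":"2099-01-01T00:00:00Z"}}'

# Print one field of .Credentials as a bare string. Without -r, jq prints the JSON
# encoding of the string, i.e. with surrounding double quotes, and a request signed
# with a quoted access key id is rejected with InvalidClientTokenId.
sts_field() {
    printf '%s' "$1" | jq -r --arg f "$2" '.Credentials[$f]'
}

# Succeed only when a credential value is non-empty, not "null", and not wrapped in quotes.
credential_is_clean() {
    case "$1" in
        ""|null|\"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Export the three credential variables from a response held in a shell variable,
# so nothing is written to a file on the runner (the original steps appended to a
# file named "secrets", which would also concatenate responses across runs).
load_sts_credentials() {
    for field in AccessKeyId SecretAccessKey SessionToken; do
        value="$(sts_field "$1" "$field")"
        credential_is_clean "$value" || return 1
    done
    AWS_ACCESS_KEY_ID="$(sts_field "$1" AccessKeyId)"
    AWS_SECRET_ACCESS_KEY="$(sts_field "$1" SecretAccessKey)"
    AWS_SESSION_TOKEN="$(sts_field "$1" SessionToken)"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Typical CI use (not run here): STS_JSON="$(aws sts assume-role-with-web-identity ...)"
# followed by: load_sts_credentials "$STS_JSON" && aws sts get-caller-identity
```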
0

Hello,

Errors like these could be due to issues with things like environment variables or ~/.aws/credentials conflicting in weird ways with IAM instance profiles. The cleanest test would be to unset the relevant environment variables first:

$ for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done

and also ensure that you have nothing in ~/.aws/config or ~/.aws/credentials, then rerun the test.

Let me know if this helps and what was the result by clicking Accept answer.

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Sorry I should clarify. This is running in a CI build so it always starts from a clean slate. I've tried using both the environment variables, and using aws configure set key value to set them, and both give the same results.
