Hi,
Did you properly respect the uppercase / lowercase for the orgname in your conditions? It's case sensitive.
Best,
Didier
Hello.
"AWS": "arn:aws:iam::xxxxx:role/github"
According to your description, does your role name contain github?
I saw #1093 OIDC: Can't assume role containing "github" and #953 If the assumed role name is GitHubActions the action will fail with a non specific error in aws-actions/configure-aws-credentials. There seems to be a problem with the role name containing github.
Maybe you can try to change an unrelated role name and try not to include github or action.
I found that your method here seems a little different from aws-actions/configure-aws-credentials:
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:orgname/*"
}
In aws-actions/configure-aws-credentials, it is written like this:
StringLike:
  token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
So could you try to modify your policy to the following format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:orgname/*:*"
        }
      }
    }
  ]
}
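To check a trust-policy condition offline before changing the role, the sketch below (an added example, not part of the original answers and not AWS or aws-actions code) evaluates the `sub` patterns shown above against constructed token claims. It is a simplified model of `StringEquals` and `StringLike` only; the organization and repository names and the helper names are assumptions.

```python
import re

PREFIX = "token.actions.githubusercontent.com"

def string_like(pattern: str, value: str) -> bool:
    """Model of IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

OPERATORS = {"StringEquals": lambda expected, value: expected == value,
             "StringLike": string_like}

def condition_allows(condition: dict, claims: dict) -> bool:
    """Every key in every operator block must match (blocks are ANDed together)."""
    for op, tests in condition.items():
        if op not in OPERATORS:
            raise ValueError(f"operator not modelled in this sketch: {op}")
        for key, expected in tests.items():
            value = claims.get(key)
            candidates = expected if isinstance(expected, list) else [expected]
            if value is None or not any(OPERATORS[op](c, value) for c in candidates):
                return False
    return True

def trust_condition(sub_pattern: str) -> dict:
    """Condition block in the shape used on this page, with a chosen sub pattern."""
    return {"StringEquals": {f"{PREFIX}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{PREFIX}:sub": sub_pattern}}

# Constructed sub claims (hypothetical org and repo names) for illustration.
SAMPLE_SUBS = [
    "repo:OrgName/app:ref:refs/heads/main",
    "repo:orgname/app:ref:refs/heads/main",
    "repo:OrgName/app:pull_request",
    "repo:OtherOrg/app:ref:refs/heads/main",
]

def evaluate(sub_pattern: str) -> dict:
    """Map each sample sub claim to whether the trust condition would accept it."""
    cond = trust_condition(sub_pattern)
    return {s: condition_allows(cond, {f"{PREFIX}:aud": "sts.amazonaws.com",
                                       f"{PREFIX}:sub": s})
            for s in SAMPLE_SUBS}

if __name__ == "__main__":
    for pattern in ("repo:orgname/*", "repo:OrgName/*", "repo:OrgName/*:*"):
        print(pattern, evaluate(pattern))
```

For these samples, a pattern whose organization name differs only in case from the claim is rejected, and the `/*` and `/*:*` forms accept the same claims.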
Yes, I write my organization name with uppercase and lowercase as it is written in GitHub.