
Issue with Assuming Role in AWS using GitHub Actions: 'Not authorized to perform sts:AssumeRoleWithWebIdentity' Error


Hi Guys,

I have an AWS organization with multiple accounts: dev, staging, and prod. My application code is in GitHub, and I use GitHub Actions for deployment. I created a GitHub IdP in one account and set up a role with the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:orgname/*"
                }
            }
        }
    ]
}

In each account, I created a role with a trust relationship with the above-created role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/github"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

However, when I run my GitHub Action, I get the following error:

Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Here is my GitHub Action configuration:

name: Build Image
runs-on: ubuntu-latest
permissions:
  id-token: write
  contents: read
steps:
  - name: Check out code
    uses: actions/checkout@v3

  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v3
    with:
      aws-region: ${{ secrets.AWS_REGION }}
      role-to-assume: ${{ secrets.AWS_ROLE }}

Can anyone help me understand what might be wrong and how to fix this issue?

asked 4 months ago · 875 views
4 Answers

Hi,

Did you properly respect the uppercase/lowercase for the orgname in your conditions? It's case-sensitive.

Best,

Didier

AWS EXPERT
answered 4 months ago
  • Yes, I write my organization name with the same uppercase and lowercase letters as it is written in GitHub.


Hello.

"AWS": "arn:aws:iam::xxxxx:role/github"

According to your description, does your role name contain "github"?

I saw #1093 "OIDC: Can't assume role containing 'github'" and #953 "If the assumed role name is GitHubActions the action will fail with a non specific error" in aws-actions/configure-aws-credentials. There seems to be a problem with role names containing "github".

Maybe you can try changing to an unrelated role name that does not include "github" or "action".

answered 4 months ago

I tried the two suggestions, but they didn't help.

answered 4 months ago

I found that your condition here seems a little different from the one in aws-actions/configure-aws-credentials:

                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:orgname/*"
                }

In aws-actions/configure-aws-credentials, it is written like this:

              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*

So, could you try modifying your policy to the following format:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:orgname/*:*"
                }
            }
        }
    ]
}
answered 4 months ago
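The two things the answers above turn on, the case-sensitivity of the `sub` condition and the shape of the `sub` pattern, can be checked offline before touching IAM. The following is an added example (not code from the post, from AWS, or from the configure-aws-credentials action): a small evaluator that applies IAM's documented `StringEquals`/`StringLike` semantics (`*` matches any run of characters, `?` exactly one, both case-sensitive) to a constructed set of GitHub OIDC token claims and to trust policies built in the shape shown in the question. The account ID and repository name are placeholders; it also goes beyond the post by showing a single-branch pattern that rejects a pull_request-triggered token.

```python
import re

# Constructed sample claims, shaped like those in a GitHub Actions OIDC token (not from the post).
SAMPLE_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:orgname/myrepo:ref:refs/heads/main"}
ISSUER_PREFIX = "token.actions.githubusercontent.com:"

def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """Every operator/key pair must hold; several values for one key are OR-ed.
    Only StringEquals and StringLike (the operators used in the post) are modelled."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            claim = claims.get(key.removeprefix(ISSUER_PREFIX))
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if operator == "StringEquals":
                matched = claim is not None and claim in patterns
            elif operator == "StringLike":
                matched = claim is not None and any(iam_string_like(p, claim) for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True

def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity has all of its conditions satisfied."""
    return any(s.get("Effect") == "Allow"
               and s.get("Action") == "sts:AssumeRoleWithWebIdentity"
               and condition_allows(s.get("Condition", {}), claims)
               for s in policy["Statement"])

def github_trust_policy(sub_pattern: str, account_id: str = "123456789012") -> dict:
    """Build the trust-policy shape from the post with a chosen sub pattern (account id is a placeholder)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {ISSUER_PREFIX + "aud": "sts.amazonaws.com"},
            "StringLike": {ISSUER_PREFIX + "sub": sub_pattern},
        }}]}

ORG_WIDE_POLICY = github_trust_policy("repo:orgname/*")        # pattern from the question
ORG_WIDE_POLICY_V2 = github_trust_policy("repo:orgname/*:*")   # pattern suggested in the last answer
BRANCH_POLICY = github_trust_policy("repo:orgname/myrepo:ref:refs/heads/main")  # one repo, one branch

if __name__ == "__main__":
    for name, policy in [("org-wide", ORG_WIDE_POLICY), ("org-wide v2", ORG_WIDE_POLICY_V2), ("one branch", BRANCH_POLICY)]:
        print(f"{name:12} main-branch token allowed: {trust_policy_allows(policy, SAMPLE_CLAIMS)}")
```

Feed it the real `sub` of a failing run (decode the token's payload in the workflow log, never the whole token) to see which condition rejects it.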
