I have set up access from GitLab pipelines to AWS using OIDC according to the manual here: https://docs.gitlab.com/ee/ci/cloud_services/aws/
In the pipeline I retrieve session credentials with the following code:
# Exchange the GitLab OIDC token for temporary STS credentials; the result is one
# tab-separated line (AccessKeyId, SecretAccessKey, SessionToken) split into an array.
STS=($(aws sts assume-role-with-web-identity \
  --role-arn "$role_arn" \
  --role-session-name "$role_session_name" \
  --web-identity-token "${AWS_JWT_TOKEN}" \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text))
As part of the pipeline I try to get the ETag of a KeyValueStore to update the values:
$ aws cloudfront-keyvaluestore describe-key-value-store --region us-east-1 --kvs-arn 'arn:aws:cloudfront::000000000408:key-value-store/1944XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
And I get the following error: An error occurred (AccessDeniedException) when calling the DescribeKeyValueStore operation: Authentication failed.
Accessing other resources in us-east-1 (CloudFront distribution, functions, ACM certificate) works fine, IAM Policy Simulator shows that all the relevant actions are allowed,
and when I assume the same role using an IAM user, everything works fine for the KeyValueStore.
What could be the problem with the configuration, and what tools can I use to diagnose the problem?
Thank you.
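Added example (not code from the original post): a Bash helper that takes the one-line text output of the `assume-role-with-web-identity` call above and exports it as the three environment variables the CLI reads, checks that what was exported is a temporary STS session (access key id starting with `ASIA` plus a session token) rather than a long-lived IAM user key, and, in a live run, confirms with `aws sts get-caller-identity` which principal the session resolves to before calling the KeyValueStore API. `$role_arn`, `$role_session_name` and `$AWS_JWT_TOKEN` are the post's variables; the `RUN_LIVE` flag and the sample credential line are assumptions introduced here so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Parses the tab-separated output of
# `aws sts assume-role-with-web-identity ... --output text` and exports it for the
# AWS CLI. `read -r` is used instead of STS=($(...)) so the three fields are taken
# as-is, with no globbing or re-splitting of the values.
set -eo pipefail

# Parse one line "<AccessKeyId>\t<SecretAccessKey>\t<SessionToken>" and export it.
# Returns 1 if any of the three fields is missing.
export_sts_credentials() {
    local line="$1"
    local key secret token
    IFS=$' \t' read -r key secret token <<< "$line"
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "assume-role output did not contain three credential fields" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$key"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
    # A profile configured in the runner image must not shadow the session.
    unset AWS_PROFILE
    return 0
}

# Temporary STS keys start with "ASIA" and come with a session token; long-lived
# IAM user keys start with "AKIA". Returns 0 only for a temporary session.
credentials_are_temporary() {
    case "${AWS_ACCESS_KEY_ID:-}" in
        ASIA*) [ -n "${AWS_SESSION_TOKEN:-}" ] ;;
        *) return 1 ;;
    esac
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    # Live path (assumed flag): same call as in the pipeline, then show the
    # assumed-role ARN and account the exported session actually carries.
    sts_line=$(aws sts assume-role-with-web-identity \
        --role-arn "$role_arn" \
        --role-session-name "$role_session_name" \
        --web-identity-token "${AWS_JWT_TOKEN}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    export_sts_credentials "$sts_line"
    aws sts get-caller-identity --output json
else
    # Constructed sample line; the values are placeholders, not real credentials.
    sample=$'ASIAEXAMPLEKEYID0001\tEXAMPLEsecretKEYexampleSECRETkey00000000\tEXAMPLEsessionTOKEN'
    export_sts_credentials "$sample"
    credentials_are_temporary && echo "temporary session credentials exported"
fi
```

Run it with `RUN_LIVE=1` inside the job to see the identity the KeyValueStore call is made with; without the flag it only exercises the parsing on the constructed line.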