
Questions tagged with AWS Command Line Interface


assume-role-with-web-identity gets invalid credentials

I am trying to use OpenID Connect authentication. I created my identity provider and am able to retrieve credentials using `aws sts assume-role-with-web-identity`, but when I try making requests with the token that comes back, I just get this error:

`An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.`

## Setup

### Identity Provider

- name: gitlab.com
- audience: https://gitlab.com

#### Trust Relationship

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringLike": {
          "gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
        }
      }
    }
  ]
}
```

### Role Policy

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": [
        "*"
      ]
    },
    {...excluded}
  ]
}
```

### Steps

```
aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::{account id}:role/app-deploy \
  --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
  --web-identity-token $CI_JOB_JWT_V2 \
  --duration-seconds 3600 >> secrets
```

```
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"
```

The error is then thrown when running `aws sts get-caller-identity`.
2 answers · 0 votes · 90 views · asked 2 months ago
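The following script is an added example, not part of the question above or of any answer to it. It shows a defensive way to load the credentials that `aws sts assume-role-with-web-identity` writes to the `secrets` file and to validate them before the first signed call. The key point it illustrates: `jq '.Credentials.AccessKeyId'` prints the value as a JSON string, including the surrounding double quotes, so exporting that output verbatim gives STS a key ID of the form `"ASIA..."` rather than `ASIA...`, which STS rejects as an invalid token. `jq -r` prints the raw string instead. The file name `secrets` and the environment variable names come from the question; the helper function names and the sample key ID `ASIAEXAMPLE123456789` are this example's own constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: load temporary STS credentials from the `secrets` file written
# by `aws sts assume-role-with-web-identity` and sanity-check them before use.
# Function names and sample values are this example's own, not from the post.

# Reject a credential value that is empty or still carries JSON quoting or
# whitespace. A value wrapped in double quotes is exactly what plain `jq`
# (without -r) produces, and STS answers it with InvalidClientTokenId.
check_cred_value() {
  name="$1"
  value="$2"
  if [ -z "$value" ]; then
    echo "$name is empty" >&2
    return 1
  fi
  case "$value" in
    *\"*|*\'*|*[[:space:]]*)
      echo "$name contains quotes or whitespace; use 'jq -r' to get the raw string" >&2
      return 1 ;;
  esac
  return 0
}

# Temporary access key IDs are 20 uppercase alphanumeric characters beginning
# with ASIA (long-term IAM user keys begin with AKIA). Anything else will not
# be accepted by STS, so fail early with a readable message.
check_access_key_id() {
  key="$1"
  check_cred_value AWS_ACCESS_KEY_ID "$key" || return 1
  if [ "${#key}" -ne 20 ]; then
    echo "AWS_ACCESS_KEY_ID has length ${#key}, expected 20" >&2
    return 1
  fi
  case "$key" in
    ASIA*) ;;
    *) echo "AWS_ACCESS_KEY_ID does not start with ASIA (not a temporary key)" >&2
       return 1 ;;
  esac
  case "$key" in
    *[!A-Z0-9]*)
      echo "AWS_ACCESS_KEY_ID contains characters outside A-Z0-9" >&2
      return 1 ;;
  esac
  return 0
}

# Read the three credential fields from the STS JSON response.
# -r prints the raw string (no JSON quotes); -e makes jq exit non-zero when the
# path is missing or null, so a truncated or unexpected file fails loudly.
load_sts_credentials() {
  file="${1:-secrets}"
  AWS_ACCESS_KEY_ID="$(jq -er '.Credentials.AccessKeyId' "$file")" || return 1
  AWS_SECRET_ACCESS_KEY="$(jq -er '.Credentials.SecretAccessKey' "$file")" || return 1
  AWS_SESSION_TOKEN="$(jq -er '.Credentials.SessionToken' "$file")" || return 1
  check_access_key_id "$AWS_ACCESS_KEY_ID" || return 1
  check_cred_value AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" || return 1
  check_cred_value AWS_SESSION_TOKEN "$AWS_SESSION_TOKEN" || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  return 0
}

# Demonstration with constructed values (no AWS call is made):
# the quoted form is what the original `jq` pipeline exports,
# the bare form is what `jq -r` produces.
if check_access_key_id '"ASIAEXAMPLE123456789"' 2>/dev/null; then
  echo "unexpected: quoted key ID accepted"
else
  echo "quoted key ID rejected as expected"
fi
if check_access_key_id 'ASIAEXAMPLE123456789'; then
  echo "raw key ID passes the format check"
fi

# Real use, once the STS response is in ./secrets:
#   load_sts_credentials secrets && aws sts get-caller-identity
```

If you prefer to avoid `jq` altogether, the CLI can emit the raw values directly with `--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text`, which yields one tab-separated line with no quoting to strip. Either way, running a format check like the one above before the first request turns an opaque `InvalidClientTokenId` into a specific message about which variable is malformed.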