Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity #1137

Closed
kaykhan opened this issue Aug 20, 2024 · 7 comments
Labels
bug Something isn't working needs-triage This issue still needs to be triaged

Comments

kaykhan commented Aug 20, 2024

Describe the bug

Fails to assume role with OIDC.

Expected Behavior

Expect to assume the role

Current Behavior

Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:sub": "repo:<ORG>/*",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

permissions:
  id-token: write
  contents: read
  ...
      - name: Checkout
        uses: actions/checkout@master
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account_id>:role/<org>-gh-actions-role
          role-session-name: cdk
          aws-region: ${{ env.AWS_REGION }}

Possible Solution

No response

Additional Information/Context

No response

@JulienAdaly

Faced the same bug when using environment-level secrets in a job (e.g. below)

...

jobs:

  do-something:

    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    environment: production

    steps:
    - uses: actions/checkout@v4
 
   ...

When I remove the associated line (i.e. environment: production) it works fine.

kaykhan commented Aug 23, 2024

I was able to resolve this by changing StringEquals to StringLike.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub

@kaykhan kaykhan closed this as completed Aug 23, 2024
@mini-ninja-64

@kaykhan If you want to use StringEquals: I think the JWT sub is different for environment-managed workflows. It does not contain refs, instead following this format:

repo:$ORG/$REPO:environment:$ENV

I guess because refs would be limited by your GitHub environment anyway 🤷‍♀️

kaykhan commented Aug 25, 2024

@kaykhan If you want to use StringEquals: I think the JWT sub is different for environment-managed workflows. It does not contain refs, instead following this format:

repo:$ORG/$REPO:environment:$ENV

I guess because refs would be limited by your GitHub environment anyway 🤷‍♀️

StringLike is a suitable solution for us, as we don't want to explicitly define the repository or environment.

theJaxon commented Jan 1, 2025

I received the same error, but in my case it was because I had used the organization name in all lower case.
What wasn't working: repo:thejaxon/terraform-gitops

What works:

"StringLike": {
   "token.actions.githubusercontent.com:sub":"repo:theJaxon/terraform-gitops:*"
}


@maximillianus

I got this problem too when the environment variable is defined within the job. I understand the solution now based on the conversation above.

However, I still do not understand how adding an environment changes something in the sub value here: repo:<GitHubOrg>/<GitHubRepo>:ref:refs/heads/<GitHubBranch>
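The three findings in this thread (StringEquals treats `*` as a literal, an environment job gets a different `sub`, and string conditions are case-sensitive) can be replayed offline. The block below is an added example written for this page; it is not code from the issue, from aws-actions/configure-aws-credentials, or from AWS, and it only simulates the IAM matching rules rather than calling STS. The organisation `example-org`, repository `infra`, environment `production`, account id `123456789012` and every function name are placeholders chosen for the example; the `sub` shapes come from GitHub's documentation of the default claim (`repo:ORG/REPO:ref:refs/heads/BRANCH` for a branch run, `repo:ORG/REPO:environment:ENV` when the job names an environment).

```python
import re

ISSUER = "token.actions.githubusercontent.com"


def iam_like_regex(pattern):
    """Compile an IAM StringLike value: '*' matches any run of characters, '?' one
    character, everything else is a literal and, as in IAM, case-sensitive."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


def condition_matches(condition, claims):
    """IAM ANDs every operator block and every key inside it. A key such as
    'token.actions.githubusercontent.com:sub' names the token's 'sub' claim.
    Only StringEquals and StringLike are modelled (the two operators the thread uses)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            issuer, _, claim = key.partition(":")
            actual = claims.get(claim) if issuer == ISSUER else None
            if actual is None:
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = any(actual == v for v in wanted)
            elif operator == "StringLike":
                ok = any(iam_like_regex(v).fullmatch(actual) for v in wanted)
            else:
                raise ValueError(f"operator {operator!r} is not modelled here")
            if not ok:
                return False
    return True


def can_assume(trust_policy, claims):
    """True when an Allow statement for sts:AssumeRoleWithWebIdentity has a Condition
    the token satisfies. Deny statements are not modelled."""
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithWebIdentity" in actions:
            if condition_matches(stmt.get("Condition", {}), claims):
                return True
    return False


def github_claims(org, repo, branch=None, environment=None):
    """Constructed token claims in the default 'sub' shapes GitHub documents: a job
    that names an environment gets 'repo:ORG/REPO:environment:ENV' and no ref at all;
    a plain branch run gets 'repo:ORG/REPO:ref:refs/heads/BRANCH'."""
    if environment is not None:
        sub = f"repo:{org}/{repo}:environment:{environment}"
    else:
        sub = f"repo:{org}/{repo}:ref:refs/heads/{branch or 'main'}"
    return {"iss": f"https://{ISSUER}", "aud": "sts.amazonaws.com", "sub": sub}


def trust_policy(operator, sub_value):
    """The issue's trust policy with the operator and sub value parameterised.
    The account id and 'example-org' are placeholders, not real resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {operator: {f"{ISSUER}:sub": sub_value,
                                     f"{ISSUER}:aud": "sts.amazonaws.com"}},
        }],
    }


def walk_through():
    """Replay the thread's observations against the simulator."""
    branch = github_claims("example-org", "infra", branch="main")
    env = github_claims("example-org", "infra", environment="production")
    return {
        # As posted: under StringEquals the '*' is a literal asterisk, so no token ever matches.
        "as_posted_branch": can_assume(trust_policy("StringEquals", "repo:example-org/*"), branch),
        "as_posted_env": can_assume(trust_policy("StringEquals", "repo:example-org/*"), env),
        # kaykhan's fix: StringLike turns '*' into a wildcard (and admits every repo in the org).
        "stringlike_branch": can_assume(trust_policy("StringLike", "repo:example-org/*"), branch),
        "stringlike_env": can_assume(trust_policy("StringLike", "repo:example-org/*"), env),
        # mini-ninja-64's point: an environment job's sub carries no ref, so an exact
        # branch pattern fails for it and only the environment form matches.
        "equals_ref_form_for_env_job": can_assume(
            trust_policy("StringEquals", "repo:example-org/infra:ref:refs/heads/main"), env),
        "equals_env_form_for_env_job": can_assume(
            trust_policy("StringEquals", "repo:example-org/infra:environment:production"), env),
        # theJaxon's point: string operators are case-sensitive, so a differently cased org fails.
        "wrong_case": can_assume(trust_policy("StringLike", "repo:Example-Org/infra:*"), branch),
        # A tighter pattern that still works for this one repository.
        "single_repo": can_assume(trust_policy("StringLike", "repo:example-org/infra:*"), branch),
    }


if __name__ == "__main__":
    for name, allowed in walk_through().items():
        print(f"{name:30} {'allowed' if allowed else 'Not authorized'}")
```

One caveat the simulator makes visible: `StringLike` with `repo:<ORG>/*` matches every repository, branch, pull request and environment in the organisation, so any workflow that can obtain an OIDC token in any repo of that org can assume the role. If the role carries deployment rights, prefer the exact `StringEquals` forms the thread mentions (`repo:ORG/REPO:environment:ENV` or `repo:ORG/REPO:ref:refs/heads/BRANCH`) and keep the `aud` condition on `sts.amazonaws.com`, which the action sets by default.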
