configure-aws-credentials: Could not load credentials from any providers

I have already checked the related issues #202 and #188, but in my case I am not using Dependabot.

This is my pipeline.yaml, truncated up to this action:

name: My Deployment
on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ap-southeast-1
          role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
          role-session-name: GitHubActions
      
        ....

This is my trust relationship for that role:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}

This is my OIDC provider setup in IAM (screenshot omitted):

And this is the error:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ap-southeast-1
    role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
    role-session-name: GitHubActions
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

I am not using a self-hosted runner.

What am I doing wrong? Maybe the audience?

Thanks

UPDATE:

It seems like this method returns false, because you do not validate credentials in the assumeRole method:

    // roleToAssume, accessKeyId and webIdentityTokenFile are the action inputs
    // read with core.getInput() earlier in the action's run()
    const useGitHubOIDCProvider = () => {
        // The assumption here is that self-hosted runners won't be populating the `ACTIONS_ID_TOKEN_REQUEST_TOKEN`
        // environment variable and they won't be providing a web identity token file or access key either.
        // V2 of the action might relax this a bit and create an explicit precedence for these so that customers
        // can provide as much info as they want and we will follow the established credential loading precedence.
        return roleToAssume && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && !accessKeyId && !webIdentityTokenFile
    }

honestly I cannot find a way to echo this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN

UPDATE 2:

OK, this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set. I am not sure why it is not there, and I also cannot find much information about it.

I am willing to submit a PR if needed.
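The gate quoted above can be checked directly on the runner. The script below is an added diagnostic, not code from the action, the issue or its author: it renders the useGitHubOIDCProvider() decision in Python, names the input that blocked the OIDC path, and, when the two ACTIONS_ID_TOKEN_REQUEST_* variables are present, requests an ID token the way @actions/core's getIDToken() does and prints the claims a trust policy will be matched against. The role ARN, the sample token's claims and the sts.amazonaws.com audience are assumptions; the sample token is unsigned and the decoder never checks a signature, so treat it as a diagnostic, not a validator.

```python
"""Why did configure-aws-credentials skip the GitHub OIDC path?

Added diagnostic, not code from the action. It mirrors the gate quoted above:
the OIDC provider is used only when role-to-assume is set, the runner exported
ACTIONS_ID_TOKEN_REQUEST_TOKEN, and neither a static access key nor a
web-identity token file was supplied.
"""
import base64
import json
import os
import urllib.request

TOKEN_ENV = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
URL_ENV = "ACTIONS_ID_TOKEN_REQUEST_URL"
# Assumed role ARN, same shape as the one in the issue.
ROLE_ARN = "arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy"


def oidc_path_selected(env, role_to_assume, access_key_id="", web_identity_token_file=""):
    """Python rendering of the action's useGitHubOIDCProvider() check."""
    return bool(
        role_to_assume
        and env.get(TOKEN_ENV)
        and not access_key_id
        and not web_identity_token_file
    )


def diagnose(env, role_to_assume, access_key_id="", web_identity_token_file=""):
    """Name the first input that stops the OIDC path from being taken."""
    if not role_to_assume:
        return "role-to-assume is empty"
    if access_key_id:
        return "aws-access-key-id is set, so static keys win over OIDC"
    if web_identity_token_file:
        return "web-identity-token-file is set, so that file wins over OIDC"
    if not env.get(TOKEN_ENV):
        return (
            f"{TOKEN_ENV} is not set: the job has no 'id-token: write' permission "
            "(or a job-level permissions block replaced the workflow-level one)"
        )
    return "ok"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT checking the signature (diagnostics only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def fetch_github_oidc_token(env, audience="sts.amazonaws.com"):
    """Request an ID token as @actions/core getIDToken(audience) does (needs network)."""
    req = urllib.request.Request(
        f"{env[URL_ENV]}&audience={audience}",
        headers={"Authorization": f"bearer {env[TOKEN_ENV]}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["value"]


# Constructed, unsigned sample token carrying the claims GitHub puts in its ID
# token; the values are assumptions and the signature segment is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:MatteoGioioso/saml-proxy:ref:refs/heads/master",
    "repository": "MatteoGioioso/saml-proxy",
    "ref": "refs/heads/master",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])


if __name__ == "__main__":
    env = os.environ
    print(diagnose(env, ROLE_ARN))
    if env.get(TOKEN_ENV) and env.get(URL_ENV):
        token = fetch_github_oidc_token(env)
    else:
        token = SAMPLE_TOKEN  # offline: fall back to the constructed sample
    claims = jwt_claims(token)
    print({k: claims.get(k) for k in ("iss", "aud", "sub", "repository", "ref")})
```

Run it as a step after `permissions: id-token: write` is in place and the first line printed should be `ok`; if it names ACTIONS_ID_TOKEN_REQUEST_TOKEN, the permissions block is the problem, not the role or the provider.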

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 19
  • Comments: 66 (8 by maintainers)

Most upvoted comments

So I think there is an undocumented permissions thing you need to use in your workflow to get it:

permissions:
  id-token: write
  contents: read

try that

Seems to be true about defining the permissions for the configuration step.

If you follow https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services it will help.

I was having the same issue; after pushing 20 commits to try different things, it worked 😅

The steps:

  1. Configure the Identity Provider in the IAM AWS console (use the info in the link)
  2. Create a new role that includes the identity provider <---- important
  3. Define the permissions in your YAML file (like below)
  4. Add the role’s ARN (not the OIDC provider ARN) to the configuration step in the YAML

name: AWS Lambda

on:
  workflow_dispatch:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:....

@richardhboyd OK, I saw your last commit yesterday, so I have tried using aws-actions/configure-aws-credentials@master, sigstore as the audience, and added the permissions suggested by @androidwiltron, and it is working.

I think we should implement (2).

EDIT: minor correction in the permissions since I am using semantic-release:

permissions:
  id-token: write
  contents: write

If anyone needs it I wrote up a blog post on how to get it all working.

https://blog.tedivm.com/guides/2021/10/github-actions-push-to-aws-ecr-without-credentials-oidc/

I just got it running by having your setup, using aws-actions/configure-aws-credentials@b8c74de instead of v1/master and by adding sigstore to the list of audiences.

I’ve been able to reproduce this. I’m working with the GitHub team to root cause it. Our plan was to use the audience sts.amazonaws.com since that indicates who you intend to hand the JWT to. It appears that the ability to set an arbitrary audience hasn’t reached everywhere yet. I’m suggesting that we:

(1) roll this repo back to the version where the audience was hardcoded with sigstore for now

(2) I document in the repo’s readme the additional permissions that are needed

(3) I add a note to the readme that this feature is still undergoing changes by GitHub

Thoughts?

One thing that is not obvious that I will leave here for anyone googling to resolve their problem is that job permissions do not individually overwrite workflow permissions, the new permissions block replaces the old permissions block. They are not merged.

This means that in this configuration:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    name: build
    permissions:
      pull-requests: write

The build job will not have id-token: write nor contents: read as the effective permissions block for the job only grants pull-requests: write.

Personally I think that this perhaps might be a confusing design choice and that the job permissions should be deep merged into the workflow permissions, but this is how it works at the moment.

If your jobs have their own permissions applied, make sure to repeat id-token and contents.
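The replace-not-merge rule above is easy to get wrong in a workflow with several jobs, so here is an added checker (not GitHub's code and not from this thread) that computes the effective permissions of each job and flags the ones that run configure-aws-credentials without `id-token: write`. It takes the workflow as the dict PyYAML's safe_load produces; the embedded sample is constructed to match the snippet in the comment above plus one job without its own block, and the scope list is a representative subset of GitHub's, not the full set.

```python
"""Effective GITHUB_TOKEN scopes per job when permissions blocks are nested.

Added example, not from GitHub's docs or the issue. It encodes the rule stated
above: a job-level `permissions:` block replaces the workflow-level block
outright; nothing is merged. Pass a parsed workflow (the dict PyYAML's
safe_load returns) and it reports which jobs lost `id-token: write`.
"""
import sys

# Representative subset of the scopes a job can declare; `read-all` /
# `write-all` expand to every scope (assumption: id-token is among them).
ALL_SCOPES = (
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)


def expand(block):
    """Turn a permissions value (mapping, 'read-all', 'write-all' or None) into a dict."""
    if block is None:
        return {}
    if block == "read-all":
        return {s: "read" for s in ALL_SCOPES}
    if block == "write-all":
        return {s: "write" for s in ALL_SCOPES}
    return dict(block)


def effective_permissions(workflow, job_name):
    """Job block wins completely when present; otherwise the workflow block applies."""
    job = workflow.get("jobs", {}).get(job_name, {})
    if "permissions" in job:
        return expand(job["permissions"])
    return expand(workflow.get("permissions"))


def jobs_missing_oidc(workflow):
    """Jobs that run configure-aws-credentials but cannot mint an ID token."""
    missing = []
    for name, job in workflow.get("jobs", {}).items():
        uses_oidc = any(
            "configure-aws-credentials" in str(step.get("uses", ""))
            for step in job.get("steps", [])
        )
        if uses_oidc and effective_permissions(workflow, name).get("id-token") != "write":
            missing.append(name)
    return missing


# Constructed sample: the shape discussed above, plus a job with no block of its own.
SAMPLE_WORKFLOW = {
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {
        "build": {
            "permissions": {"pull-requests": "write"},
            "steps": [
                {"uses": "actions/checkout@v3"},
                {"uses": "aws-actions/configure-aws-credentials@v1"},
            ],
        },
        "deploy": {
            "steps": [{"uses": "aws-actions/configure-aws-credentials@v1"}],
        },
    },
}


if __name__ == "__main__":
    workflow = SAMPLE_WORKFLOW
    if len(sys.argv) > 1:  # optional: lint a real file (assumes PyYAML is installed)
        import yaml
        with open(sys.argv[1]) as fh:
            workflow = yaml.safe_load(fh)
    for name in workflow.get("jobs", {}):
        print(name, effective_permissions(workflow, name))
    for name in jobs_missing_oidc(workflow):
        print(f"{name}: repeat 'id-token: write' (and 'contents: read') in the job's permissions block")
```

For the sample, `build` ends up with only `pull-requests: write` and is reported, while `deploy`, which declares nothing, inherits the workflow block and can request a token.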

I don’t think a new release has been made since Jul 19, while the OIDC changes were merged two days ago. https://github.com/aws-actions/configure-aws-credentials/commit/b8c74de753fbcb4868bf2011fb2e15826ce973af

What happens if you change the version to master? uses: aws-actions/configure-aws-credentials@v1 -> uses: aws-actions/configure-aws-credentials@master

I’m experiencing the exact same error too.

So I think there is an undocumented permissions thing you need to use in your workflow to get it:

permissions:
  id-token: write
  contents: read

try that

Saved my day. Thanks man…

When will this feature be released (as it is implemented now on master branch)? Are you waiting for github to go GA with their workload OIDC?

Hi, I followed all the instructions provided by GitHub and in this thread, but I’m still unable to load credentials.

Action YAML

name: Plan / Test On PR

on:
  pull_request:
    branches:
      - main

# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
  id-token: write
  contents: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      - name: Run terraform fmt check
        run: terraform fmt -check -diff -recursive

  plan_and_apply:
    name: Plan and Apply
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::423779874966:role/GitHubAction # The role ARN is correct.
          aws-region: eu-west-1
      - run: aws sts get-caller-identity

Provider configuration: (screenshot omitted)

IAM Role trust configuration: (screenshot omitted)

What am I doing wrong?

EDIT: the pipeline is failing on a PR from an external fork.

thank you so much @idelfonsog2, that fixed my issue, I was using the wrong role in my configuration step of my yaml!

@ohad-griiip the issue is because of the AWS provider configuration. Make sure you have this as the audience: sts.amazonaws.com

IAM > Identity providers > Github_provider > Audiences > Add audience > sts.amazonaws.com

Hi guys,

Still getting this error, my trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::00000000000:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
        }
      }
    }
  ]
}

And my github action:

jobs:
  deploy:
    name: Build and deploy backend
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.REGION }}
          role-to-assume: arn:aws:iam::00000000000:role/git-action-deployment-user
          role-session-name: GithubActionDeployment
...

And the identity provider audiences is:

sts.amazonaws.com
https://github.com/ORG/REPO

Getting the error:

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

EDIT: Never mind - I got it working using aws-actions/configure-aws-credentials@master

@androidwiltron re: “so i think there is an undocumented permissions thing you need to use in your workflow to get it”

it’s documented here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow

When will this feature be released (as it is implemented now on master branch)? Are you waiting for github to go GA with their workload OIDC?

It looks like this was just released yesterday in v1.6.0: https://github.com/aws-actions/configure-aws-credentials/blob/v1.6.0/CHANGELOG.md#160-2021-11-23

@ahawkins change client_id_list = [ "sigstore" ] => to => client_id_list = [ "sts.amazonaws.com" ]

A CodeCommit repository? The ecr-public registries are reachable from any region, but you have to use the us-east-1 endpoint to retrieve your token to authenticate.

https://stackoverflow.com/questions/69274998/could-not-connect-to-the-endpoint-url-https-api-ecr-public-xxxxxxxxx-amazona

Was getting this error until I set the environment value to match the Github environment that had all the secrets

    runs-on: ubuntu-latest
    environment:
      name: production

I encountered the same issue, but @androidwiltron 's suggestion resolved it. Thanks. https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-931012696

That’s not going to work. With OIDC connections you have to have a role as part of your initial connection. This is because that role is where permission is given to GitHub to hand out tokens. Without that permission you can’t do anything.

After you create an IAM OIDC identity provider, you must create one or more IAM roles. A role is an identity in AWS that doesn’t have its own credentials (as a user does). But in this context, a role is dynamically assigned to a federated user that is authenticated by your organization’s IdP. The role permits your organization’s IdP to request temporary security credentials for access to AWS.

One somewhat convoluted option would be to create a role with assume role permissions on other roles, so that one can be used to switch to the other, but I honestly can’t see a good reason to do that. I’d just create a role for each repository and then assume it directly.

Yep, great, it’s working 🚀 thanks a lot @tedivm!

@bryantbiggs Thank you! ❤️ That fixed it. Probably a good thing to call out in the docs related to #284 in a migration from v2 to v3.

Seems there are more issues with master. I’m using a token like:

permissions:
  id-token: write
  contents: write

And an IAM provider like:

resource "aws_iam_openid_connect_provider" "github" {
	url             = "https://token.actions.githubusercontent.com"
	client_id_list  = [ "sigstore" ]
	thumbprint_list = [ "a031c46782e6e6c662c2c87c76da9aa62ccabd8e" ]
}

data "aws_iam_policy_document" "assume_role_policy" {
	statement {
		sid     = "GrantGithubActionsAccess"
		effect  = "Allow"
		actions = [ "sts:AssumeRoleWithWebIdentity" ]
		condition {
			test     = "StringLike"
			variable = "token.actions.githubusercontent.com:sub"
			values   = [ "repo:REDACTED:*" ]
		}
		principals {
			type        = "Federated"
			identifiers = [ aws_iam_openid_connect_provider.github.id ]
		}
	}
}

This was working a few days ago. Now it errors with Incorrect token audience.

Has something changed in Github Actions itself?

EDIT: Fixed with https://github.com/aws-actions/configure-aws-credentials/issues/271#issuecomment-947983135
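The three failure modes in this thread (audience missing from the provider's client ID list, issuer not matching the registered provider, and a `sub` that the trust policy's condition does not cover) can be reproduced offline. The model below is an added example, not AWS code: it applies the same checks STS applies to AssumeRoleWithWebIdentity, using the Terraform provider above with its `sigstore` audience, the corrected `sts.amazonaws.com` audience, the trust policy from the same comment and a constructed token as GitHub issues it. The account id and the `sub` values are assumptions, the error strings are approximations of the ones seen in practice, and only Allow statements with StringEquals/StringLike conditions are modelled.

```python
"""Offline model of the checks STS applies when a GitHub OIDC token is presented
to AssumeRoleWithWebIdentity. Added example, not AWS code.

Modelled: issuer must match the registered provider URL, the token audience
must appear in the provider's client ID list ("Incorrect token audience"), and
an Allow statement for the provider must have a satisfied Condition. Deny
statements and condition operators other than StringEquals/StringLike are out
of scope.
"""
import re
from urllib.parse import urlparse

ACCOUNT = "000000000000"  # assumed account id


def iam_string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def iam_string_equals(pattern, value):
    return pattern == value


OPERATORS = {"StringEquals": iam_string_equals, "StringLike": iam_string_like}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, claims, host):
    """Every operator/key must hold; a key with several values matches if any value does."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            claim = key.split(":", 1)[1] if key.startswith(host + ":") else None
            values = _as_list(claims.get(claim, [])) if claim else []
            if not any(match(p, v) for p in _as_list(patterns) for v in values):
                return False
    return True


def assume_role_with_web_identity(provider, trust_policy, claims):
    """Return (ok, reason) mirroring how the STS call succeeds or fails."""
    host = urlparse(provider["url"]).netloc
    provider_arn = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{host}"
    if claims.get("iss") != provider["url"]:
        return False, "No OpenIDConnect provider found in your account for " + str(claims.get("iss"))
    if not set(_as_list(claims.get("aud", []))) & set(provider["client_id_list"]):
        return False, "Incorrect token audience"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if provider_arn not in _as_list(stmt.get("Principal", {}).get("Federated", [])):
            continue
        if condition_holds(stmt.get("Condition", {}), claims, host):
            return True, "ok"
    return False, "Not authorized to perform sts:AssumeRoleWithWebIdentity"


# Constructed inputs: the Terraform provider above (audience still 'sigstore'),
# its corrected form, the trust policy from the same comment, and a token with
# the claims GitHub issues (sub value assumed).
PROVIDER_SIGSTORE = {"url": "https://token.actions.githubusercontent.com", "client_id_list": ["sigstore"]}
PROVIDER_STS = {"url": "https://token.actions.githubusercontent.com", "client_id_list": ["sts.amazonaws.com"]}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:REDACTED:*"}},
    }],
}
TOKEN_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:REDACTED:ref:refs/heads/main",
}


if __name__ == "__main__":
    print(assume_role_with_web_identity(PROVIDER_SIGSTORE, TRUST_POLICY, TOKEN_CLAIMS))
    print(assume_role_with_web_identity(PROVIDER_STS, TRUST_POLICY, TOKEN_CLAIMS))
    other_repo = {**TOKEN_CLAIMS, "sub": "repo:someone-else/fork:ref:refs/heads/main"}
    print(assume_role_with_web_identity(PROVIDER_STS, TRUST_POLICY, other_repo))
```

The first call fails with the audience error because the action now requests a token for `sts.amazonaws.com` while the provider only lists `sigstore`; the second succeeds; the third shows the `sub` condition doing its job against a token from a different repository, which is exactly what the `repo:ORG/REPO:*` pattern is there for.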

@chris3ware Just checked and the web editor does this to mine as well which works - GitHub just hasn’t updated their validation in the editor it looks like.

ecr-public is only available in us-east-1