configure-aws-credentials: Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

I followed this documentation to set up my OIDC provider.

OIDC trust relationship doc:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "https://github.com/my-org"
        }
      }
    }
  ]
}

Added permissions to workflow:

permissions:
  id-token: write
  contents: read  # It wasn't mentioned on the docs, without this checkout action doesn't work!

Unfortunately GitHub Actions doesn’t work. I’m getting:

Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

What’s the fix?

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 9
  • Comments: 15

Most upvoted comments

Thanks, that helped me find my issue. In my case the issue was also on the condition, I went from this

"Condition": {
    "ForAllValues:StringEquals": {
        "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
        "token.actions.githubusercontent.com:sub": "repo:myusername/myrepo:*",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
}

To this

"Condition": {
    "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:myusername/myrepo:*"
    },
    "ForAllValues:StringEquals": {
        "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
}

Note the use of StringLike when using wildcards (*).

Thanks to @jigar-bhalodia for pointing out that using only a StringLike condition will return true when checking against empty objects, which is why the StringEquals condition is present.

Hope this can help someone else!

As others suggested changing

"StringEquals": {
    "token.actions.githubusercontent.com:aud": "https://github.com/my-org"
}

to

"StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}

works.

Change:

          "token.actions.githubusercontent.com:aud": "https://github.com/my-org"

to:

          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"

Per that same doc you linked:

For the “Audience”: Use sts.amazonaws.com if you are using the official action.

Considering you shouldn’t use ForAllValues by itself in an Allow list, the following works well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Ah I see. I definitely overlooked that part! Thank you very much.

For anyone running into this, it is case sensitive for the org name. For instance, my condition looks like:

"token.actions.githubusercontent.com:sub": "repo:BradyRyun/*",

Thanks for noting this @jigar-bhalodia, I updated my last post so others follow the right path!

Hi, I have the same issue: Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

OIDC trust relationship doc:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::XXXXXX:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:sub": "repo:company/repo*",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Workflow YAML:

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: ${{ vars.AWS_REGION }}
    role-to-assume: arn:aws:iam::XXXXX:role/AmplifyGithubActionService
    role-session-name: DeployAmplify

I’m still getting the same error. Adding a new identity provider didn’t help at all. Does anyone have any ideas on how to resolve or debug this?

Thanks, that helped me find my issue. In my case the issue was also on the condition, I went from this

"Condition": {
    "ForAllValues:StringEquals": {
        "token.actions.githubusercontent.com:sub": "repo:myusername/myrepo:*",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
}

To this

"Condition": {
    "ForAllValues:StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:myusername/myrepo:*",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
    }
}

Hope this can help someone else!

Hey @mathix420, heads up, using ForAllValues by itself is dangerous because it returns true if there are no keys in the request, or if the key values resolve to a null data set, such as an empty string.

Docs for reference:
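The three points this thread settles on (the audience claim must be sts.amazonaws.com, a wildcard on `sub` needs StringLike rather than StringEquals, and ForAllValues on its own is vacuously true when the claim is absent) can be checked offline. The following is an added Python simulator, not code from this thread or from aws-actions/configure-aws-credentials: it models only the single-valued string operators used in the policies above, the token claims it decodes are constructed (an unsigned JWT built in the script), and `decode_claims` is the kind of inspection step that answers the "how do I debug this" question by showing which `sub` and `aud` a token actually carries before comparing them with the trust policy.

```python
"""Added example: simulate IAM condition evaluation for a GitHub OIDC trust policy.
Not code from the issue thread or from aws-actions; claims below are constructed."""
import base64
import json
import re

# Condition keys in the trust policy are the JWT claim names with this prefix.
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the demo has a token to decode offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Read a JWT payload without verifying it, to see the real sub/aud/iss values.
    STS does the actual signature check against the OIDC provider; this is for inspection."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _matches(operator: str, value: str, pattern: str) -> bool:
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":
        return string_like(value, pattern)
    raise ValueError(f"operator not modelled: {operator}")


def evaluate_condition(condition: dict, claims: dict) -> bool:
    """True when every operator block and every key inside it matches (AND);
    a list of policy values for one key matches if any of them does (OR)."""
    for operator, keys in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # e.g. ("ForAllValues", ":", "StringEquals")
        for key, policy_values in keys.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            raw = claims.get(key[len(CLAIM_PREFIX):])
            if isinstance(raw, list):
                raise ValueError("multi-valued claims are not modelled in this example")
            # A missing claim or an empty string both count as "no values in the request".
            request_values = [raw] if isinstance(raw, str) and raw != "" else []
            if set_op == "ForAllValues":
                # all() over an empty list is True: the trap the thread warns about when
                # ForAllValues is the only guard on `sub`.
                ok = all(any(_matches(base_op, v, p) for p in policy_values) for v in request_values)
            elif set_op == "":
                # Single-valued operator: a missing key never matches.
                ok = bool(request_values) and any(_matches(base_op, request_values[0], p) for p in policy_values)
            else:
                raise ValueError(f"set operator not modelled: {set_op}")
            if not ok:
                return False
    return True


def _key(claim: str) -> str:
    return CLAIM_PREFIX + claim


# Constructed claims shaped like those GitHub places in a workflow token.
GOOD_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:myusername/myrepo:ref:refs/heads/main",
}

# The trust-policy conditions discussed in the thread.
ORIGINAL = {"StringEquals": {_key("aud"): "https://github.com/my-org"}}
FOR_ALL_ONLY = {"ForAllValues:StringEquals": {
    _key("iss"): "https://token.actions.githubusercontent.com",
    _key("sub"): "repo:myusername/myrepo:*",
    _key("aud"): "sts.amazonaws.com"}}
RECOMMENDED = {
    "StringLike": {_key("sub"): "repo:myusername/myrepo:*"},
    "ForAllValues:StringEquals": {
        _key("iss"): "https://token.actions.githubusercontent.com",
        _key("aud"): "sts.amazonaws.com"}}


def run_demo() -> dict:
    claims = decode_claims(make_unsigned_token(GOOD_CLAIMS))
    no_sub = {k: v for k, v in claims.items() if k != "sub"}
    other_repo = dict(claims, sub="repo:other-org/other-repo:ref:refs/heads/main")
    wrong_case = dict(claims, sub="repo:MyUsername/myrepo:ref:refs/heads/main")
    return {
        "original_policy_allows": evaluate_condition(ORIGINAL, claims),              # False: aud mismatch
        "forall_only_allows_normal_token": evaluate_condition(FOR_ALL_ONLY, claims),  # False: '*' is literal
        "forall_only_allows_token_without_sub": evaluate_condition(FOR_ALL_ONLY, no_sub),  # True: vacuous
        "recommended_allows_own_repo": evaluate_condition(RECOMMENDED, claims),      # True
        "recommended_allows_token_without_sub": evaluate_condition(RECOMMENDED, no_sub),  # False
        "recommended_allows_other_repo": evaluate_condition(RECOMMENDED, other_repo),  # False
        "recommended_allows_wrong_case": evaluate_condition(RECOMMENDED, wrong_case),  # False
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The StringEquals-only fix from the thread (aud = sts.amazonaws.com with no `sub` condition) would evaluate True for every GitHub repository's token, which is why the policy that also pins `sub` with StringLike is the one to keep.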

That worked @mathix420, thanks! (made a PR in GitHub docs)