configure-aws-credentials: Error: Not authorized to perform sts:AssumeRoleWithWebIdentity
I followed this documentation to setup my OIDC provider.
OIDC trust relationship doc:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "https://github.com/my-org"
        }
      }
    }
  ]
}
```
Added permissions to workflow:
```yaml
permissions:
  id-token: write
  contents: read # It wasn't mentioned in the docs; without this the checkout action doesn't work!
```
Unfortunately GitHub Actions doesn't work. I'm getting:
```
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity
```
What's the fix?
About this issue
- State: closed
- Created 3 years ago
- Reactions: 9
- Comments: 15
Commits related to this issue
- Update AWS Policy example to make OIDC to work https://github.com/aws-actions/configure-aws-credentials/issues/318#issuecomment-1145133984 — committed to Andrew-Chen-Wang/docs by Andrew-Chen-Wang 2 years ago
- Move the sub comparison to StringEquals https://github.com/VerticalRelevance/cabana/issues/7 My last build failed with Error: Not authorized to perform sts:AssumeRoleWithWebIdentity This is a long... — committed to VerticalRelevance/cabana by douglasnaphas a year ago
Thanks, that helped me find my issue. In my case the issue was also on the condition. I went from this
To this
Note the use of `StringLike` when using wildcards (`*`). Thanks to @jigar-bhalodia for pointing out that using only a `StringLike` condition will return true when checking against empty objects, which is why the `StringEquals` condition is present. Hope this can help someone else!
As others suggested changing
to
works.
Change:
to:
Per that same doc you linked:
Considering you shouldn't use `ForAllValues` by itself in an Allow list, the following works well.
Ah I see. I definitely overlooked that part! Thank you very much.
For anyone running into this, it is case sensitive for the org name. For instance, my condition looks like:
```json
"token.actions.githubusercontent.com:sub": "repo:BradyRyun/*",
```
Thanks for noting this @jigar-bhalodia, I updated my last post so others follow the right path!
Hi, I have the same issue:
```
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
```
OIDC trust relationship doc:
Yaml connection:
I’m still getting the same error. Adding a new identity provider didn’t help at all. Does anyone have any ideas on how to resolve or debug this?
Hey @mathix420, heads up: using `ForAllValues` by itself is dangerous because it returns true if there are no keys in the request, or if the key values resolve to a null data set, such as an empty string. Docs for reference:
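To make the replies above concrete (the `StringLike`-with-wildcard plus `StringEquals` combination, the case sensitivity of the org name, and the `ForAllValues` empty-set pitfall), here is an added Python model of how IAM evaluates these string conditions against a token's `aud` and `sub` claims. It is not from this issue or from the action's code; the claim values, the `sts.amazonaws.com` audience (the action's default) and the `repo:my-org/*` pattern are my assumptions, and single-valued operators are simplified.

```python
import fnmatch

def _matches(op, pattern, value):
    """Compare one value against one pattern. IAM string operators are case-sensitive."""
    if op == "StringEquals":
        return value == pattern
    if op == "StringLike":
        # IAM wildcards are * and ?; fnmatchcase also honours [], which IAM does not.
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unsupported operator: {op}")

def evaluate_condition(condition, claims):
    """True when every block of an IAM Condition is satisfied by the token claims.
    claims maps a condition key to a list of values; an empty list means the key is absent."""
    for op_key, pairs in condition.items():
        set_prefix, _, op = op_key.rpartition(":")  # "ForAllValues:StringLike" splits here
        for key, pattern in pairs.items():
            patterns = pattern if isinstance(pattern, list) else [pattern]
            values = claims.get(key, [])
            if set_prefix == "ForAllValues":
                # Vacuously true when the key is missing or empty: the pitfall the thread warns about.
                ok = all(any(_matches(op, p, v) for p in patterns) for v in values)
            elif set_prefix == "ForAnyValue":
                ok = any(_matches(op, p, v) for p in patterns for v in values)
            else:
                # Single-valued operator (simplified): a missing key never matches.
                ok = len(values) == 1 and any(_matches(op, p, values[0]) for p in patterns)
            if not ok:
                return False
    return True

AUD = "token.actions.githubusercontent.com:aud"
SUB = "token.actions.githubusercontent.com:sub"

# Constructed claim sets, not real tokens. Assumes the action's default audience, sts.amazonaws.com.
GITHUB_TOKEN = {AUD: ["sts.amazonaws.com"], SUB: ["repo:my-org/my-repo:ref:refs/heads/main"]}
WRONG_CASE = {AUD: ["sts.amazonaws.com"], SUB: ["repo:My-Org/my-repo:ref:refs/heads/main"]}
NO_SUB = {AUD: ["sts.amazonaws.com"]}

# The condition from the original post: aud set to a GitHub URL, and no sub check at all.
ORIGINAL = {"StringEquals": {AUD: "https://github.com/my-org"}}
# The shape the replies describe: StringEquals on aud, StringLike with a wildcard on sub (assumed values).
FIXED = {"StringEquals": {AUD: "sts.amazonaws.com"}, "StringLike": {SUB: "repo:my-org/*"}}
# ForAllValues on its own, which the thread flags as dangerous.
FORALL_ONLY = {"ForAllValues:StringLike": {SUB: "repo:my-org/*"}}

if __name__ == "__main__":
    for name, cond, claims in [("original", ORIGINAL, GITHUB_TOKEN), ("fixed", FIXED, GITHUB_TOKEN),
                               ("fixed, wrong case", FIXED, WRONG_CASE),
                               ("ForAllValues only, no sub", FORALL_ONLY, NO_SUB), ("fixed, no sub", FIXED, NO_SUB)]:
        print(f"{name}: {'ALLOW' if evaluate_condition(cond, claims) else 'DENY'}")
```

The `ForAllValues only, no sub` case is the one that allows a token carrying no `sub` claim at all, which is why the replies keep a plain `StringEquals` block alongside it.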
that worked @mathix420 thanks! (made a PR in github docs)