configure-aws-credentials: Error object is empty breaking action

Action stopped working today, after working for multiple weeks:

    runs-on: ubuntu-20.04

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::[REDACTED]:role/[REDACTED]
          role-duration-seconds: 3600
          aws-region: us-east-1

Error: Error message: Cannot read property 'message' of undefined

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 15
  • Comments: 29 (8 by maintainers)

Most upvoted comments

We now implement a retry behavior when the getIDToken call fails in v3, so please let me know if upgrading to v3 helps with this at all.

I don’t think this issue is related to the fingerprints issue, this error would occur before it gets a chance to send the request to the IDP if it’s coming from the getIDToken call.

We’ve implemented the retry and backoff on the getIDToken call in the next major version, we’re working towards a release for that.

For now I’ve forked this repo, added some additional logging in and around the getIDToken() function and use it in our workflows and hopefully we can pinpoint the issue further. Yesterday the workflows didn’t have any issues so it’s waiting for the next incident.

I also encountered this today in a workflow that has many parallel jobs that independently authed with AWS successfully - just the one job failed. I suspect that something is being raised in run() that doesn’t produce a typical Error object.

I haven’t any information on where this is being thrown from, but have enabled ACTIONS_STEP_DEBUG in case I can catch it again.

In the meantime, perhaps the team can change the catch-all core.setFailed(error.message) call to core.setFailed(error.toString()) so that the stack trace is emitted. Alternatively, it could be called with an Error object, since actions/toolkit/core internally calls error.toString() anyway.

Here’s my unhelpful log 😃

    2023-02-13T19:43:12.0069544Z ##[group]Run <ORG-NAME>/<PRIVATE-CUSTOM-ACTION-FOR-AWS-AUTH>@v1
    2023-02-13T19:43:12.0069850Z with:
    2023-02-13T19:43:12.0070072Z   role-to-assume: <ROLE>
    2023-02-13T19:43:12.0070295Z   account-name: <ACCOUNT-NAME>
    2023-02-13T19:43:12.0070501Z   aws-region: <ACCOUNT-REGION>
    2023-02-13T19:43:12.0070722Z   mask-aws-account-id: false
    2023-02-13T19:43:12.0070934Z ##[endgroup]
    2023-02-13T19:43:12.0301300Z ##[group]Run /home/runner/work/_actions/<ORG-NAME>/<PRIVATE-CUSTOM-ACTION-FOR-AWS-AUTH>/v1/configure.sh
    2023-02-13T19:43:12.0301829Z /home/runner/work/_actions/<ORG-NAME>/<PRIVATE-CUSTOM-ACTION-FOR-AWS-AUTH>/v1/configure.sh
    2023-02-13T19:43:12.0350726Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
    2023-02-13T19:43:12.0350996Z env:
    2023-02-13T19:43:12.0351201Z   ROLE: <ROLE>
    2023-02-13T19:43:12.0351424Z   ACCOUNT_NAME: <ACCOUNT-NAME>
    2023-02-13T19:43:12.0351619Z ##[endgroup]
    2023-02-13T19:43:12.0588288Z ##[group]Run aws-actions/configure-aws-credentials@v1-node16
    2023-02-13T19:43:12.0588664Z with:
    2023-02-13T19:43:12.0588951Z   role-to-assume: arn:aws:iam::<ACCOUNT-ID>:role/<ROLE>
    2023-02-13T19:43:12.0589401Z   aws-region: <ACCOUNT-REGION>
    2023-02-13T19:43:12.0589623Z   mask-aws-account-id: false
    2023-02-13T19:43:12.0589849Z   audience: sts.amazonaws.com
    2023-02-13T19:43:12.0590057Z ##[endgroup]
    2023-02-13T19:43:12.2587488Z ##[error]Error message: Cannot read properties of undefined (reading 'message')

I’ve also seen this happen a couple of times today but not consistently. A search (https://github.com/aws-actions/configure-aws-credentials/search?q=message) indicates that this could be an error masking another error?

Edit: Also seeing this when assuming a role via OIDC.
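
The failure mode the comments above describe, a catch-all that reads `.message` from a thrown value that is not an Error and so hides the original failure, shown as an added example (not code from this thread or from the action's source). `setFailed` here is a local stand-in for `core.setFailed`, and `steps`, `describeThrown` and `surfaced` are hypothetical names with constructed inputs; the steps throw synchronously, but a rejected promise reaching the `catch` behaves the same way.

```javascript
// Stand-in for core.setFailed from @actions/core (assumption, so this runs
// offline): records the message instead of failing a workflow step.
const failures = [];
const setFailed = (message) => failures.push(String(message));

// Constructed failure modes for a hypothetical step; not the action's code.
const steps = {
  error: () => { throw new Error('token request timed out'); },
  undefinedValue: () => { throw undefined; },
  string: () => { throw 'HTTP 503'; },
  plainObject: () => { throw { statusCode: 503 }; },
};

// Fragile catch-all: assumes whatever was thrown has a .message property.
const fragileHandler = (error) => setFailed(error.message);

// Defensive catch-all: turns any thrown value into a useful string.
function describeThrown(value) {
  if (value instanceof Error) return value.stack || value.toString();
  if (value !== null && typeof value === 'object') {
    try {
      return `non-Error object thrown: ${JSON.stringify(value)}`;
    } catch {
      return `non-Error object thrown: ${Object.prototype.toString.call(value)}`;
    }
  }
  return `non-Error value thrown: ${String(value)}`;
}
const defensiveHandler = (error) => setFailed(describeThrown(error));

// Runs one step and returns the text a user would see in the job log.
function surfaced(handler, step) {
  failures.length = 0;
  try {
    step();
  } catch (error) {
    try {
      handler(error);
    } catch (masking) {
      // The handler itself threw: the original failure is now lost.
      return `masked by ${masking.name}: ${masking.message}`;
    }
  }
  return failures[0];
}

for (const [kind, step] of Object.entries(steps)) {
  console.log(kind, '| fragile:', surfaced(fragileHandler, step));
  console.log(kind, '| defensive:', surfaced(defensiveHandler, step).split('\n')[0]);
}
```

With the fragile handler, only the real `Error` case produces a usable message; the `undefined` case surfaces a `TypeError` about `message` instead of the underlying cause.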