configure-aws-credentials: Error: The security token included in the request is invalid - when AWS key/secret changes between GHA jobs

Hi,

My workflow - for purposes of testing - looks like this:

name: devops
on:
  workflow_dispatch:
jobs:
  devops1:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-2
      - run: aws s3 ls 
      - run: sleep 60
  devops2:
    runs-on: ubuntu-latest
    needs: devops1
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-2
      - run: aws s3 ls

While devops1 is in the 60 second sleep, I generate a new AWS access key and secret and put these into GitHub Secrets.

When devops2 runs I get this error:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ***
    aws-secret-access-key: ***
    aws-region: eu-west-2
Error: The security token included in the request is invalid.

This may seem like an odd thing to be doing, but the reason is that my actual workflow (not this test workflow) is rotating AWS access keys and pushing them to GitHub secrets. I have one AWS key that I rotate first, and then the other keys are rotated using this key. But this fails due to the error as above.

It looks like a token is left from the previous key, and the new key then fails due to this old token.

Is there a way to clear the old token?

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 14
  • Comments: 18 (1 by maintainers)

Most upvoted comments

I’m facing the same issue even with a much simpler setup…

      - name: Configure AWS CLI
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1

I added the secrets.AWS_SESSION_TOKEN in the repository secrets, and it worked. At the least for my testing needs:

  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
      aws-region: eu-central-1

worked for me too

Bro, you saved my life 😃 That's crazy, with this naming and the error message saying nothing.

@grudelsud Then it works correctly, since it did not reuse your prior credentials. Now you need to fix input arguments in the with: object, since they are wrong and you’re done.

hey @rjeczalik thanks for your reply

I had actually tried to set it as suggested, but I get this error from the runner when running the “aws configure credentials” step:

Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

I was able to assume a different role by setting AWS env vars to null:

jobs:
  foo:
    runs-on: ubuntu-latest
    name: foo-build
    steps:
      - name: Configure AWS credentials
        id: aws_credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.ROLE_ARN_A }}
          aws-region: ${{ env.AWS_DEFAULT_REGION_A }}

      - name: List Buckets
        run: |
          aws s3api list-buckets

      - name: Switch AWS credentials
        id: aws_aws_credentials
        uses: aws-actions/configure-aws-credentials@v1
        env:
          AWS_DEFAULT_REGION: ${{ null }}
          AWS_REGION: ${{ null }}
          AWS_ACCESS_KEY_ID: ${{ null }}
          AWS_SECRET_ACCESS_KEY: ${{ null }}
          AWS_SESSION_TOKEN: ${{ null }}
        with:
          role-to-assume: ${{ env.ROLE_ARN_B }}
          aws-region: ${{ env.AWS_DEFAULT_REGION_B }}

      - name: List Buckets Again
        run: |
          aws s3api list-buckets

Error: The security token included in the request is invalid.

The same error happens when the GitHub OIDC provider is used with role-to-assume. When two different actions within the same job try to assume different roles, the first assume always works while every subsequent one fails with the invalid token error.

Using different session names and cleaning all AWS_ envs from $GITHUB_ENV does not help.

Is calling configure-aws-credentials multiple times with different roles within the same job supported?
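As an added example (not code from this issue thread or from the aws-actions project), the following shell script is what I would put in a `run:` step before a second configure-aws-credentials call, both for the original question (how to get rid of the token left over from the previous key) and for the last comment's case of switching roles within one job. It uses two documented AWS facts: long-term IAM access key IDs begin with `AKIA` and are rejected if a session token (X-Amz-Security-Token) is sent with them, while temporary credentials from STS AssumeRole or OIDC begin with `ASIA` and are rejected without their token. The script classifies whatever is currently in the environment, names the inconsistency that produces "The security token included in the request is invalid", and unsets the AWS_* variables, also writing empty values to `$GITHUB_ENV` so later steps in the job see them cleared. The function names, the `RUN_DEMO` switch, the placeholder key ID (AWS's documented example `AKIAIOSFODNN7EXAMPLE`) and the made-up token value are my own; nothing here is the action's API.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or the aws-actions project).
# Pre-flight check for the failure mode discussed above: credentials exported
# by a previous configure-aws-credentials step are still in the job
# environment when the next step configures different ones.
#
# Documented AWS facts this relies on:
#   - long-term IAM access key IDs start with "AKIA" and are rejected when a
#     session token (X-Amz-Security-Token) is sent with them;
#   - temporary credentials (STS AssumeRole, OIDC) have IDs starting with
#     "ASIA" and are rejected without their session token.
# Function and variable names are my own, not the action's API.

# classify_key KEY_ID -> "long-term" | "temporary" | "unknown"
classify_key() {
  case "$1" in
    AKIA*) echo long-term ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;
  esac
}

# stale_token_state KEY_ID SESSION_TOKEN -> one of
#   ok             key and token are consistent with each other
#   stale-token    long-term key plus a leftover session token (the thread's error)
#   missing-token  temporary key without its session token
#   unknown        key-ID prefix not recognised (or no key at all)
stale_token_state() {
  local key="$1" token="$2"
  case "$(classify_key "$key")" in
    long-term) if [ -z "$token" ]; then echo ok; else echo stale-token; fi ;;
    temporary) if [ -n "$token" ]; then echo ok; else echo missing-token; fi ;;
    *)         echo unknown ;;
  esac
}

# scrub_aws_env: unset the AWS_* variables a previous step exported and, when
# running under GitHub Actions, append empty values to $GITHUB_ENV so later
# steps in the job see them cleared too (unset alone only affects the current
# step's shell).  Prints each variable name it cleared, one per line.
scrub_aws_env() {
  local v is_set
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
           AWS_DEFAULT_REGION AWS_REGION; do
    eval "is_set=\${$v+x}"            # "x" if $v is set, even to ""
    if [ -n "$is_set" ]; then
      unset "$v"
      echo "$v"
      if [ -n "${GITHUB_ENV:-}" ]; then
        printf '%s=\n' "$v" >> "$GITHUB_ENV"
      fi
    fi
  done
}

# preflight: report the state of what is currently in the environment, then
# clear it so the next configure step starts from nothing.  Returns 1 only
# when a key ID with an unrecognised prefix is present, rather than guessing.
preflight() {
  local state
  state=$(stale_token_state "${AWS_ACCESS_KEY_ID:-}" "${AWS_SESSION_TOKEN:-}")
  echo "current environment: $state"
  if [ "$state" = unknown ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "unrecognised key-ID prefix in AWS_ACCESS_KEY_ID; refusing to guess" >&2
    return 1
  fi
  # whatever it was, it belongs to the previous step: clear it
  scrub_aws_env >/dev/null
  return 0
}

# Demonstration with constructed values (AWS's documented placeholder key ID
# and a made-up token; no real credentials).  Run with RUN_DEMO=1.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  export AWS_SESSION_TOKEN=FwoGZXIvYXdzEXAMPLE
  preflight    # reports "stale-token", then clears both variables
fi
```

In a workflow this goes in a `run:` step placed between the two configure-aws-credentials steps (`RUN_DEMO=1 bash scrub.sh` shows the stale-token case locally). The `$GITHUB_ENV` write is what makes the scrub stick for the following step; the `unset` alone is visible only inside the shell that ran it.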