Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity #1446
Description
Describe the bug
Hello 😄,
I have been trying to configure the configure-aws-credentials (v4.3.1) GitHub Action for the past few days and I keep getting the error as the authentication does not go through.
I suspect that there can be 2 problematic parts:
- OIDC provider created in terraform does not seem to be correctly configured or is to restrictive
- Multiple roles created that the OIDC can assume are wrongly configured in terraform
Here is the relevant terraform code:
variable "aws_profile" {
description = "AWS CLI profile"
type = string
default = "terraform"
}
variable "aws_region" {
description = "AWS region"
type = string
default = "eu-central-1"
}
variable "workload_identity_providers_config" {
description = "OIDC GitHub configurations"
type = map(object({
name = string
actor_claim = string
repository_claim = string
ref_claim = string
allowed_ec2_instance_types = list(string)
workflow_ref_claims = list(string)
}))
default = {
packer-prod-gh = {
name = "packer-prod-gh"
actor_claim = "Timotej979"
repository_claim = "Timotej979/Homelab-infrastructure-talos"
ref_claim = "refs/heads/main"
allowed_ec2_instance_types = ["t4g.medium"]
workflow_ref_claims = [
"Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/main"
]
}
packer-stage-gh = {
name = "packer-stage-gh"
actor_claim = "Timotej979"
repository_claim = "Timotej979/Homelab-infrastructure-talos"
ref_claim = "refs/heads/stage"
allowed_ec2_instance_types = ["t4g.medium"]
workflow_ref_claims = [
"Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/stage"
]
}
packer-dev-gh = {
name = "packer-dev-gh"
actor_claim = "Timotej979"
repository_claim = "Timotej979/Homelab-infrastructure-talos"
ref_claim = "refs/heads/dev"
allowed_ec2_instance_types = ["t4g.medium"]
workflow_ref_claims = [
"Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/dev"
]
}
}
}
# -------------------------------------------------
# Fetch GitHub OIDC Thumbprint dynamically via OpenSSL
# -------------------------------------------------
data "external" "github_oidc_thumbprint" {
program = ["bash", "-c", <<EOT
thumbprint=$(openssl s_client -servername token.actions.githubusercontent.com -connect token.actions.githubusercontent.com:443 </dev/null 2>/dev/null \
| openssl x509 -fingerprint -noout -sha1 \
| cut -d '=' -f 2 \
| tr -d ':' \
| tr '[:upper:]' '[:lower:]')
jq -n --arg thumbprint "$thumbprint" '{"thumbprint":$thumbprint}'
EOT
]
}
# -------------------------------------------------
# OIDC provider for GitHub Actions
# -------------------------------------------------
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = data.external.github_oidc_thumbprint.result["thumbprint"] != "" ? [data.external.github_oidc_thumbprint.result["thumbprint"]] : []
}
# -------------------------------------------------
# Trust policy for GitHub OIDC roles
# -------------------------------------------------
data "aws_iam_policy_document" "github_oidc" {
for_each = var.workload_identity_providers_config
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.github.arn]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:actor"
values = [each.value.actor_claim]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:repository"
values = [each.value.repository_claim]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:ref"
values = [each.value.ref_claim]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:workflow_ref"
values = each.value.workflow_ref_claims
}
condition {
test = "StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${each.value.repository_claim}*"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.amazonaws.com"]
}
}
}
# -------------------------------------------------
# Minimal Packer Talos policy for Packer Talos
# -------------------------------------------------
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "packer_talos" {
for_each = var.workload_identity_providers_config
#########################
# Describe Instances
#########################
statement {
effect = "Allow"
actions = [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:instance/*"
]
}
#########################
# Describe AMIs
#########################
statement {
effect = "Allow"
actions = [
"ec2:DescribeImages",
"ec2:DescribeImageAttribute"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:image/*"
]
}
#########################
# Describe Snapshots
#########################
statement {
effect = "Allow"
actions = [
"ec2:DescribeSnapshots",
"ec2:DescribeSnapshotAttribute"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:snapshot/*"
]
}
#########################
# Describe VPCs/Subnets/SGs/KeyPairs
#########################
statement {
effect = "Allow"
actions = [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key-pair/*",
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:security-group/*",
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:subnet/*",
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:vpc/*"
]
}
#########################
# EC2 instance operations
#########################
statement {
effect = "Allow"
actions = [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:instance/*"
]
condition {
test = "StringEquals"
variable = "aws:RequestedRegion"
values = [var.aws_region]
}
condition {
test = "StringEquals"
variable = "ec2:InstanceType"
values = each.value.allowed_ec2_instance_types
}
}
#########################
# Security group operations
#########################
statement {
effect = "Allow"
actions = [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:security-group/*"
]
condition {
test = "StringEquals"
variable = "aws:RequestedRegion"
values = [var.aws_region]
}
}
#########################
# AMI operations
#########################
statement {
effect = "Allow"
actions = [
"ec2:CreateImage",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:ModifyImageAttribute",
"ec2:CreateTags",
"ec2:DeleteTags"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:image/*"
]
condition {
test = "StringLike"
variable = "ec2:ImageName"
values = ["talos-system-disk-*"]
}
condition {
test = "StringEquals"
variable = "aws:RequestedRegion"
values = [var.aws_region]
}
}
#########################
# Snapshot operations
#########################
statement {
effect = "Allow"
actions = [
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:ModifySnapshotAttribute",
"ec2:CreateTags",
"ec2:DeleteTags"
]
resources = [
"arn:aws:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:snapshot/*"
]
condition {
test = "StringEquals"
variable = "aws:RequestedRegion"
values = [var.aws_region]
}
}
}
# -------------------------------------------------
# IAM roles for GitHub OIDC (trust policy + packer policy)
# -------------------------------------------------
resource "aws_iam_role" "github_oidc_roles" {
for_each = var.workload_identity_providers_config
name = "${each.key}-role"
description = "IAM role for GitHub Actions workflow ${each.key}"
assume_role_policy = data.aws_iam_policy_document.github_oidc[each.key].json
}
# Attach the Packer Talos policy to each OIDC role
resource "aws_iam_role_policy" "packer_talos_policy" {
for_each = var.workload_identity_providers_config
role = aws_iam_role.github_oidc_roles[each.key].id
policy = data.aws_iam_policy_document.packer_talos[each.key].json
}and here is the GitHub Action I am trying/testing out (Same code for 3 different environments dev/stage/prod):
name: Build AWS Image
permissions:
contents: 'read'
id-token: 'write'
on:
workflow_call:
workflow_dispatch:
env:
HCP_CLI_VERSION: "0.8.0"
PACKER_VERSION: "1.12.0"
jobs:
dev:
name: Build Development AWS Image
environment: Development
runs-on: ubuntu-24.04
if: github.ref_name == 'dev'
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Configure HCP Credentials
uses: hashicorp/hcp-auth-action@v0.1.0
with:
workload_identity_provider: ${{ secrets.HCP_WIP_AWS_AZURE_GCP }}
set_access_token: false
export_environment_variables: true
- name: Install HCP CLI
uses: hashicorp/hcp-setup-action@v0.1.0
with:
version: ${{ env.HCP_CLI_VERSION }}
- name: Install Packer
uses: hashicorp/setup-packer@main
with:
version: ${{ env.PACKER_VERSION }}
- name: Debug OIDC Claims
uses: github/actions-oidc-debugger@main
with:
audience: 'sts.amazonaws.com'
- name: Configure AWS Credentials
id: aws-configure-credentials
uses: aws-actions/configure-aws-credentials@v4.3.1
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- name: Build Development Image
working-directory: ./packer/aws/templates
run: |
GREEN='\033[38;5;82m'
ORANGE='\033[38;5;208m'
RED='\033[38;5;196m'
RESET='\033[0m'
log_success() { printf "${GREEN}[SUCCESS] %s${RESET}\n\n" "$1"; }
log_warning() { printf "${ORANGE}[WARNING] %s${RESET}\n" "$1"; }
log_error() { printf "${RED}[ERROR] %s${RESET}\n" "$1"; }
log_info() { printf "[INFO] %s\n" "$1"; }
log_info "Configuring AWS credentials..."
export AWS_ACCESS_KEY_ID="${{ steps.aws-configure-credentials.outputs.aws-access-key-id }}"
export AWS_SECRET_ACCESS_KEY="${{ steps.aws-configure-credentials.outputs.aws-secret-access-key }}"
export AWS_SESSION_TOKEN="${{ steps.aws-configure-credentials.outputs.aws-session-token }}"
log_success "AWS credentials configured successfully."
log_info "Initializing Packer build..."
packer init ./aws.pkr.hcl
log_success "Packer build initialized successfully."
log_info "Starting Packer build..."
packer build ./aws.pkr.hcl
log_success "AWS image built successfully."
staging:
name: Build Staging AWS Image
environment: Staging
runs-on: ubuntu-24.04
if: github.ref_name == 'stage'
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Configure HCP Credentials
uses: hashicorp/hcp-auth-action@v0.1.0
with:
workload_identity_provider: ${{ secrets.HCP_WIP_AWS_AZURE_GCP }}
- name: Install HCP CLI
uses: hashicorp/hcp-setup-action@v0.1.0
with:
version: ${{ env.HCP_CLI_VERSION }}
- name: Install Packer
uses: hashicorp/setup-packer@main
with:
version: ${{ env.PACKER_VERSION }}
- name: Debug OIDC Claims
uses: github/actions-oidc-debugger@main
with:
audience: 'sts.amazonaws.com'
- name: Configure AWS Credentials
id: aws-configure-credentials
uses: aws-actions/configure-aws-credentials@v4.3.1
env:
ACTIONS_STEP_DEBUG: true
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- name: Build Staging Image
working-directory: ./packer/aws/templates
run: |
GREEN='\033[38;5;82m'
ORANGE='\033[38;5;208m'
RED='\033[38;5;196m'
RESET='\033[0m'
log_success() { printf "${GREEN}[SUCCESS] %s${RESET}\n\n" "$1"; }
log_warning() { printf "${ORANGE}[WARNING] %s${RESET}\n" "$1"; }
log_error() { printf "${RED}[ERROR] %s${RESET}\n" "$1"; }
log_info() { printf "[INFO] %s\n" "$1"; }
log_info "Configuring AWS credentials..."
export AWS_ACCESS_KEY_ID="${{ steps.aws-configure-credentials.outputs.aws-access-key-id }}"
export AWS_SECRET_ACCESS_KEY="${{ steps.aws-configure-credentials.outputs.aws-secret-access-key }}"
export AWS_SESSION_TOKEN="${{ steps.aws-configure-credentials.outputs.aws-session-token }}"
log_success "AWS credentials configured successfully."
log_info "Initializing Packer build..."
packer init ./aws.pkr.hcl
log_success "Packer build initialized successfully."
log_info "Starting Packer build..."
packer build ./aws.pkr.hcl
log_success "AWS image built successfully."
prod:
name: Build Production AWS Image
environment: Production
runs-on: ubuntu-24.04
if: github.ref_name == 'main'
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Configure HCP Credentials
uses: hashicorp/hcp-auth-action@v0.1.0
with:
workload_identity_provider: ${{ secrets.HCP_WIP_AWS_AZURE_GCP }}
- name: Install HCP CLI
uses: hashicorp/hcp-setup-action@v0.1.0
with:
version: ${{ env.HCP_CLI_VERSION }}
- name: Install Packer
uses: hashicorp/setup-packer@main
with:
version: ${{ env.PACKER_VERSION }}
- name: Debug OIDC Claims
uses: github/actions-oidc-debugger@main
with:
audience: 'sts.amazonaws.com'
- name: Configure AWS Credentials
id: aws-configure-credentials
uses: aws-actions/configure-aws-credentials@v4.3.1
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- name: Build Production Image
working-directory: ./packer/aws/templates
run: |
GREEN='\033[38;5;82m'
ORANGE='\033[38;5;208m'
RED='\033[38;5;196m'
RESET='\033[0m'
log_success() { printf "${GREEN}[SUCCESS] %s${RESET}\n\n" "$1"; }
log_warning() { printf "${ORANGE}[WARNING] %s${RESET}\n" "$1"; }
log_error() { printf "${RED}[ERROR] %s${RESET}\n" "$1"; }
log_info() { printf "[INFO] %s\n" "$1"; }
log_info "Configuring AWS credentials..."
export AWS_ACCESS_KEY_ID="${{ steps.aws-configure-credentials.outputs.aws-access-key-id }}"
export AWS_SECRET_ACCESS_KEY="${{ steps.aws-configure-credentials.outputs.aws-secret-access-key }}"
export AWS_SESSION_TOKEN="${{ steps.aws-configure-credentials.outputs.aws-session-token }}"
log_success "AWS credentials configured successfully."
log_info "Initializing Packer build..."
packer init ./aws.pkr.hcl
log_success "Packer build initialized successfully."
log_info "Starting Packer build..."
packer build ./aws.pkr.hcl
log_success "AWS image built successfully."When I run the GitHub Action I get the following error log (Including the OIDC debug claim properties):
Run github/actions-oidc-debugger@main
/usr/bin/docker run --name c883daff81a0aa65944222953882fa5347b7ed_506e82 --label c883da --workdir /github/workspace --rm -e "HCP_CLI_VERSION" -e "PACKER_VERSION" -e "GHA_HCP_CRED_FILE" -e "HCP_CRED_FILE" -e "INPUT_AUDIENCE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/Homelab-infrastructure-talos/Homelab-infrastructure-talos":"/github/workspace" c883da:ff81a0aa65944222953882fa5347b7ed "sts.amazonaws.com"
{
"actor": "Timotej979",
"actor_id": "16840528",
"aud": "sts.amazonaws.com",
"base_ref": "",
"environment": "Staging",
"environment_node_id": "EN_kwDONpwADM8AAAABRziFfQ",
"event_name": "workflow_dispatch",
"exp": 1755712456,
"head_ref": "",
"iat": 1755690856,
"iss": "https://token.actions.githubusercontent.com/",
"job_workflow_ref": "Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/stage",
"job_workflow_sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77",
"jti": "b8158178-6ed4-48a0-b469-49a8b4d31520",
"nbf": 1755690556,
"ref": "refs/heads/stage",
"ref_protected": "false",
"ref_type": "branch",
"repository": "Timotej979/Homelab-infrastructure-talos",
"repository_id": "916193292",
"repository_owner": "Timotej979",
"repository_owner_id": "16840528",
"repository_visibility": "public",
"run_attempt": "1",
"run_id": "17097581147",
"run_number": "11",
"runner_environment": "github-hosted",
"sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77",
"sub": "repo:Timotej979/Homelab-infrastructure-talos:environment:Staging",
"workflow": "Build AWS Image",
"workflow_ref": "Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/stage",
"workflow_sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77"
}
2m 43s
Run aws-actions/configure-aws-credentials@v4.3.1
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentityTo view the whole project/relevant files that I am using and to try to recreate the issue you can check the following repo: https://github.com/Timotej979/Homelab-infrastructure-talos
With specificaly the folders regarding to AWS and GitHub Action:
- ./terraform/aws (AWS OIDC provider configuration)
- ./github/workflows/build_aws.yml (GitHub Action for authenticating to the AWS Cloud environment)
I`m relativley new to OIDC so help wold be much appreciated 😅 and I did manage to set up the HCP OIDC provider recently with some hedaches, because of the go-bexpr syntax and 511 character limit, however in this case I'm currently stumped as to what to debug next to make it work 😄.
Kind regards
Timotej979
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
GitHub Action to authenticate to the AWS CloudEnvironment and fail on the next step in the pipeline.
Current Behavior
GitHub action not authenticating to the AWS Cloud environment with the following configuration logs
Run github/actions-oidc-debugger@main
/usr/bin/docker run --name c883daff81a0aa65944222953882fa5347b7ed_506e82 --label c883da --workdir /github/workspace --rm -e "HCP_CLI_VERSION" -e "PACKER_VERSION" -e "GHA_HCP_CRED_FILE" -e "HCP_CRED_FILE" -e "INPUT_AUDIENCE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/Homelab-infrastructure-talos/Homelab-infrastructure-talos":"/github/workspace" c883da:ff81a0aa65944222953882fa5347b7ed "sts.amazonaws.com"
{
"actor": "Timotej979",
"actor_id": "16840528",
"aud": "sts.amazonaws.com",
"base_ref": "",
"environment": "Staging",
"environment_node_id": "EN_kwDONpwADM8AAAABRziFfQ",
"event_name": "workflow_dispatch",
"exp": 1755712456,
"head_ref": "",
"iat": 1755690856,
"iss": "https://token.actions.githubusercontent.com/",
"job_workflow_ref": "Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/stage",
"job_workflow_sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77",
"jti": "b8158178-6ed4-48a0-b469-49a8b4d31520",
"nbf": 1755690556,
"ref": "refs/heads/stage",
"ref_protected": "false",
"ref_type": "branch",
"repository": "Timotej979/Homelab-infrastructure-talos",
"repository_id": "916193292",
"repository_owner": "Timotej979",
"repository_owner_id": "16840528",
"repository_visibility": "public",
"run_attempt": "1",
"run_id": "17097581147",
"run_number": "11",
"runner_environment": "github-hosted",
"sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77",
"sub": "repo:Timotej979/Homelab-infrastructure-talos:environment:Staging",
"workflow": "Build AWS Image",
"workflow_ref": "Timotej979/Homelab-infrastructure-talos/.github/workflows/build_aws.yml@refs/heads/stage",
"workflow_sha": "e90920a13ba8208cdb825f4d59a56bd4befbad77"
}
2m 43s
Run aws-actions/configure-aws-credentials@v4.3.1
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentityReproduction Steps
You can clone the current repository from: https://github.com/Timotej979/Homelab-infrastructure-talos and simplify the conditions for successful authentication on the OIDC provider.
Relevant files are available in the following folder from the root repo:
- ./terraform/aws (AWS OIDC provider configuration)
- ./github/workflows/build_aws.yml (GitHub Action for authenticating to the AWS Cloud environment)
Possible Solution
I suspect that there can be 2 problematic parts/reasons for the failure of the authentication:
- OIDC provider created in terraform does not seem to be correctly configured or is to restrictive
- Multiple roles created that the OIDC can assume are wrongly configured in terraform
As I read through other issues similar to this one a possible solution would be to downgrade the Action version if needed 🤔
Additional Information/Context
No response