
Breaking change in v4.3.x #1481

@meister245

Description


Describe the bug

Our team uses major version 4 of this GitHub Action in our production deployment pipelines. We don't deploy on a fixed schedule, but we started having failures starting from last week.

We isolated the issue and the only thing that changed was this GitHub Action. We have managed to mitigate the issue by renaming our environment variables, so they don't match any generic AWS env variable names.

Expected Behavior

Given a workflow file with multiple jobs that access different AWS accounts with different roles and authentication mechanisms:

  • Account A is accessed with OIDC identity provider
  • Account B is accessed with AWS secret access key
  • Environment variables are declared on workflow level.

It is expected that the jobs remain isolated from each other.

Current Behavior

With the latest changes in v4 our jobs were no longer isolated.

  • A top-level environment variable "ROLE_TO_ASSUME" in the workflow will automatically be picked up by jobs in the workflow.
  • Even if a job should use an AWS secret access key stored in GitHub secrets to access the AWS account, it will instead attempt to use the OIDC identity provider.

Looking at the translateEnvVariables function here:

export function translateEnvVariables() {

It appears this function extracts all environment variables from the runner environment and forwards them as input to the GitHub Action.

But this already existed in v4.2.x and we had no issues using that version. So the most likely suspect is the new output-env-credentials, which has a default "true" value.

c3b3ce6

Reproduction Steps

I provide a simplified workflow of where our problem occurred. The workflow failed in the "invalidate-cloudfront" job, as that attempted to log in via the OIDC provider instead of the AWS secret key.

name: Deploy Production

on:
  workflow_dispatch:

env:
  ROLE_TO_ASSUME: arn:aws:iam::****

jobs:
  deploy-production:
    runs-on: ubuntu-latest

    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}

      - run: |
          echo "Deploying to production..."

  invalidate-cloudfront:
    needs: deploy-production
    runs-on: ubuntu-latest

    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ vars.AWS_REGION }}
          aws-access-key-id: "***"
          aws-secret-access-key: "***"

      - run: |
          echo "Invalidating CloudFront cache..."

Possible Solution

Switch the output-env-credentials option to default false.

Additional Information/Context

No response
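The isolation failure described in this issue comes down to input precedence: an input a job never set in its `with:` block gets filled from an environment variable that every job in the workflow inherits. The following is an added example, not the code of aws-actions/configure-aws-credentials; it models that behaviour with an assumed env-var-to-input table (ROLE_TO_ASSUME, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION) and an `auditJob` check that flags any credential-selecting input a job received without setting it explicitly. It then runs the check over three constructed workflows: the reporter's layout with ROLE_TO_ASSUME at workflow level, the same workflow with the variable scoped to the one job that needs it, and the reporter's mitigation of renaming the variable. All ARN and key values are placeholders.

```javascript
// Added example (not the action's own code): model how a workflow-level
// environment variable can be picked up as an action input by every job,
// and a check that flags it before it changes a job's authentication path.

// Assumed env-var -> input translation table, based only on the issue's
// description of translateEnvVariables. The real table may differ.
const ENV_TO_INPUT = {
  ROLE_TO_ASSUME: 'role-to-assume',
  AWS_ACCESS_KEY_ID: 'aws-access-key-id',
  AWS_SECRET_ACCESS_KEY: 'aws-secret-access-key',
  AWS_REGION: 'aws-region',
};

// Inputs that select an authentication mechanism. A job should receive these
// only from its own explicit `with:` block, never by inheritance.
const CREDENTIAL_INPUTS = ['role-to-assume', 'aws-access-key-id', 'aws-secret-access-key'];

// Model: an input left unset in `with:` is filled from a matching env var.
function resolveInputs(explicitWith, env) {
  const inputs = { ...explicitWith };
  for (const [envName, inputName] of Object.entries(ENV_TO_INPUT)) {
    if (env[envName] !== undefined && inputs[inputName] === undefined) {
      inputs[inputName] = env[envName];
    }
  }
  return inputs;
}

// Audit one job: which credential inputs did it receive that it never set itself?
// GitHub merges workflow-level env with job-level env (the job wins on conflict).
function auditJob(job, workflowEnv) {
  const explicitWith = job.with || {};
  const env = { ...workflowEnv, ...(job.env || {}) };
  const inputs = resolveInputs(explicitWith, env);
  const leaked = CREDENTIAL_INPUTS.filter(
    (name) => inputs[name] !== undefined && explicitWith[name] === undefined,
  );
  return { inputs, leaked };
}

// Audit every job of a workflow; returns { jobName: { inputs, leaked } }.
function auditWorkflow(workflow) {
  const findings = {};
  for (const [name, job] of Object.entries(workflow.jobs)) {
    findings[name] = auditJob(job, workflow.env || {});
  }
  return findings;
}

// Constructed sample workflows. Values are placeholders, not real ARNs or keys.
const ROLE = 'arn:aws:iam::123456789012:role/PLACEHOLDER';
const STATIC_KEYS = {
  'aws-region': 'eu-west-1',
  'aws-access-key-id': 'AKIA_PLACEHOLDER',
  'aws-secret-access-key': 'SECRET_PLACEHOLDER',
};

// 1. The issue's layout: ROLE_TO_ASSUME declared at workflow level.
const workflowLevelEnv = {
  env: { ROLE_TO_ASSUME: ROLE },
  jobs: {
    'deploy-production': { with: { 'aws-region': 'eu-west-1', 'role-to-assume': ROLE } },
    'invalidate-cloudfront': { with: { ...STATIC_KEYS } },
  },
};

// 2. Same workflow, variable scoped to the only job that needs it.
const jobLevelEnv = {
  jobs: {
    'deploy-production': {
      env: { ROLE_TO_ASSUME: ROLE },
      with: { 'aws-region': 'eu-west-1', 'role-to-assume': ROLE },
    },
    'invalidate-cloudfront': { with: { ...STATIC_KEYS } },
  },
};

// 3. The reporter's mitigation: a name that matches no translated variable.
const renamedEnv = {
  env: { PROD_ROLE_ARN: ROLE },
  jobs: {
    'deploy-production': { with: { 'aws-region': 'eu-west-1', 'role-to-assume': ROLE } },
    'invalidate-cloudfront': { with: { ...STATIC_KEYS } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, wf] of Object.entries({ workflowLevelEnv, jobLevelEnv, renamedEnv })) {
    for (const [job, { leaked }] of Object.entries(auditWorkflow(wf))) {
      console.log(`${label}/${job}: ${leaked.length ? 'LEAKED ' + leaked.join(',') : 'ok'}`);
    }
  }
}
```

Run with `node`, the first workflow reports `invalidate-cloudfront` receiving `role-to-assume` it never asked for, which is exactly the job that failed in the issue; the other two report nothing. The same check is a cheap pre-merge lint for workflow files: any job that ends up with both an OIDC role and static keys, or with a credential input it did not write itself, is mixing authentication paths.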

Labels: bug (Something isn't working), p1, response-requested (Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days.)