Could not load credentials from any providers #271
Comments
So I think there is an undocumented permissions thing you need to use in your workflow to get it
try that |
I don't think a new release has been made since Jul 19 while the OIDC changes were merged two days ago. b8c74de What happens if you change the version to master? |
I'm experiencing the exact same error too. |
I just got it running by having your setup, using |
I'm looking into this now. We used 'sigstore' in an earlier version while we were testing the action. |
What happens if you use |
I've been able to reproduce this. I'm working with the GitHub team to root cause it. Our plan was to use the audience (1) roll this repo back to the version where the audience was hardcoded with (2) I document in the repo's readme the additional permissions that are needed (3) I add a note to the readme that this feature is still undergoing changes by GitHub Thoughts? |
@richardhboyd ok, I saw your last commit yesterday so I have tried using I think we should implement the (2) EDIT: minor correction in the permissions since I am using semantic-release:
|
I am not sure this is related to this action, but now I have the following error:
This is the shortened content of the script, is the point where it fails:
I have tried by specifying the endpoint since
I have a similar setup on CodePipeline/CodeBuild using a similar role and it is working there. |
ecr-public is only available in us-east-1 |
oh, I see, thanks. It confused me because I have a repository in the Singapore region. |
A CodeCommit repository? The ecr-public registries are reachable from any region but you have to use the us-east-1 endpoint to retrieve your token to authenticate. |
ECR repository.
I see, many thanks for the clarification |
I solved the problem by doing the following. I blogged in Japanese. https://dev.classmethod.jp/articles/github-actions-configure-aws-credentials-oidc/ |
I tried to use ExternalId and got an error: Can I use ExternalId with an OIDC provider? |
no |
You cannot use

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}
```

this claim is set by GitHub and cannot be changed by the user, so you can trust it to indicate the source. It's not quite the same as |
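As an added example that is not code from the thread or from the action: a small review check over a trust policy like the one above. It flags a statement whose federated provider is not the current token.actions.githubusercontent.com issuer (the policy above still names the older vstoken host, which a later comment notes was replaced), a missing or unpinned `sub` condition, and a missing `aud` condition (the audience condition is an assumption of what a hardened policy should carry, not something the quoted policy has). `PAGE_POLICY` is a constructed copy of the JSON above.

```python
import json

# Current GitHub Actions OIDC issuer host; the trust policy in the thread
# still names the older vstoken.actions.githubusercontent.com host.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

# Constructed copy of the trust policy quoted in the comment above.
PAGE_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {"vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"}}
  }]
}""")


def trust_policy_findings(policy: dict) -> list:
    """Return hardening findings for every Allow statement that lets an
    OIDC provider call sts:AssumeRoleWithWebIdentity."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal", {})
        provider = principal.get("Federated", "") if isinstance(principal, dict) else ""
        host = provider.rsplit("oidc-provider/", 1)[-1]
        if host != GITHUB_OIDC_HOST:
            findings.append(f"provider host {host!r} is not {GITHUB_OIDC_HOST!r}")
        # Flatten all condition operators into one claim -> pattern(s) map.
        claims = {}
        for patterns in stmt.get("Condition", {}).values():
            claims.update(patterns)
        sub = claims.get(f"{host}:sub")
        if sub is None:
            findings.append("no sub condition: any GitHub repository could assume the role")
        else:
            for pattern in ([sub] if isinstance(sub, str) else sub):
                if not pattern.startswith("repo:") or pattern.startswith("repo:*"):
                    findings.append(f"sub pattern {pattern!r} is not pinned to one repository")
        if f"{host}:aud" not in claims:
            findings.append("no aud condition on the token audience")
    return findings
```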
#271 (comment) worked for me. |
My action.yml file has an error for the id-token. It's configured like this:
id-token is underlined with a red line and the message states: Unknown Key |
@chris3ware Just checked and the web editor does this to mine as well which works - GitHub just hasn't updated their validation in the editor it looks like. |
I tried it but got: It seems it's looking now for https://token.actions.githubusercontent.com instead of https://vstoken.actions.githubusercontent.com So I created a new OIDC provider in IAM (and updated the trust policies as needed) it worked (together with |
When will this feature be released (as it is implemented now on |
Thanks a ton, @dyoshikawa. Your blog saved my day. |
Seems there are more issues with
And an IAM provider like:
This was working a few days ago. Now it errors with Has something changed in GitHub Actions itself? EDIT: Fixed with #271 (comment) |
@ahawkins change |
@bryantbiggs Thank you! <3 That fixed it. Probably a good thing to call out in the docs related to #284 in a migration from v2 to v3. |
Hi guys, Still getting this error, my trust relationship:
And my github action:
And the identity provider audiences is:
Getting the error:
EDIT: Never mind - I got it working using |
This resolved my issue as well. For those that don't find it immediately obvious, add this to the root of your yaml file, not under any jobs or steps. |
There seem to have been a number of separate issues discussed here. I'm going to close this so that people who run into this issue in the future create a new issue. Please be sure to check your permissions - they are required when using OIDC |
Comments on closed issues are hard for our team to see. |
@androidwiltron re: "so i think there is an undocumented permissions thing you need to use in your workflow to get it" it's documented here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow |
add the missing permission: aws-actions/configure-aws-credentials#271 (comment)
One thing that is not obvious that I will leave here for anyone googling to resolve their problem is that job permissions do not individually overwrite workflow permissions, the new permissions block replaces the old permissions block. They are not merged. This means that in this configuration:

```yaml
permissions:
  id-token: write
  contents: read
jobs:
  build:
    name: build
    permissions:
      pull-requests: write
```

The Personally I think that this perhaps might be a confusing design choice and that the job permissions should be deep merged into the workflow permissions, but this is how it works at the moment. If your jobs have their own permissions applied, make sure to repeat id-token and contents. |
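An added example (not from the thread or from the action) that works out the permissions each job actually ends up with under the replace-not-merge rule described above, and lists the jobs that would fail to mint an OIDC token. It also covers the `read-all`/`write-all` shorthand mentioned later in the thread. `WORKFLOW` is a constructed dict mirroring the YAML above in the shape a YAML loader returns; the loader itself is left out so the block runs offline.

```python
# Constructed dict mirroring the workflow quoted above, as a YAML loader
# (e.g. PyYAML's yaml.safe_load) would return it.
WORKFLOW = {
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {
        "build": {"name": "build", "permissions": {"pull-requests": "write"}},
        "deploy": {"name": "deploy"},
    },
}

# What aws-actions/configure-aws-credentials needs for OIDC, per the thread.
OIDC_REQUIRED = {"id-token": "write", "contents": "read"}
LEVELS = {"none": 0, "read": 1, "write": 2}


def effective_permissions(workflow: dict, job: str):
    """A job-level permissions block replaces the workflow-level one
    wholesale; scopes left out of the job block drop to none.  With no
    permissions key anywhere, the default GITHUB_TOKEN applies, which
    never includes id-token: write (assumption: modelled as contents: read)."""
    job_perms = workflow["jobs"][job].get("permissions")
    if job_perms is not None:
        return job_perms
    return workflow.get("permissions", {"contents": "read"})


def grants(perms, scope: str, level: str) -> bool:
    """True if `perms` (a mapping, or the read-all/write-all shorthand)
    gives at least `level` on `scope`."""
    if isinstance(perms, str):
        granted = {"write-all": "write", "read-all": "read"}.get(perms, "none")
    else:
        granted = perms.get(scope, "none")
    return LEVELS.get(granted, 0) >= LEVELS[level]


def jobs_missing_oidc_permissions(workflow: dict) -> dict:
    """Map each job that cannot mint an OIDC token to the scopes it lacks."""
    missing = {}
    for job in workflow["jobs"]:
        perms = effective_permissions(workflow, job)
        gaps = {s: lvl for s, lvl in OIDC_REQUIRED.items() if not grants(perms, s, lvl)}
        if gaps:
            missing[job] = gaps
    return missing
```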
I agree
Merging makes more sense in terms of a reusable block. |
#7 Looks like this permissions object is required. aws-actions/configure-aws-credentials#271 (comment) Also shown in the second code sample here: https://github.com/aws-actions/configure-aws-credentials#usage
for me

```yaml
jobs:
  tests:
    uses: ./.github/workflows/run_tests.yml
```

in other words, I'm unable to use this action in a workflow that was triggered through to update: finally got it: to use

```yaml
# reusable run_tests.yml
name: Run Tests
on:
  workflow_call: # allows calling this workflow from another workflow
    secrets:
      AWS_ACCESS_KEY_ID: { required: true }
      AWS_SECRET_ACCESS_KEY: { required: true }
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
      # - ... rest of the steps...
```

```yaml
# your caller workflow (main workflow)
jobs:
  tests:
    uses: ./.github/workflows/run_tests.yml
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  build-and-push:
    ...
```

took me a few hours to figure this out... |
aws-actions/configure-aws-credentials#271 (comment) The previous workflow had

```yaml
permissions: write-all
```
I have already checked related issues #202 #188, but in my case I am not using Dependabot.
This is my pipeline.yaml truncated till this action:
This is my trust relationship for that role:
This is my OIDC provider setup in IAM
And this is the error:
I am not using a self-hosted runner
What am I doing wrong? Maybe the audience?
Thanks
UPDATE:
it seems like this method returns false, because you do not validate credentials in the assumeRole method: honestly I cannot find a way to echo this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN
UPDATE 2:
ok, this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set, I am not sure why it is not there and also I cannot find much information about it. I am willing to submit a PR if needed.