No OpenIDConnect provider found in your account #280
Comments
This commit updates the example "IAM Role CloudFormation Template" with the new GitHub OIDC token URL. See issue aws-actions#280 for further explanation: aws-actions#280
I'm experiencing the same issue. Had to change the URL to https://token.actions.githubusercontent.com but unlike you, my authentication step is failing...
@Nirrleybo did you also change the Making that change in my role template and updating that stack fixed the issue for me.
@mitch-keenan yes sir I did. still no go... My job config:

```yaml
jobs:
  plan:
    runs-on: ubuntu-latest
    name: terraform plan
    permissions:
      id-token: write   # lets the job request an OIDC token from the runner
      contents: read
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Build Role Session Name
        id: role-session-name
        uses: ./.github/actions/build-role-session-name
      - name: Configure AWS read-only credentials
        uses: aws-actions/[email protected]   # action reference as it appears in the post
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::XXXXXXXXXXXX:role/plan-role
          role-duration-seconds: 1800
          role-session-name: ${{ steps.role-session-name.outputs.ROLE_SESSION_NAME }}
      ...
```

Terraform config:

```hcl
# READ Policy
# ------------------------------
# Trust policy: only tokens from the GitHub provider, and only for workflows
# in ${var.org}/${var.repo_name}, may assume the role.
data "aws_iam_policy_document" "gha_assume_role_policy_document_read" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.githubOidc.arn]
    }
    # The condition key is prefixed with the issuer host of the token
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.org}/${var.repo_name}:*"]
    }
  }
}

resource "aws_iam_role" "gha_role_plan" {
  name                = "gha_role_plan"
  managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  assume_role_policy  = data.aws_iam_policy_document.gha_assume_role_policy_document_read.json
}
```

BTW, this is working:

```yaml
- name: Configure AWS
  run: |
    export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/plan-role
    export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
    export AWS_DEFAULT_REGION=eu-west-1
    echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
    echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
    echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
    # Request an OIDC token from the runner and save it where the AWS SDK's
    # web-identity credential provider reads it
    curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
- run: aws sts get-caller-identity
```

Any thoughts?
@Nirrleybo I think you're running into this unresolved issue. To fix that add these lines at the top level of your job config file:

```yaml
permissions:
  id-token: write
  contents: read
```

and change your action version to
Thanks @mitch-keenan for this - I've tried it and now I'm getting: After changing the OIDC URL, did you have to change the thumbprint number as well?

```hcl
# GitHub Federated Client
# ------------------------------
resource "aws_iam_openid_connect_provider" "githubOidc" {
  # Must equal the iss claim of the tokens GitHub issues
  url = "https://token.actions.githubusercontent.com"
  # Audiences (aud claim) this provider will accept
  client_id_list = [
    "https://github.com/${var.org}/${var.repo_name}"
  ]
  # SHA-1 thumbprint of the CA certificate for the issuer's TLS endpoint
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
  tags = {
    "Name" = "GitHub"
  }
}
```
I'm looking into this now. GH is still actively developing this feature so there are breaking changes that are happening until they officially GA the capability.
@Nirrleybo I think the audience is
The issuer returned by a I think it's likely GH changed the host described in the original roadmap issue and forgot to update it. As @richardhboyd mentioned, it's still in beta so some breaking changes are to be expected. In the meantime, however, I'd suggest updating the documentation of this repo (e.g. the README and example CloudFormation template). Google already updated theirs.
People are generally using 'sigstore' for the default audience, rather than the repo name (as originally described in the roadmap document) and instead using the subject for the repository (because then you can do finer-level controls on a per-role basis instead of the OIDC). It's possible to use a different audience than sigstore if you pass it in the URL; at the moment, it's hard-coded to 'sigstore' here: configure-aws-credentials/index.js Line 196 in 9aaa1da
It would be good if that were a parameter you could pass to the job which defaults to sigstore, because then it permits an account's OIDC parameter to use something other than the default.
@richardhboyd would you mind taking a look at #285 to allow the audience to be explicitly specified? I've tested this out on my AWS provider and it works as expected. You could then use this to encourage moving to an audience of sts.amazonaws.com and to set the provider up to use that instead -- the problem is, that if you have people who've already set up their OIDC providers to only expect 'sigstore' then changing the default in the code is going to break existing users (which is why #274). However with #285 you can leave the unspecified default as
I have a PR submitted to update the default audience to sts.amazonaws.com. Once that's landed we can rebase this PR for allowing customers to modify the audience.
Would it be worth doing it the other way around, and rebasing your change on top of this one? Then instead of changing the default (which will break existing clients) you could simply default it to 'sigstore' and then encourage (in documentation, getting started guides etc.) to explicitly put "audience: sts.amazonaws.com" instead? The problem is you'll get people who've been using this work-in-progress who've set up a single OpenID Connect provider assuming 'sigstore', and if you change the default without any way of modifying it -- and they're using master -- then they'll immediately start failing. I've updated the answer at https://stackoverflow.com/questions/69243571/how-can-i-connect-github-actions-with-aws-deployments-without-using-a-secret-key/69243572#69243572 to show how to define an OpenID Connect provider which will accept both 'sigstore' and 'sts.amazonaws.com', along with a role that will trust either of them as well. Happy to submit a doc PR if you'd like me to expand the examples here?
We don't want the default to be sigstore because it poses a risk of causing a confused deputy problem. This change hasn't been officially released yet (in the v1 tag) so the only people who have taken a dependency on it are people who have explicitly set their action to either
changing audience to
This is an update to the construct that creates IAM resources for GitHub Actions, first introduced with #823 in early October 2021. Apparently the `ClientIdList` field should no longer be `sigstore`, as of 19th October 2021: aws-actions/configure-aws-credentials#291 aws-actions/configure-aws-credentials#280 (comment) aws-actions/configure-aws-credentials#284 The new value is `sts.amazonaws.com`, which I think corresponds to this line in the docs: > For the "Audience": Use sts.amazonaws.com if you are using the official action. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field, running the `aws-actions/configure-aws-credentials` GitHub Action will give you a "Error: Incorrect token audience" error: https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
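To make the three failure modes discussed in this thread concrete (issuer not registered, audience not in the provider's client ID list, subject not matching the trust policy), the following is an added offline model of the checks STS applies to a GitHub OIDC token on AssumeRoleWithWebIdentity. It is example code written for this page, not code from aws-actions/configure-aws-credentials or from AWS. The provider registration, the trust statement, the repository names and the tokens are all constructed; the tokens carry an empty signature (real STS verifies the RS256 signature against the issuer's JWKS before any of these checks), and the Federated principal is modelled by the provider URL rather than its ARN.

```python
"""Offline model of STS's AssumeRoleWithWebIdentity checks for GitHub OIDC tokens.

Constructed example for this page; not the action's or AWS's code. Tokens are
unsigned and made up, which is fine for illustrating the claim checks but is
NOT a substitute for signature verification.
"""
import base64
import json
import re

# Issuer of GitHub Actions tokens after the host change this thread describes;
# the earlier beta issuer used the vstoken. host.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed provider registration, shaped like aws_iam_openid_connect_provider:
# key = provider URL (must equal the token's iss), client_id_list = accepted audiences.
PROVIDERS = {
    GITHUB_ISSUER: {"client_id_list": ["sts.amazonaws.com"]},
}

# Constructed role trust statement: Federated principal (provider URL stands in
# for the provider ARN) plus a StringLike condition on sub, as in the Terraform above.
TRUST_POLICY = {
    "Federated": GITHUB_ISSUER,
    "Condition": {
        "StringLike": {
            "token.actions.githubusercontent.com:sub": ["repo:example-org/example-repo:*"]
        }
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with an empty signature (illustration only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload without checking the signature: the debugging view of a
    token, equivalent to `jq -r .value | cut -d. -f2 | base64 -d`, not verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate_assume_role(token: str, providers: dict, trust: dict) -> tuple:
    """Apply the checks in the order STS does; messages reuse the error strings
    quoted in this thread. Returns (allowed, message)."""
    claims = decode_claims(token)
    provider = providers.get(claims["iss"])
    if provider is None:                       # iss must match a registered provider URL
        return False, "No OpenIDConnect provider found in your account"
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if not any(aud in provider["client_id_list"] for aud in auds):
        return False, "Incorrect token audience"
    if trust["Federated"] != claims["iss"]:    # role must trust this provider
        return False, "Not authorized to perform sts:AssumeRoleWithWebIdentity"
    host = claims["iss"].split("://", 1)[-1]   # condition keys are "<issuer host>:<claim>"
    for operator, keys in trust.get("Condition", {}).items():
        for key, patterns in keys.items():
            prefix, _, claim = key.partition(":")
            value = claims.get(claim) if prefix == host else None
            if operator == "StringEquals":
                matched = value in patterns
            elif operator == "StringLike":
                matched = value is not None and any(iam_string_like(p, value) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not matched:
                return False, "Not authorized to perform sts:AssumeRoleWithWebIdentity"
    return True, "AssumeRoleWithWebIdentity allowed"


def run_scenarios() -> dict:
    """Four constructed tokens covering the failures reported in this thread."""
    base = {
        "iss": GITHUB_ISSUER,
        "aud": "sts.amazonaws.com",
        "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    }
    cases = {
        "old_vstoken_issuer": {**base, "iss": "https://vstoken.actions.githubusercontent.com"},
        "sigstore_audience": {**base, "aud": "sigstore"},
        "other_repo": {**base, "sub": "repo:someone-else/example-repo:ref:refs/heads/main"},
        "correct": base,
    }
    return {name: evaluate_assume_role(make_unsigned_token(c), PROVIDERS, TRUST_POLICY)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ok, msg) in run_scenarios().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY '} {msg}")
```

Two points the scenarios make: the condition key is prefixed with the issuer host, so when the host moved from vstoken. to token. both the provider URL and the trust-policy condition key had to change; and the audience check only proves the token was minted for AWS, which is the confused-deputy concern with a shared value like sigstore. It is the sub condition that limits which repository can assume the role, so a provider with the right audience but a role without a sub condition would accept a token from any GitHub repository.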
This issue seems it was from before the feature became available. Closing out, ping if you feel this was in error.
|
@richardhboyd @mitch-keenan , I am using AWS private cloud/VNET for OIDC. I tried all ways and the trust JSON etc. all looks good, but I'm still getting the same error; any other clue for me? Tried with v2 also but same error. Added in workflow this part also: aws-actions/configure-aws-credentials@v1
Do we have any other alternative GitHub action to try for AWS using OIDC?
Had a problem crop up this morning trying to run an action using OIDC auth as described here and wanted to raise an issue in case anyone runs into the same thing:

Action fails with following error:

I was able to change my IAM OIDC/role definition to change vstoken.actions.githubusercontent.com to token.actions.githubusercontent.com and then it authenticated successfully, but I can't seem to find a mention of this change anywhere from GitHub themselves. See PR #281 for my changes to update the example IAM role template.