
Cannot assume the 2nd role using IAM credentials issued by the 1st invocation #636

Closed
Constantin07 opened this issue Jan 27, 2023 · 4 comments
Labels
bug Something isn't working needs-triage This issue still needs to be triaged

Comments

@Constantin07

Describe the bug

I'm trying to assume a deployment role in AWS account B using credentials in account A (GH OIDC integration) but it still tries to use GitHub OIDC WebIdentity for the second role instead of using already exposed credentials in environment variables.

[GithubAction] ---------------> [tooling_role A (limited access)] -------------> [deployment_role B]
               assume role with                                   assume role with
            configure-aws-credentials                         configure-aws-credentials
                AWS account A                                       AWS account B

Expected Behavior

Being able to successfully assume the 2nd (non-OIDC) IAM role from account B.

Current Behavior

Fails with error:

Run aws-actions/configure-aws-credentials@v1
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

Reproduction Steps

  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v1-node16
    with:
      aws-region: ${{ env.region }}
      role-to-assume: arn:aws:iam::<account_A>:role/GithubOIDCRole
      role-session-name: GithubOIDCRole
      role-duration-seconds: 3600

  - name: Configure AWS credentials (assume Deployment role)
    uses: aws-actions/configure-aws-credentials@v1-node16
    with:
      aws-region: ${{ env.region }}
      role-to-assume: arn:aws:iam::<account_B>:role/Deployment
      role-session-name: Deployment
      role-duration-seconds: 3600

Possible Solution

I would suggest adding a parameter to force configure-aws-credentials to re-use the existing AWS credentials generated by the previous invocation (account A) instead of trying the OIDC provider again for account B.

Additional Information/Context

No response

@Constantin07 Constantin07 added bug Something isn't working needs-triage This issue still needs to be triaged labels Jan 27, 2023
@daniel-ciaglia

@Constantin07 , you can perfectly do this by using the below snippet:

      - name: Configure AWS Credentials - Step 2
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.ASSUME_ROLE_2 }}
          role-session-name: github-actions-step-2
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
          role-skip-session-tagging: false

There's a PR open (#621) which makes this a bit easier as well.

@Constantin07
Author

Much appreciated @daniel-ciaglia. I will try it out and get back.

@Constantin07
Author

Many thanks @daniel-ciaglia. It worked, but I had to change role-skip-session-tagging to true.
This ticket can be closed now.
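The two-step chain described in this thread, written out as one complete workflow. This is an added example, not code from the issue or from the aws-actions/configure-aws-credentials project; the account IDs, role names, region and branch name are placeholders. Step 1 obtains tooling-role credentials in account A through GitHub OIDC; step 2 passes those credentials back into the action explicitly, so it performs a plain sts:AssumeRole into account B instead of a second sts:AssumeRoleWithWebIdentity, and skips session tagging as the reporter found necessary.

```yaml
# Added example (not from the issue or the action's own docs): a complete two-step
# role chain. All account IDs, role names, region and branch are placeholders.
name: deploy

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required so step 1 can request the GitHub OIDC token
  contents: read

env:
  AWS_REGION: eu-west-1                                          # placeholder
  TOOLING_ROLE: arn:aws:iam::111111111111:role/GithubOIDCRole    # placeholder, account A
  DEPLOY_ROLE: arn:aws:iam::222222222222:role/Deployment         # placeholder, account B

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # Step 1: exchange the GitHub OIDC token for short-lived credentials of the
      # tooling role in account A (sts:AssumeRoleWithWebIdentity). The action
      # exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN
      # into the job environment for the steps that follow.
      - name: Assume tooling role (account A) via OIDC
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.TOOLING_ROLE }}
          role-session-name: github-oidc-tooling
          role-duration-seconds: 3600

      # Step 2: chain into the deployment role in account B with a plain
      # sts:AssumeRole. Handing the step-1 credentials to the action explicitly
      # is what stops it from going back to the OIDC provider. Session tagging
      # is skipped because the deployment role's trust policy would otherwise
      # also have to grant sts:TagSession to the tooling role.
      - name: Assume deployment role (account B) with step-1 credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.DEPLOY_ROLE }}
          role-session-name: github-deployment
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600   # role chaining caps the session at one hour

      # Confirm the job now runs as the account-B deployment role.
      - name: Verify caller identity
        run: aws sts get-caller-identity
```

Two points to keep in mind when adopting this. The deployment role's trust policy should name the tooling role's ARN (not the whole of account A) as the principal that may call sts:AssumeRole, so that only that one OIDC-bound role can chain into it. And because session tagging is skipped in step 2, the GitHub context tags that the action attaches by default (repository, actor and so on) are not present on the account-B session, so any aws:PrincipalTag conditions in account B must not rely on them. The one-hour cap on role-duration-seconds applies to every role-chained session and is an AWS STS limit, not something the action can raise.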

@github-actions

github-actions bot commented Feb 9, 2023

⚠️Comment Visibility Warning⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
