Assume Role with OIDC with more than 1 hour #354
Comments
This seems like a bug on GitHub's end. A simple repro is something like this:

```yaml
- uses: aws-actions/configure-aws-credentials@v1
  with:
    region: ***
    role-to-assume: arn:aws:iam::***role/***
- run: aws sts get-caller-identity
- run: sleep 61m
- run: aws sts get-caller-identity
```

The second call will fail with

You can also observe that trying to refresh credentials results in the exact same credentials being given back, e.g. with AWS.jl:

```julia
using AWS
config = global_aws_config()
@show config.credentials.expiry
sleep(5)
check_credentials(config.credentials; force_refresh=true)
@show config.credentials.expiry
```

In an EKS K8s pod with IAM roles via service accounts, the expiry will be updated, as it actually gets new credentials from the EKS provider. Running the same code in an Action where the credentials come from the GH provider results in no new credentials, even after they've expired.
After some further investigation, I think I know the root cause: this action sets credentials as environment variables, and doesn't leave any breadcrumbs for SDKs in future steps to refresh them. When assuming a role via OIDC, it should be saving the WebIdentity token and exporting its path as

Barring error handling/setting the value as secret/properly exporting the variable to future steps, actually getting the token is just:

```bash
export AWS_ROLE_ARN="arn:aws:iam::$AWS_ACCOUNT:role/$AWS_ROLE" # set $AWS_ACCOUNT and $AWS_ROLE yourself
export AWS_WEB_IDENTITY_TOKEN_FILE="$(mktemp)"
curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value > "$AWS_WEB_IDENTITY_TOKEN_FILE"
```
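Added example (not code from this thread, the action, or its maintainers): a shell version of the token fetch in the comment above that fills in the three pieces it leaves out, namely error handling when no token comes back, masking the token in the job log, and exporting `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` to later steps so an SDK can call AssumeRoleWithWebIdentity itself when the cached credentials expire. It assumes the documented Actions runtime variables `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_URL` and `GITHUB_ENV` and the `::add-mask::` workflow command; the function names are my own, and the JSON parsing uses `sed` rather than `jq` so the example runs offline on a constructed response.

```bash
#!/usr/bin/env sh
# Added example: persist the GitHub OIDC token for later workflow steps so the
# AWS SDK can refresh role credentials instead of reusing expired static ones.
set -eu

# Pull the "value" field out of the JSON returned by the Actions ID token
# endpoint. Plain sed, no jq; assumes the token itself contains no double quotes.
extract_token_value() {
  sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Write the token to $1, mask it in the log, and export $2 (role ARN) plus the
# token file path to subsequent steps via GITHUB_ENV. Reads the raw JSON
# response on stdin. Prints the token file path; returns 1 if no token found.
install_web_identity_token() {
  local token_file="$1" role_arn="$2" token
  token="$(extract_token_value)"
  if [ -z "$token" ]; then
    echo "install_web_identity_token: no id token in response" >&2
    return 1
  fi
  # Token file is a credential: owner-readable only.
  ( umask 077; printf '%s' "$token" > "$token_file" )
  # Workflow command: redact the token if anything later echoes it.
  echo "::add-mask::$token"
  # Hand both variables to later steps (GITHUB_ENV is unset outside Actions).
  if [ -n "${GITHUB_ENV:-}" ]; then
    printf 'AWS_ROLE_ARN=%s\nAWS_WEB_IDENTITY_TOKEN_FILE=%s\n' \
      "$role_arn" "$token_file" >> "$GITHUB_ENV"
  fi
  printf '%s\n' "$token_file"
}

# Inside a workflow: request the token for the STS audience and install it.
# -f makes curl fail on an HTTP error so a bad response never yields an empty file.
fetch_and_install() {
  local role_arn="$1" token_file
  token_file="$(mktemp)"
  curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" \
    | install_web_identity_token "$token_file" "$role_arn"
}

# Usage (only when running under Actions with a role ARN argument):
#   sh this_script.sh arn:aws:iam::123456789012:role/example
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${1:-}" ]; then
  fetch_and_install "$1"
fi
```

Later steps then see `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` in their environment, which is the credential-provider path the SDKs refresh through; a step that only inherits `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_SESSION_TOKEN` has nothing to refresh with.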
Ha, just realized that the default session duration for OIDC is 1 hour not 6, it's right in the README. So just make sure your role has a long max session duration and then set

edit: oops, just re-read the original issue contents, looks like you've already done that

I'm not able to reproduce this even when using the simple

Thanks for creating #359 @christopher-dG, it may be the source of the issue. Think we can close this and track that issue instead. If anyone has any reason to believe these are separate issues, ping me and I can look into it
Hi,
I am using an OIDC provider to assume a role with maximum duration set to 8 hours.
I use `role-duration-seconds: 21600` but the credentials expire after 1 hour.
Is it limited to 1 hour?