-
Notifications
You must be signed in to change notification settings - Fork 474
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Credentials obtained through OIDC cannot be refreshed #359
Comments
@christopher-dG Do you know of a way to reproduce a scenario where I would need to refresh my credentials before my role times out? I'd like to get this fixed up but need to reproduce the scenario first |
Start with this action, then |
Oh sorry misunderstood your question. Basically any time that you're running a workflow that takes more than an hour, such as a really long s3 upload or something. |
Thanks @christopher-dG, I'm still unable to reproduce this issue by sleeping (I tried sleeping for four hours, and currently have an action that's sleeping for 7 and a half hours). However, I don't really need to reproduce this to verify that storing the token in a local file is something we can support. It would be great if a community member could submit a PR for this, we might not be able to address this issue on our own soon! |
I'd assumed that the temporary credentials provided by |
@skeggse How you are able to increase the expiration time ?Thanks |
I would love to see Christopher's approach in this action. How about an input: set-web-identity-token-file: true to opt in to this behaviour? |
Giving this more thought this needs more care to be implemented the id token that Github Actions returns is only valid for 300 seconds. Way shorter than the duration of your average IAM Role. So refreshing using |
This action gets credentials by requesting a web identity token and using it directly to generate temporary credentials, and exports those temporary credentials as environment variables. The web identity token itself is not persisted in any way. This means that there's no way for an AWS SDK to refresh the credentials if they expire.
The action should at least be saving the token to a file and exporting its path as
AWS_WEB_IDENTITY_TOKEN_FILE
, that way if the temporary credentials expire, then new ones can be obtained by an AWS SDK (I'm not sure if they'll properly handle throwing away the expired credentials, i.e. a subprocess can't shred environment variables that its parent process has, but maybe something like the CLI would still generate new credentials and just not export them).Ideally we wouldn't obtain any temporary credentials so that the SDKs can handle it all themselves, but that might be an overly breaking change.
I wrote a little workaround action here that I'll be using in case I actually do need indefinitely refreshing credentials.
The text was updated successfully, but these errors were encountered: