Error: Not authorized to perform sts:AssumeRoleWithWebIdentity during OIDC when a PR gets merged into main

Welcome to the world of AWS OIDC (OpenID Connect) authentication and Git workflow! You’re likely here because you’ve encountered the frustrating error: “Not authorized to perform sts:AssumeRoleWithWebIdentity” when a pull request (PR) gets merged into the main branch. Fear not, dear reader, for we’re about to embark on a thrilling adventure to conquer this pesky issue!

What’s happening behind the scenes?

When you set up OIDC authentication with AWS, it allows your GitHub Actions workflow to assume an IAM role and access your AWS resources. Sounds delightful, right? However, when a PR gets merged into the main branch, the OIDC token doesn’t get automatically updated. This leads to the dreaded “Not authorized” error, making your workflow go haywire.

Why does this happen?

The primary reason is that the OIDC token is generated based on the GitHub Actions workflow environment. When a PR gets merged, the environment changes, and the OIDC token becomes invalid. To fix this, we need to refresh the OIDC token and update the IAM role assumption. But how, you ask?

Solution 1: Update the OIDC token using GitHub Actions

One approach is to update the OIDC token using GitHub Actions. We’ll create a new job that runs after the PR merge, updates the OIDC token, and assumes the IAM role. Sounds simple, right?

```yaml
name: Update OIDC Token and Assume Role

on:
  push:
    branches:
      - main

# Required so the job can request an OIDC token from the Actions runtime;
# without it ACTIONS_ID_TOKEN_REQUEST_URL is empty and the exchange fails.
permissions:
  id-token: write
  contents: read

jobs:
  update-oidc-token:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Update OIDC Token
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          ROLE_ARN: ${{ secrets.ROLE_ARN }}
        run: |
          # GITHUB_TOKEN is not an OIDC token; fetch the OIDC JWT with the
          # audience the IAM trust policy expects (sts.amazonaws.com).
          oidc_token=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sts.amazonaws.com" | jq -r '.value')
          # Exchange the JWT for temporary credentials (role-session-name is required).
          creds=$(aws sts assume-role-with-web-identity \
            --role-arn "$ROLE_ARN" \
            --role-session-name "github-${GITHUB_RUN_ID}" \
            --web-identity-token "$oidc_token" \
            --duration-seconds 3600 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text)
          read -r key_id secret session <<< "$creds"
          # Mask the secret parts so they never appear in the job log.
          echo "::add-mask::$secret"
          echo "::add-mask::$session"
          {
            echo "AWS_ACCESS_KEY_ID=$key_id"
            echo "AWS_SECRET_ACCESS_KEY=$secret"
            echo "AWS_SESSION_TOKEN=$session"
            echo "AWS_DEFAULT_REGION=$AWS_REGION"
          } >> "$GITHUB_ENV"

      - name: Assume IAM Role
        run: |
          # The CLI reads the exported credentials; the Arn confirms which role was assumed.
          aws sts get-caller-identity --output text --query 'Arn'
```

In this example, we create a new job `update-oidc-token` that runs on pushes to the `main` branch. The job requests a fresh OIDC token from the Actions runtime, uses the `aws sts assume-role-with-web-identity` command to exchange it for temporary AWS credentials, and stores those credentials in `GITHUB_ENV`. Then, we use the `aws sts get-caller-identity` command to confirm that the IAM role was assumed.

Solution 2: Use a GitHub Actions OIDC Token-Updating Action

Another approach is to use a pre-built GitHub Actions action that updates the OIDC token for you. One such action is `aws-actions/oidc-token-updater`.

```yaml
name: Update OIDC Token and Assume Role

on:
  push:
    branches:
      - main

# Any action that requests a GitHub OIDC token needs this permission.
permissions:
  id-token: write
  contents: read

jobs:
  update-oidc-token:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Update OIDC Token
        uses: aws-actions/oidc-token-updater@v1
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          oidc-provider: ${{ secrets.OIDC_PROVIDER }}
          role-arn: ${{ secrets.ROLE_ARN }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

In this example, we use the `aws-actions/oidc-token-updater` action to update the OIDC token. This action takes care of generating a new token and updating the IAM role assumption for you.

Solution 3: Implement a Custom OIDC Token-Updating Script

If you’re feeling adventurous, you can create a custom script to update the OIDC token. This approach requires more effort, but it gives you complete control over the token-updating process.

```yaml
name: Update OIDC Token and Assume Role

on:
  push:
    branches:
      - main

permissions:
  id-token: write   # needed to request the GitHub OIDC token
  contents: read

jobs:
  update-oidc-token:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Update OIDC Token
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          ROLE_ARN: ${{ secrets.ROLE_ARN }}
        run: |
          # Custom script to update OIDC token and assume IAM role
          # 1. Request the OIDC JWT from the Actions runtime (GITHUB_TOKEN is not one).
          jwt=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sts.amazonaws.com" | jq -r '.value')

          # 2. Call STS directly. AssumeRoleWithWebIdentity needs no SigV4 signature,
          #    but Version and RoleSessionName are mandatory; the reply is XML.
          response=$(curl -sS -X POST "https://sts.${AWS_REGION}.amazonaws.com/" \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'Action=AssumeRoleWithWebIdentity' \
            --data-urlencode 'Version=2011-06-15' \
            --data-urlencode "RoleArn=${ROLE_ARN}" \
            --data-urlencode "RoleSessionName=github-${GITHUB_RUN_ID}" \
            --data-urlencode "WebIdentityToken=${jwt}" \
            --data-urlencode 'DurationSeconds=3600')

          # 3. Extract the credential elements from the XML and export them.
          extract() { sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" <<< "$response"; }
          key_id=$(extract AccessKeyId)
          secret=$(extract SecretAccessKey)
          session=$(extract SessionToken)
          # An empty AccessKeyId means STS returned an error document; surface it and stop.
          [ -n "$key_id" ] || { echo "$response" >&2; exit 1; }
          echo "::add-mask::$secret"
          echo "::add-mask::$session"
          {
            echo "AWS_ACCESS_KEY_ID=$key_id"
            echo "AWS_SECRET_ACCESS_KEY=$secret"
            echo "AWS_SESSION_TOKEN=$session"
            echo "AWS_DEFAULT_REGION=$AWS_REGION"
          } >> "$GITHUB_ENV"

      - name: Assume IAM Role
        run: |
          aws sts get-caller-identity --output text --query 'Arn'
```

In this example, we create a custom script that fetches the GitHub OIDC token, exchanges it for temporary credentials by calling STS directly with the `curl` command, exports those credentials, and then confirms the assumed IAM role. You can customize this script to fit your specific requirements.

Conclusion

There you have it, folks! Three solutions to conquer the “Not authorized to perform sts:AssumeRoleWithWebIdentity” error when a PR gets merged into the main branch. Choose the approach that best fits your needs, and you’ll be back to deploying your AWS resources in no time.

Remember, OIDC authentication with AWS requires careful setup and maintenance. By understanding how OIDC tokens work and implementing one of these solutions, you’ll be well on your way to a seamless GitHub Actions workflow.

FAQs

Q: What is OIDC authentication?

A: OIDC (OpenID Connect) is an authentication protocol that allows your GitHub Actions workflow to access AWS resources. It provides a secure way to authenticate with AWS using an identity token.

Q: Why do I need to update the OIDC token?

A: The OIDC token is generated based on the GitHub Actions workflow environment. When a PR gets merged, the environment changes, and the OIDC token becomes invalid. Updating the token ensures that your workflow can continue accessing AWS resources.

Q: Can I use a different authentication method?

A: Yes, you can use other authentication methods, such as AWS access keys or IAM roles. However, OIDC authentication provides a more secure and scalable way to access AWS resources.

| Solution | Pros | Cons |
| --- | --- | --- |
| Update OIDC token using GitHub Actions | Easy to implement, flexible | Requires custom scripting, may require maintenance |
| Use a GitHub Actions OIDC token-updating action | Easy to implement, less maintenance | Limited customization options, dependencies on third-party actions |
| Implement a custom OIDC token-updating script | Highly customizable, flexible | Requires advanced scripting knowledge, more maintenance |

We hope this article has helped you resolve the “Not authorized to perform sts:AssumeRoleWithWebIdentity” error and improve your GitHub Actions workflow. Happy deploying!

Frequently Asked Questions

Are you tired of encountering the frustrating “Error: Not authorized to perform sts:AssumeRoleWithWebIdentity” when a PR gets merged into main during OIDC? Worry not, dear dev, for we’ve got the solutions to your problems!

What is the main reason behind this error?

The main reason behind this error is that the OIDC provider (such as GitHub or GitLab) does not have the necessary permissions to assume the IAM role. This is often due to incorrect configuration or missing permissions in the OIDC provider.

How do I troubleshoot this error?

To troubleshoot this error, check the OIDC provider configuration to ensure that the necessary permissions are granted. Verify that the IAM role is correctly configured and that the OIDC provider has the necessary trust relationship with the IAM role. You can also check the AWS CloudTrail logs to see if there are any errors or issues with the assume role request.
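The trust-relationship check from the troubleshooting answer above, applied to the PR-merged-to-main case from the "Why does this happen?" section, as an added example that is not part of the original article: a small Python evaluator that applies a role trust policy's `aud`/`sub` conditions to the claims carried in a GitHub OIDC token. The policy, account id and repository are constructed; the `sub` formats are the ones GitHub issues, `repo:ORG/REPO:pull_request` for pull-request runs and `repo:ORG/REPO:ref:refs/heads/main` for pushes to `main`, which is why a trust policy written for PR runs alone stops matching once the merge lands.

```python
import copy
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

# Constructed trust policy (hypothetical account id and repo) that only admits
# pull_request runs: the shape that fails as soon as the PR is merged to main.
TRUST_POLICY_PR_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{ISSUER}:sub": "repo:example-org/example-repo:pull_request"},
        },
    }],
}

# Constructed claim sets mirroring the sub values GitHub issues for each event type.
PR_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:pull_request"}
MAIN_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:ref:refs/heads/main"}

def _matches(operator, expected, actual):
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":  # IAM wildcards: * and ?
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported condition operator {operator}")

def trust_policy_allows(policy, claims):
    """True if some Allow statement's conditions all match the token's claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        if all(_matches(op, exp, claims.get(key.split(":", 1)[1], ""))
               for op, keys in conditions.items() for key, exp in keys.items()):
            return True
    return False

def allow_sub(policy, sub_pattern):
    """Return a copy of the policy whose sub condition also admits sub_pattern."""
    fixed = copy.deepcopy(policy)
    like, key = fixed["Statement"][0]["Condition"]["StringLike"], f"{ISSUER}:sub"
    like[key] = (like[key] if isinstance(like[key], list) else [like[key]]) + [sub_pattern]
    return fixed
```

Run `trust_policy_allows` with the PR claims and then the main-branch claims to reproduce the allow/deny pair, then re-run after `allow_sub` has added the `ref:refs/heads/main` subject.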

What are the necessary permissions required for OIDC providers?

The OIDC provider requires the “sts:AssumeRoleWithWebIdentity” permission to assume the IAM role. Additionally, the OIDC provider may also require other permissions such as “sts:GetFederationToken” and “sts:GetSessionToken”. It’s essential to check the AWS documentation for the specific permissions required for your use case.

How do I configure the OIDC provider for AWS?

To configure the OIDC provider for AWS, you need to create an OIDC provider in AWS IAM and configure the provider with the necessary details such as the issuer URL, client ID, and client secret. You will also need to create a trust relationship between the OIDC provider and the IAM role. AWS provides detailed documentation on how to configure OIDC providers for different providers such as GitHub and GitLab.

Are there any best practices to avoid this error?

Yes, there are several best practices to avoid this error. Firstly, ensure that the OIDC provider is correctly configured and has the necessary permissions. Secondly, use a least privilege approach when configuring the IAM role and OIDC provider. Finally, regularly review and test your OIDC provider configuration to ensure it’s working as expected.