Configuring AWS credentials not authorized to perform sts:AssumeRoleWithWebIdentity

Summary

The GitHub Actions workflow failed to assume an AWS IAM role because the role’s trust policy did not match the token issued by the GitHub OIDC provider. Although the role allowed sts:AssumeRoleWithWebIdentity, the audience and subject conditions in the trust policy did not match the aud and sub claims carried by the GitHub Actions OIDC token.

Root Cause

  • Mismatched Audience: The audience in the GitHub Actions configuration (sts.amazonaws.com:oidc:GitHub:MyOrganisationName/my-org-repository) did not align with the token.actions.githubusercontent.com:aud condition in the trust policy.
  • Incorrect Subject Condition: The token.actions.githubusercontent.com:sub condition in the trust policy was too restrictive (repo:MyOrganisationName/my-org-repository:ref:refs/heads/main), limiting it to the main branch only.

Why This Happens in Real Systems

  • OIDC Token Validation: AWS verifies the OIDC token’s claims against the trust policy conditions. If claims do not match, AWS denies the AssumeRoleWithWebIdentity request.
  • Configuration Drift: Manual or automated changes to the trust policy or GitHub Actions configuration can introduce mismatches without immediate detection.

Real-World Impact

  • Deployment Failures: Continuous deployment pipelines halt, delaying releases and affecting service availability.
  • Security Risks: Overly permissive trust policies can expose roles to unauthorized access, while overly restrictive policies block legitimate workflows.

Example

```yaml
# Corrected trust policy (shown in YAML; IAM stores the equivalent JSON document)
Trust:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Action: sts:AssumeRoleWithWebIdentity
      Principal:
        # The GitHub OIDC provider registered in the account
        Federated: arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com
      Condition:
        StringEquals:
          # Must equal the audience GitHub Actions requests for the token
          token.actions.githubusercontent.com:aud: sts.amazonaws.com
        StringLike:
          # Matches any branch or environment of this repository, not only main
          token.actions.githubusercontent.com:sub: repo:MyOrganisationName/my-org-repository:*
```

How Senior Engineers Fix It

  • Validate Audience: Ensure the audience in GitHub Actions matches the aud condition in the trust policy.
  • Relax Subject Condition: Use repo:MyOrganisationName/my-org-repository:* to allow all branches and environments.
  • Automate Policy Checks: Integrate policy validation into CI/CD pipelines to detect mismatches early.
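As an added example (not code from the original post), the following Python check evaluates the trust policy's StringEquals and StringLike conditions against the claims of a GitHub Actions token the way AWS does, so a pipeline can flag the aud and sub mismatches described above before the workflow runs. It assumes the JSON form of the policy shown on this page and models only Allow statements with string operators (no Deny, no IfExists variants).

```python
import fnmatch

ACCOUNT_ID = "123456123456"  # account id from the page's example policy
PROVIDER = "token.actions.githubusercontent.com"

def trust_policy(sub_pattern):
    """Build the page's trust policy as the JSON document IAM stores, parameterised on
    the sub condition so the main-only and the corrected wildcard versions compare."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"},
            "Condition": {
                "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{PROVIDER}:sub": sub_pattern},
            },
        }],
    }

MAIN_ONLY_POLICY = trust_policy("repo:MyOrganisationName/my-org-repository:ref:refs/heads/main")
CORRECTED_POLICY = trust_policy("repo:MyOrganisationName/my-org-repository:*")

def _condition_holds(operator, expected, actual):
    """One IAM string operator; a list of expected values is OR-ed, as IAM does."""
    candidates = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in candidates
    if operator == "StringLike":  # IAM wildcards: '*' any run, '?' one character
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in candidates)
    raise ValueError(f"operator {operator} not modelled here")

def failing_conditions(policy, claims):
    """Return [(operator, condition_key)] for every condition the token claims do not
    satisfy in the AssumeRoleWithWebIdentity statements; [] means AWS would allow it."""
    failures = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                claim = key.split(":", 1)[1]  # "<provider>:sub" -> token claim "sub"
                actual = claims.get(claim)
                if actual is None or not _condition_holds(operator, expected, actual):
                    failures.append((operator, key))
    return failures
```

Note that the wildcard sub also matches tag pushes and pull_request subjects for the repository, so scope it to the branches or environments that actually deploy once the pipeline is unblocked.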

Why Juniors Miss It

  • Lack of OIDC Understanding: Juniors may not grasp how the claims in an OIDC token interact with the conditions in a trust policy.
  • Overlooking Conditions: They focus on the permission (sts:AssumeRoleWithWebIdentity) without verifying the trust policy’s conditions.
  • Branch-Specific Assumptions: They assume a condition scoped to the main branch applies to every branch and environment.
