Could not load credentials from any providers

I have already checked related issues #202 and #188, but in my case I am not using Dependabot.

This is my pipeline.yaml truncated till this action:

name: My Deployment
on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ap-southeast-1
          role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
          role-session-name: GitHubActions
      
        ....

This is my trust relationship for that role:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}

This is my OIDC provider setup in IAM:

[image]

And this is the error:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ap-southeast-1
    role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
    role-session-name: GitHubActions
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

I am not using a self-hosted runner

What am I doing wrong? Maybe the audience?

Thanks

UPDATE:

It seems like this method returns false, because you do not validate credentials in the assumeRole method:

    const useGitHubOIDCProvider = () => {
        // The assumption here is that self-hosted runners won't be populating the `ACTIONS_ID_TOKEN_REQUEST_TOKEN`
        // environment variable and they won't be providing a web idenity token file or access key either.
        // V2 of the action might relax this a bit and create an explicit precedence for these so that customers
        // can provide as much info as they want and we will follow the established credential loading precedence.
        return roleToAssume && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && !accessKeyId && !webIdentityTokenFile
    }

Honestly, I cannot find a way to echo this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN.

UPDATE 2:

OK, this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set. I am not sure why it is not there, and also I cannot find much information about it.

I am willing to submit a PR if needed.

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 15
  • Comments: 56 (7 by maintainers)

Top GitHub Comments

140 reactions
androidwiltron commented, Sep 30, 2021

So I think there is an undocumented permissions thing you need to use in your workflow to get it:

permissions:
  id-token: write
  contents: read

try that

15 reactions
idelfonsog2 commented, Jan 13, 2022

Seems to be true about defining the permissions for the configuration step.

If you follow https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services it will help.

I was having the same issue; after pushing 20 commits to try different things, it worked 😅

The steps:

  1. Configure the Identity Provider in the IAM AWS console (use the info in the link)
  2. Create a new role that includes the identity provider <---- important
  3. Define the permissions in your YAML file (like below)
  4. Add the role’s ARN (not the OIDC arn) to the configuration step in the YAML

name: AWS Lambda

on:
  workflow_dispatch:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:....
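
A diagnostic sketch of the check discussed in this thread, as an added example that is not part of the original issue or the action's own code: it mirrors the quoted `useGitHubOIDCProvider` condition and names the part that failed, testing values only for presence so the token is never printed. The helper name `diagnoseOidc`, its input object and the sample values are assumptions; `ACTIONS_ID_TOKEN_REQUEST_URL` is the companion variable GitHub sets alongside the token and is reported but not part of the quoted condition.

```javascript
// Added example (not the action's own code). diagnoseOidc is a hypothetical helper.
// It mirrors the condition in useGitHubOIDCProvider() quoted in the issue and names
// the part that failed. Values are only tested for presence, never printed.
const present = (v) => typeof v === 'string' && v.length > 0;

function diagnoseOidc(inputs, env) {
  const hasToken = present(env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
  const hasUrl = present(env.ACTIONS_ID_TOKEN_REQUEST_URL);
  const reasons = [];
  if (!present(inputs.roleToAssume)) {
    reasons.push('role-to-assume is empty');
  }
  if (!hasToken) {
    reasons.push('ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set; per the comments above, ' +
      'add "permissions: id-token: write" to the workflow');
  }
  if (present(inputs.accessKeyId)) {
    reasons.push('aws-access-key-id is set, so the OIDC path is skipped');
  }
  if (present(inputs.webIdentityTokenFile)) {
    reasons.push('web-identity-token-file is set, so the OIDC path is skipped');
  }
  // Same boolean as the quoted check: every condition must hold.
  return { useOidc: reasons.length === 0, hasToken, hasUrl, reasons };
}

// Constructed sample: the job from the issue (role set, no id-token permission).
const issueJob = diagnoseOidc(
  { roleToAssume: 'arn:aws:iam::000000000000:role/example-role' },
  {}
);
// Constructed sample: same inputs once the runner injects the request variables.
const fixedJob = diagnoseOidc(
  { roleToAssume: 'arn:aws:iam::000000000000:role/example-role' },
  {
    ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed-placeholder',
    ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/oidc',
  }
);

console.log('issue job:', issueJob.useOidc, issueJob.reasons);
console.log('fixed job:', fixedJob.useOidc, fixedJob.reasons);
```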