
Output aws-account-id Wrong with role-chaining: true #911

Open
eabrouwer3 opened this issue Nov 7, 2023 · 2 comments
Labels
bug Something isn't working p2

Comments

@eabrouwer3

Describe the bug

We have a custom action in our private org to get AWS creds for any of our AWS accounts. We first assume the primary role with all permissions and then we use that role to assume a role in the specific account to run code deploys. It looks like this:

name: 'Configure AWS for Deploy'
description: 'Authenticate to the Deployment role for a given AWS account'
inputs:
  target-account:
    description: 'Target AWS account to use'
    required: true
outputs:
  aws-account-id:
    description: 'The AWS account ID of the target account'
    value: ${{ steps.second-auth.outputs.aws-account-id }}
runs:
  using: "composite"
  steps:
    - name: Get Target Account Details
      id: aws-deets
      uses: private-org/get-aws-account-details-action@v1
      with:
        account-name: ${{ inputs.target-account }}
    - name: OIDC to AWS
      uses: aws-actions/configure-aws-credentials@v4
      id: first-auth
      with:
        role-to-assume: 'arn:aws:iam::123456789012:role/gha_oidc_assume_role'
        aws-region: us-east-1
    - name: DEBUG BEFORE
      run: echo "AWS Account: ${{ steps.first-auth.outputs.aws-account-id }}"  # "AWS Account: 123456789012"
      shell: bash
    - name: Assume deployment role for account
      uses: aws-actions/configure-aws-credentials@v4
      id: second-auth
      with:
        aws-region: us-east-1
        role-to-assume: arn:aws:iam::${{ steps.aws-deets.outputs.accountId }}:role/deployment-role
        role-chaining: true
        role-skip-session-tagging: true
        role-duration-seconds: 3600
    - name: DEBUG AFTER
      run: echo "AWS Account: ${{ steps.second-auth.outputs.aws-account-id }}"  # "AWS Account: 123456789012" <-- Expected ${{ steps.aws-deets.outputs.accountId }}
      shell: bash

Expected Behavior

The "DEBUG AFTER" should print out the account ID of the deployment role. And the action output aws-account-id should match that role's account.

Current Behavior

The "DEBUG AFTER" prints out the account ID of the GHA OIDC role, the same thing that the "DEBUG BEFORE" step prints out. And the aws-account-id output from the action matches that first account ID.

Reproduction Steps

on: push

jobs:
  auth-with-account:
    runs-on: ubuntu-latest
    permissions:
      id-token: write

    steps:
      - name: OIDC to AWS
        uses: aws-actions/configure-aws-credentials@v4
        id: first-auth
        with:
          aws-region: us-east-1
          role-to-assume: 'arn:aws:iam::123456789012:role/gha_oidc_assume_role'
      - name: DEBUG BEFORE
        run: echo "AWS Account: ${{ steps.first-auth.outputs.aws-account-id }}"  # "AWS Account: 123456789012"
      - name: Assume deployment role for account
        uses: aws-actions/configure-aws-credentials@v4
        id: second-auth
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::987654321098:role/deployment-role
          role-chaining: true
          role-skip-session-tagging: true
      - name: DEBUG AFTER
        run: echo "AWS Account: ${{ steps.second-auth.outputs.aws-account-id }}"  # "AWS Account: 123456789012" <-- Expected "AWS Account: 987654321098"

Possible Solution

I'm wondering if the fact that we're calling exportAccountId twice is causing issues. Or that it's not picking up the new session when we call it at the very end of the action after assuming the role.

We call it here for both calls to the action, and we call it here when we're using role-chaining or passing creds through.

Additional Information/Context

No response

@eabrouwer3 eabrouwer3 added bug Something isn't working needs-triage This issue still needs to be triaged labels Nov 7, 2023
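Because the action's aws-account-id output cannot be relied on here, a deploy job can verify for itself which account the chained session actually landed in by querying STS and failing the step on a mismatch. This is an added example, not code from the issue author or from the aws-actions project; it assumes jq is not available on the runner (so the JSON is parsed with sed), and the function names and the sample identity document are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the account of a chained role session independently of
# the configure-aws-credentials aws-account-id output. Helper names are hypothetical.

# Extract the 12-digit account ID from an IAM or STS ARN, e.g.
# arn:aws:sts::987654321098:assumed-role/deployment-role/GitHubActions
account_from_arn() {
  printf '%s' "$1" | sed -n 's/^arn:aws:[a-z]*::\([0-9]\{12\}\):.*$/\1/p'
}

# Extract the "Account" field from `aws sts get-caller-identity --output json`
# without jq; prints nothing if the field is absent.
account_from_caller_identity() {
  printf '%s' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Compare the account STS reports against the target the job expected.
# Returns 0 on match, 1 otherwise (so a workflow step fails on mismatch).
check_target_account() {
  expected="$1"
  actual="$2"
  if [ -n "$actual" ] && [ "$expected" = "$actual" ]; then
    echo "OK: session is in account $actual"
    return 0
  fi
  echo "MISMATCH: expected account $expected, session is in ${actual:-<unknown>}" >&2
  return 1
}

# Constructed sample of get-caller-identity output after the second assume-role
# (the case from the issue: deployment role in account 987654321098).
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:GitHubActions",
    "Account": "987654321098",
    "Arn": "arn:aws:sts::987654321098:assumed-role/deployment-role/GitHubActions"
}'

# In a real workflow step, replace SAMPLE_IDENTITY with:
#   IDENTITY="$(aws sts get-caller-identity --output json)"
# and pass the target account ID from the earlier step's output.
ACTUAL="$(account_from_caller_identity "$SAMPLE_IDENTITY")"
check_target_account "987654321098" "$ACTUAL"
```

Run as a `shell: bash` step right after the second configure-aws-credentials step; a non-zero exit stops the deploy before any command runs against the wrong account.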
@tim-finnigan
Contributor

Thanks for reporting this issue. Role-chaining was just added in https://github.com/aws-actions/configure-aws-credentials/pull/688/files a few months ago and this may have been something that was missed.

@tim-finnigan tim-finnigan added p2 and removed needs-triage This issue still needs to be triaged labels Nov 26, 2023
@andrew-wiggins

andrew-wiggins commented Mar 6, 2024

My team came across this bug as well and after some testing it seems to be working as expected in main but not in a tagged version (e.g. v4 or v4.0.2) 🤔

@tim-finnigan do you think we could cut a new tagged version release with the latest main in it?
