Github-Actions - Unable to Assume secondary role_arn from workflow #316

Closed
iamajaz opened this issue Apr 3, 2023 · 2 comments
Comments

@iamajaz

iamajaz commented Apr 3, 2023

Description

AWS Account Information:

  • Got two AWS Accounts, Account1 and Account2
  • OIDC Role (OIDC_ROLE) present in Account 1
    • Authorizes Github Workflow to create resources in Account 1
  • IAM Role (BUILDS_ROLE) present in Account 2
    • Authorizes Github workflow to assume the role and create State files and DynamoDB lock in Account 2

Github Workflow:

  • My GitHub workflow has two roles ("OIDC_ROLE" & "BUILDS_ROLE") as mentioned above.
      - name: Configure AWS credentials from Primary AWS account
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.OIDC_ROLE }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          role-session-name: GitHub-Actions-Builds-OIDC-Terraform

      - name: Setup Terraform Backend on the fly
        working-directory: ${{ env.WORKING_DIR }}
        id: backend
        run: |
          cat > backend.tf << EOF
          terraform {
            backend "s3" {
              bucket         = "${{ env.BUCKET_NAME }}"
              key            = "${{ env.STATE_PREFIX }}/${{ env.AWS_DEFAULT_REGION }}/policies.tfstate"
              role_arn       = "${{ env.BUILDS_ROLE }}"
              region         = "${{ env.AWS_DEFAULT_REGION }}"
              dynamodb_table = "${{ env.DYNAMODB_TABLE }}"
            }
          }
          EOF

      - name: Terraform Init
        working-directory: ${{ env.WORKING_DIR }}
        id: init
        run: |
          git config --global url."https://oauth2:$token@github.com/chargebee/cb-tf-modules.git".insteadOf "ssh://git@github.com/chargebee/cb-tf-modules.git"
          terraform init --reconfigure
        env: 
          token: ${{ secrets.CI_GITHUB_READ_ONLY_TOKEN }}

Issue:

  • The step "Configure AWS credentials from Primary AWS account" works as expected.
  • However, the step "Terraform Init" fails, as my GitHub Actions workflow is unable to assume the BUILDS_ROLE.

Error:

╷
│ Error: error configuring S3 Backend: IAM Role (arn:aws:iam::123427971234:role/builds-terraform-backend-assume-role) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

What I did

  • In the trust policy of the "builds-terraform-backend-assume-role" / BUILDS_ROLE, I've added the role to trust any incoming connections from Account 1.
  • My organization name here is mentioned as sampler-terra and the repository is templates.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::678927976789:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Desired Output:

  • For the BUILDS_ROLE IAM to be assumed by terraform init, plan and apply when backend is configured.
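The backend error above lists "credentials do not have appropriate permission to assume the role" as one possible cause, and a trust policy that names an account root, as the one pasted here does, admits a principal from that account only if the principal's own identity policy also grants sts:AssumeRole on the target. The following is an added example, not code from the issue, the setup-terraform action or Terraform: a small evaluator of both halves of that cross-account check, run against the trust policy from the issue. The OIDC_ROLE name, the session ARN it produces and the two identity policies attached to it are assumptions, since the issue does not show them.

```python
"""Role-chaining check for the OIDC_ROLE -> BUILDS_ROLE setup described in the issue.

Added example, not code from the issue, setup-terraform or Terraform. The trust
policy is the one pasted in the issue; the OIDC role name and the identity
policies are assumptions used to exercise the check.
"""
import re

# Account IDs as they appear in the issue.
ACCOUNT1 = "678927976789"   # Account 1: holds OIDC_ROLE and the GitHub OIDC provider
ACCOUNT2 = "123427971234"   # Account 2: holds BUILDS_ROLE (the S3 backend role_arn)
BUILDS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT2}:role/builds-terraform-backend-assume-role"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT1}:oidc-provider/token.actions.githubusercontent.com"
# Assumption: the issue never shows OIDC_ROLE's ARN, so a placeholder role name is used.
OIDC_SESSION_ARN = f"arn:aws:sts::{ACCOUNT1}:assumed-role/OIDC_ROLE/GitHub-Actions-Builds-OIDC-Terraform"

# Trust policy of BUILDS_ROLE, copied from the issue.
BUILDS_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT1}:root"]},
     "Action": "sts:AssumeRole", "Condition": {}},
    {"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER_ARN},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringLike": {
         "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
         "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}},
]}

# Assumed identity policies attached to OIDC_ROLE (not shown in the issue).
OIDC_ROLE_POLICY_NO_CHAIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}
OIDC_ROLE_POLICY_WITH_CHAIN = {"Version": "2012-10-17", "Statement": [
    *OIDC_ROLE_POLICY_NO_CHAIN["Statement"],
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": BUILDS_ROLE_ARN}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _glob(pattern, value):
    """IAM wildcard matching for StringLike, Action and Resource: '*' any run, '?' one char."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def session_to_role_arn(arn):
    """arn:aws:sts::acct:assumed-role/Name/session -> arn:aws:iam::acct:role/Name."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def aws_principal_matches(allowed, caller_arn):
    """An account-root ARN (or bare account id) admits every IAM principal of that
    account, which is why the caller still needs its own sts:AssumeRole grant;
    any other entry must equal the caller's role ARN exactly."""
    role_arn = session_to_role_arn(caller_arn)
    account = role_arn.split(":")[4]
    return any(p in ("*", account, f"arn:aws:iam::{account}:root", role_arn)
               for p in _as_list(allowed))


def conditions_hold(cond, claims):
    """Evaluate StringEquals/StringLike condition blocks against token claims."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            actual = claims.get(key)
            if actual is None or not any(
                    _glob(e, actual) if op == "StringLike" else e == actual
                    for e in _as_list(expected)):
                return False
    return True


def trust_policy_allows(policy, action, caller_arn=None, claims=None):
    """Index of the first Allow statement admitting the caller, or None."""
    claims = claims or {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        principal = stmt["Principal"]
        if action == "sts:AssumeRole":
            if caller_arn is None or not aws_principal_matches(principal.get("AWS", []), caller_arn):
                continue
        elif action == "sts:AssumeRoleWithWebIdentity":
            if claims.get("iss_arn") not in _as_list(principal.get("Federated", [])):
                continue
        else:
            continue
        if conditions_hold(stmt.get("Condition", {}), claims):
            return i
    return None


def identity_policy_allows(policy, action, resource):
    """Does the caller's own policy grant `action` on `resource`? (Deny not modelled.)"""
    return any(stmt.get("Effect") == "Allow"
               and any(_glob(a, action) for a in _as_list(stmt["Action"]))
               and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
               for stmt in policy["Statement"])


def role_chain_check(caller_session_arn, caller_policy, target_role_arn, target_trust):
    """The backend's role_arn assumption needs both halves: the target's trust policy
    must admit the caller, and the caller's identity policy must grant
    sts:AssumeRole on the target. Returns (ok, reason)."""
    if trust_policy_allows(target_trust, "sts:AssumeRole", caller_arn=caller_session_arn) is None:
        return False, "target trust policy does not admit caller"
    if not identity_policy_allows(caller_policy, "sts:AssumeRole", target_role_arn):
        return False, "caller identity policy lacks sts:AssumeRole on target role"
    return True, "ok"


if __name__ == "__main__":
    for name, pol in (("no chain grant", OIDC_ROLE_POLICY_NO_CHAIN),
                      ("with chain grant", OIDC_ROLE_POLICY_WITH_CHAIN)):
        print(name, role_chain_check(OIDC_SESSION_ARN, pol, BUILDS_ROLE_ARN, BUILDS_ROLE_TRUST))
```

This only models the two IAM policy halves of the first error line. The second line, NoCredentialProviders, is the AWS SDK reporting that it found no base credentials in its chain at all, which no policy change fixes; running `aws sts get-caller-identity` in the same workflow step as `terraform init` shows whether the OIDC session credentials are actually visible to that step before the policies are examined.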
@bflad
Member

bflad commented Nov 29, 2023

Hi @iamajaz 👋 Thank you for raising this and sorry you are running into trouble here. Please note that this GitHub repository's issue tracker is only used for feature requests and bug reports for the setup-terraform GitHub action itself. Since this appears to be a Terraform S3 backend question, my best recommendation would be to submit a topic in the Terraform section of HashiCorp Discuss, where there are many more people asking and answering usage questions such as these.

@bflad bflad closed this as not planned Nov 29, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024