AWS Account Information:
- Got two AWS accounts, Account 1 and Account 2
- OIDC role (OIDC_ROLE) present in Account 1
- Authorizes the GitHub workflow to create resources in Account 1
- IAM role (BUILDS_ROLE) present in Account 2
- Authorizes the GitHub workflow to assume the role and create state files and the DynamoDB lock in Account 2
Github Workflow:
- My GitHub workflow has the two roles ("OIDC_ROLE" and "BUILDS_ROLE") mentioned above:
- name: Configure AWS credentials from Primary AWS account
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: ${{ env.OIDC_ROLE }}
    aws-region: ${{ env.AWS_DEFAULT_REGION }}
    role-session-name: GitHub-Actions-Builds-OIDC-Terraform
- name: Setup Terraform Backend on the fly
  working-directory: ${{ env.WORKING_DIR }}
  id: backend
  run: |
    cat > backend.tf << EOF
    terraform {
      backend "s3" {
        bucket         = "${{ env.BUCKET_NAME }}"
        key            = "${{ env.STATE_PREFIX }}/${{ env.AWS_DEFAULT_REGION }}/policies.tfstate"
        role_arn       = "${{ env.BUILDS_ROLE }}"
        region         = "${{ env.AWS_DEFAULT_REGION }}"
        dynamodb_table = "${{ env.DYNAMODB_TABLE }}"
      }
    }
    EOF
- name: Terraform Init
  working-directory: ${{ env.WORKING_DIR }}
  id: init
  run: |
    git config --global url."https://oauth2:$token@github.com/chargebee/cb-tf-modules.git".insteadOf "ssh://git@github.com/chargebee/cb-tf-modules.git"
    terraform init --reconfigure
  env:
    token: ${{ secrets.CI_GITHUB_READ_ONLY_TOKEN }}
Issue:
- The step "Configure AWS credentials from Primary AWS account" works as expected.
- However, the step "Terraform Init" fails, as my GitHub Actions workflow is unable to assume the BUILDS_ROLE.
Error:
╷
│ Error: error configuring S3 Backend: IAM Role (arn:aws:iam::123427971234:role/builds-terraform-backend-assume-role) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
What I did
- In the trust policy of the "builds-terraform-backend-assume-role" / BUILDS_ROLE, I've added the role to trust any incoming connections from Account 1.
- My organization name here is sampler-terra and the repository is templates.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::678927976789:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
Desired Output:
- For the BUILDS_ROLE IAM role to be assumed by GitHub Actions
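An added example (not from the question or any answer) that evaluates the trust policy posted above offline: it checks which of its two statements would admit a given caller, a role session from Account 1 calling sts:AssumeRole or a GitHub OIDC token calling sts:AssumeRoleWithWebIdentity. The caller dicts and their "claims" keys are this example's own constructed model; the `repo:<org>/<repo>:ref:refs/heads/<branch>` value is the standard shape of GitHub's `sub` claim.

```python
import re

# Trust policy as posted in the question, as a Python dict (account ids are the question's sample values).
TRUST_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {},
         "Principal": {"AWS": ["arn:aws:iam::678927976789:root"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
         "Principal": {"Federated": "arn:aws:iam::678927976789:oidc-provider/token.actions.githubusercontent.com"},
         "Condition": {"StringLike": {
             "token.actions.githubusercontent.com:sub": "repo:sampler-terra/templates:*",
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}},
    ],
}

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one, the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def principal_matches(principal: dict, caller: dict) -> bool:
    """caller (constructed model) = {"type": "AWS"|"Federated", "account"/"arn" or "provider", "claims"}.
    An account-root AWS principal admits any IAM principal of that account; Federated must name the provider."""
    if caller["type"] == "AWS":
        entries = principal.get("AWS", [])
        entries = [entries] if isinstance(entries, str) else entries
        return f"arn:aws:iam::{caller['account']}:root" in entries or caller.get("arn") in entries
    return principal.get("Federated") == caller.get("provider")

def conditions_hold(condition: dict, claims: dict) -> bool:
    """StringLike/StringEquals over the caller's claims; any other operator fails closed."""
    for operator, tests in condition.items():
        for key, pattern in tests.items():
            value = claims.get(key, "")
            if operator == "StringLike" and string_like(pattern, value):
                continue
            if operator == "StringEquals" and pattern == value:
                continue
            return False
    return True

def trusted(policy: dict, action: str, caller: dict) -> bool:
    """True when an Allow statement admits the caller for the action (the posted policy has no Deny)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions \
                and principal_matches(stmt["Principal"], caller) \
                and conditions_hold(stmt.get("Condition", {}), caller.get("claims", {})):
            return True
    return False
```

A trust policy match is only half of a cross-account AssumeRole: the calling role's own identity policy must also allow sts:AssumeRole on the target role ARN. A Federated principal must also name an OIDC provider registered in the same account as the role.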