
I think this is a silly question but I cannot find its answer on the internet. I have tried many things but nothing works.

I get the below error.

And this is my deploy.yml file.

```yaml
name: Deploy to production

on:
  push:
    branches: [ "main" ]

jobs:

  build:
    name: Build image
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ap-south-1
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build, tag, and push docker image to Amazon ECR
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: simplebank
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
```

Thanks

Edit

On the Amazon Elastic Container Registry permissions, I have added the below policy but it is still not working.

Answer

I have removed role-to-assume from the deploy.yml file and used v1 with secret keys, and it works fine. But I still want an answer with role-to-assume.

Girish Bhutiya
  • The error is clear. You have no permissions to assume `secrets.AWS_ROLE_TO_ASSUME`? Who created that role? What IAM user/role do you use to assume the `secrets.AWS_ROLE_TO_ASSUME`? – Marcin Apr 06 '23 at 06:13
  • When you're using an AWS key and secret, why do you need to use a role? – Haridarshan Apr 06 '23 at 06:19
  • I have created everything from a single user and I have added my user in role-to-assume. I have tried v1 for authentication, which requires secret keys, but it also failed. – Girish Bhutiya Apr 06 '23 at 06:29
  • To assume a role you need to add the policy under the role's Trust relationships, not the role's policy. – furydrive Apr 06 '23 at 09:41
  • For assume role to work, you will need to configure the GitHub OIDC provider in AWS and will have to attach the role to the Identity Provider. Ref. [OpenID Connect in AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) – Haridarshan Apr 06 '23 at 13:39
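The last two comments point at the missing piece: the role's trust relationship must trust the GitHub OIDC provider and be scoped to the calling repository. As an added example that is not part of the question or any comment, the Python below builds such a trust policy and lints one for the conditions that stop other repositories from assuming the role; the account id, org and repository names are placeholders.

```python
"""Added example, not from the question or the commenters: build the trust policy a
GitHub Actions OIDC role needs and lint one for over-broad conditions.
Account id, org and repo names below are placeholders."""
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"


def github_oidc_trust_policy(account_id, owner, repo, branch="main"):
    """Trust only workflows on owner/repo at the given branch: 'aud' pins the
    audience configure-aws-credentials requests, 'sub' pins the repo and ref."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated":
                f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                AUD_KEY: "sts.amazonaws.com",
                SUB_KEY: f"repo:{owner}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def lint_trust_policy(policy):
    """Return findings for GitHub-OIDC statements whose conditions are too broad."""
    findings = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Action") != "sts:AssumeRoleWithWebIdentity"
                or GITHUB_OIDC_HOST not in stmt.get("Principal", {}).get("Federated", "")):
            continue
        cond = stmt.get("Condition", {})
        keys = {k for block in cond.values() for k in block}
        if AUD_KEY not in keys:
            findings.append("no aud condition: tokens for other audiences are accepted")
        if SUB_KEY not in keys:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for block in cond.values():
            subs = block.get(SUB_KEY, [])
            for sub in [subs] if isinstance(subs, str) else subs:
                # the part before ":ref:" / ":environment:" names the repository
                if "*" in sub.split(":ref:")[0].split(":environment:")[0]:
                    findings.append(f"wildcard in repository part of sub: {sub}")
    return findings
```

With such a trust policy attached to the role, the workflow then needs `permissions: id-token: write` at the job or workflow level and only `role-to-assume` (no static access keys) in the configure-aws-credentials step.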
