GitHub Actions is overriding Audience and sending it to api://demo instead of sts.amazonaws.com somehow? #156948
Replies: 5 comments 1 reply
-
The issue you're experiencing is likely due to a change in the OpenID Connect (OIDC) token audience (aud) that GitHub uses when authenticating with AWS via GitHub Actions. Previously, the token's audience was sts.amazonaws.com, which aligns with what AWS expects for assuming roles through OIDC. However, it appears that the audience has unexpectedly changed to api://demo between workflow runs, even though no explicit changes were made to your GitHub or AWS configurations. As a result, your workflow is now failing with the error: Not authorized to perform sts:AssumeRoleWithWebIdentity, since your IAM role's trust policy is probably configured to accept only tokens with the sts.amazonaws.com audience. To resolve this, you can either manually fetch the OIDC token with the correct audience using a custom curl call and use that token in an explicit aws sts assume-role-with-web-identity command, or you can modify your IAM trust policy to accept the new api://demo audience if you confirm it's consistently used and secure in your environment. The former is safer and gives you more control over the token content. Adding a debug step to print and inspect the OIDC token claims can help verify the audience and diagnose any further discrepancies in token behavior.
-
-
The issue you're facing where the GITHUB_TOKEN audience suddenly changed from sts.amazonaws.com to api://demo, causing the "Not authorized to perform sts:AssumeRoleWithWebIdentity" error, is likely due to an underlying change in how the OIDC token audience is being issued by GitHub's OIDC provider. Even if no changes were made on your AWS or GitHub settings, GitHub may have updated their OIDC token audience by default. Hardcoding the audience parameter usually fixes this, but if it's not working, it might be due to the GitHub Actions runner or the aws-actions/configure-aws-credentials action not properly respecting that override in your workflow version. You could try upgrading to the latest version of the aws-actions/configure-aws-credentials action or explicitly specify the audience field if supported. Also, verify that your IAM role's trust policy includes the exact audience value currently present in the token (like api://demo) because if the audience in the token doesn't match what the role trusts, AWS will reject the AssumeRoleWithWebIdentity call. Lastly, double-check for any GitHub platform-wide changes or outages affecting OIDC tokens around the time the issue started.
-
The solution is to explicitly set the audience to sts.amazonaws.com in your GitHub Actions workflow. By adding audience: sts.amazonaws.com under with: in your aws-actions/configure-aws-credentials step, you make sure it requests an OIDC token meant for AWS instead of the new api://demo. Also, double-check your AWS IAM role's trust policy to make sure it accepts tokens with aud: "sts.amazonaws.com". Once you do this, the role should be assumed successfully again.
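One way to do the debug step suggested in the replies above (request the job's OIDC token for an explicit audience, decode its claims, and compare aud with what the role's trust policy expects), written as an added example that is not from this discussion or from the aws-actions/configure-aws-credentials action. It assumes the job runs with `permissions: id-token: write`, which is what makes the runner export ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN; the sample token at the bottom is constructed and unsigned so the claim parsing can be exercised offline.

```shell
# Added example: OIDC audience debug helper for a GitHub Actions step.
# Assumes string-valued claims (GitHub issues "aud" as a string) and the
# runner variables ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN,
# which exist only in a job that has `permissions: id-token: write`.

# Decode the base64url payload (second JWT segment) to JSON.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="${p}="; done   # restore padding
  printf '%s' "$p" | base64 -d
}

# Print one string-valued claim, e.g. `jwt_claim "$tok" aud`.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the token's aud equals the audience the IAM trust policy
# requires (its token.actions.githubusercontent.com:aud condition), else 1.
check_aud() {
  actual=$(jwt_claim "$1" aud)
  if [ "$actual" = "$2" ]; then
    echo "aud OK: $actual"
  else
    echo "aud MISMATCH: token has '$actual', trust policy expects '$2'" >&2
    return 1
  fi
}

# Request a token for a specific audience from the runner's token endpoint.
# Only works inside a job; the URL already has a query string, hence '&'.
fetch_oidc_token() {
  curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=$1" \
    | sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Constructed sample token (unsigned, offline demo only) reproducing the
# symptom from the thread: aud=api://demo instead of sts.amazonaws.com.
SAMPLE_PAYLOAD='{"iss":"https://token.actions.githubusercontent.com","aud":"api://demo","sub":"repo:example-org/example-repo:ref:refs/heads/main"}'
SAMPLE_JWT="eyJhbGciOiJub25lIn0.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '=\n' | tr '/+' '_-').sig"

# In a real step: TOKEN=$(fetch_oidc_token sts.amazonaws.com); check_aud "$TOKEN" sts.amazonaws.com
check_aud "$SAMPLE_JWT" sts.amazonaws.com || true
```

Run the same check against the token that aws-actions/configure-aws-credentials is handed: if aud is not the value in the trust policy's `token.actions.githubusercontent.com:aud` condition, AssumeRoleWithWebIdentity is rejected regardless of the role's other permissions.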
-
-
Topic Area: Question
Body:
Not sure what's going on here but my GITHUB_TOKEN audience has changed to api://demo instead of sts.amazonaws.com on a job that pushes terraform from GitHub to AWS. This happened between runs, 10 minutes apart, with no changes to any of the settings in AWS or GitHub.
With debug on, the runner returns the following: "Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity". However, there have been no changes on the AWS side, and the role permissions and the OIDC connector are both intact (confirmed manually). The changes being pushed via terraform did not have anything to do with IAM.
Sanitized code snippet of the auth being used follows:

```yaml
- name: "Configure AWS Credentials"
  uses: aws-actions/configure-aws-credentials@VERSION   # version tag lost in extraction
  with:
    role-to-assume: 'ROLENAMEVAR'
    aws-region: 'REGIONVAR'
```

I have also tried hardcoding

```yaml
audience: sts.amazonaws.com
```

and

```yaml
web-identity-token-file: ${{ steps.get_token.outputs.token_file }}
```

but there's been no effect.