Login to AWS ECR fails #119
Comments
Check out #107 Need to override the docker image that

Ahh yes, I checked the other issues but not thoroughly enough. It is a bit inconvenient that you have to choose between full compatibility with GitHub Actions by default and making your users pull an 18GB image, but your choice makes sense I think. This can be closed. In any case, thank you for a prompt response and for providing an option for this!

Which docker image can I use today to be able to perform the login via OIDC?
+1, I think I'm running into this issue. Trying to use AWS's OIDC action. Partial excerpt below:

```yaml
name: AWS CDK Deploy
on:
  push:
    branches:
      - main
      - develop
permissions:
  id-token: write
  contents: read
jobs:
  AssumeRoleAndDeploy:
    runs-on: ubuntu-latest
    environment:
      name: ${{ (github.ref == 'refs/heads/main') && 'aws_prod_v2' || 'aws_staging_v2' }}
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Print Environment Variables for Debugging
        run: |
          echo "Repository Name: ${{ github.repository }}"
          echo "Branch Name: ${{ github.ref_name }}"
          echo "Environment Name: ${{ vars.environment }}"
          echo "AWS Account ID: ${{ vars.AWS_ACCOUNT_ID }}"
          echo "AWS Region: ${{ vars.AWS_REGION }}"
          echo "IAM Role Name: ${{ vars.GH_ACTION_IAM_ROLE_NAME }}"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.GH_ACTION_IAM_ROLE_NAME }}"
          aws-region: ${{ vars.AWS_REGION }}
          role-skip-session-tagging: true # required for the OIDC method of credential retrieval we're using
      - name: Log assumed IAM role
        run: aws sts get-caller-identity
```

Getting this error:
None. If you could authenticate using act via OIDC to AWS, an attacker could do it as well.
At most you could get locally a self-signed OIDC token, which is rejected by AWS as long as you don't register your own JWK key as a trusted OIDC source. If you want to go the self-signed OIDC way I can help you to get this working by porting my fake OIDC provider to nektos/act. This is implemented in my similar project for emulating GitHub Actions.
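The trust boundary described in the comment above, as an added example that is not part of this thread, of act, or of the commenter's fake OIDC provider: a minimal ES256 JWT issuer and a relying-party verifier that only accepts keys it already holds, standing in for AWS STS and the issuer's published JWKS. It plays out the same scenario the workflow in the earlier comment runs into under act: the issuer's own token verifies, a token minted with a local key is rejected whether it uses its own `kid` or copies the issuer's, and it only gets through once the local public key is registered as trusted. Every key, `kid` and the trusted key set are constructed in the program; the issuer and audience strings are illustrative claim values only, and nothing is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// TrustedKeys is what a relying party holds after fetching and parsing the issuer's
// JWKS: public keys indexed by kid. In this example it is filled in directly.
type TrustedKeys map[string]*ecdsa.PublicKey

type Claims struct { // only the fields this example checks
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

var b64 = base64.RawURLEncoding

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// SignES256 mints a compact JWS (header.payload.signature) with the given key.
func SignES256(kid string, c Claims, priv *ecdsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // only possible if the system random source fails
	}
	// JWS encodes an ECDSA signature as raw R||S, each left-padded to 32 bytes.
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...))
}

// VerifyES256 is the relying-party side (AWS STS in the thread): pick the key by kid
// from the trusted set, verify the signature over header.payload, then check iss/aud.
func VerifyES256(token string, trusted TrustedKeys, wantIss, wantAud string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var c Claims                    // parsed now, trusted only after the signature check below
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	if e1 != nil || e2 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, fmt.Errorf("undecodable header or payload")
	}
	if hdr.Alg != "ES256" { // the verifier, not the token, decides the algorithm
		return Claims{}, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := trusted[hdr.Kid]
	if !ok { // a token from a local, unregistered "OIDC provider" stops here
		return Claims{}, fmt.Errorf("kid %q is not a trusted signing key", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, fmt.Errorf("signature does not verify under trusted key %q", hdr.Kid)
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return Claims{}, fmt.Errorf("iss/aud mismatch: %q for %q", c.Iss, c.Aud)
	}
	return c, nil
}

// RunDemo plays the thread's scenario; each result is nil when the token was accepted.
// The issuer and audience strings are illustrative claim values only; nothing is contacted.
func RunDemo() (issuer, unknownKid, spoofedKid, registered error) {
	const iss, aud = "https://token.actions.githubusercontent.com", "sts.amazonaws.com"
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	localKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := TrustedKeys{"issuer-key-1": &issuerKey.PublicKey}
	c := Claims{Iss: iss, Aud: aud}
	genuine := SignES256("issuer-key-1", c, issuerKey)
	forged := SignES256("act-local", c, localKey)       // self-signed, under its own kid
	forgedKid := SignES256("issuer-key-1", c, localKey) // self-signed, copies the issuer's kid
	_, issuer = VerifyES256(genuine, trusted, iss, aud)
	_, unknownKid = VerifyES256(forged, trusted, iss, aud)
	_, spoofedKid = VerifyES256(forgedKid, trusted, iss, aud)
	// Registering the local public key as trusted is the one thing that lets it through.
	trusted["act-local"] = &localKey.PublicKey
	_, registered = VerifyES256(forged, trusted, iss, aud)
	return
}

func main() { fmt.Println(RunDemo()) }
```

`go run` prints the four results of `RunDemo` in order: accepted, rejected for an unknown `kid`, rejected because the signature does not verify under the issuer's key even though the `kid` matches, and accepted once the local key is registered. The algorithm is pinned on the verifier side on purpose: a verifier that honours whatever `alg` the token names can be talked into `none`, which is why the check comes before any key lookup.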
I am trying to execute the GitHub action to push a Docker image to AWS ECR, specifically this one. However, even after supplying the access key, secret key and region, this is the output:
Here is a job definition in order to reproduce this:
There is a `docker login` in the `index.js` of that action; I guess that is where it fails, but how can I make this pass? Am I doing something wrong, or would this be a feature request?