-
Notifications
You must be signed in to change notification settings - Fork 478
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC not working with GitHub App #930
Comments
Thanks for reaching out. This looks like it may be related to past issues such as #373. Are the comments here or here helpful? Not sure if https://github.com/actions/create-github-app-token or somewhere else might be a better place for this discussion. |
@tim-finnigan thanks for the quick reply. I'm afraid my issue is not related to the links you shared, as that one is not related to using GitHub App for authentication, they are using public repo forks, and I'm using private repos without forks. I posted here insteadd of the "create-github-app-token" repo because that error message is coming from this action, also other actions work fine with the token generated by the "create-github-app-token" action. |
@tim-finnigan I went through this action's code, and figured that you validate if the So I logged an issue on create-github-app-token to better understand, maybe they just need to set this env var - as well as I let this issue opened so you can see my comment, but feel free to close it. Thanks for your help!!! |
Comments on closed issues are hard for our team to see. |
Describe the bug
When trying to configure aws credentials setting the
GITHUB_TOKEN
env var using a GitHub App token, the action fails to fetch credentials with the error below:The GitHub App is installed in the Organization and has the permissions required.
If I don't set the
GITHUB_TOKEN
and instead just add the usualpermissions
withid-token
on the job, it works fine, but adding apermissions
on the job makes it not possible to setGITHUB_TOKEN
for other steps that need the GitHub App token instead of the temp token created by the workflow.My workaround was to split my workflow into multiple jobs, so now I have an isolated job for
configure-aws-credentials
and other steps related to AWS (e.g. push docker image to ECR), but this is a bit tedious as now I need to checkout the code for every job, properly share outputs, using a single job was more convenient.Another idea would be to just use assume role with static IAM credentials (e.g. access key and secret), but that's not the recommended way.
Expected Behavior
It should be able to fetch credentials using a GitHub App token from a workflow under the GitHub repo that was setup in the Identity Provider on AWS side.
Current Behavior
It fails to find the credentials.
Reproduction Steps
The workflow looks like this:
Possible Solution
I think by overriding the
GITHUB_TOKEN
, somehow AWS thinks the request is not coming from the authorized GitHub Repo, so perhaps this is a matter ofactions/create-github-app-token@v1
having to support a way to generate a token on behalf of the organization (or user that triggered the workflow?).So it's not clear if this issue can be fixed on this action.
Additional Information/Context
No response
The text was updated successfully, but these errors were encountered: