Error: The security token included in the request is invalid - in GHA jobs #1190

Open
1 task
dil-jvanganuru opened this issue Oct 24, 2024 · 1 comment
Labels
bug Something isn't working needs-triage This issue still needs to be triaged

Comments

@dil-jvanganuru

Describe the bug

Hi,

We are planning to run some tests, and below is the flow:

    name: 'Run RSpec Tests'
    on:
      push:
        branches:
          - master
      pull_request:
      label:
        types: [created, edited, deleted]

    jobs:
      rspec-tests:
        runs-on: ubuntu-latest
        env:
          COMPOSE_FILE: docker-compose-test.yml

        steps:
          - name: Checkout code
            uses: actions/checkout@v2

          - name: List All Environment Variables
            run: secrets

          - name: Configure AWS credentials
            uses: aws-actions/configure-aws-credentials@v1
            with:
              aws-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
              aws-secret-access-key: ${{ secrets.ACCESS_KEY_SECRET }}
              aws-region: us-east-1

          - name: Login to Amazon ECR
            id: login-ecr
            uses: aws-actions/amazon-ecr-login@v1

          - name: Build, and push test image to Amazon ECR with new node packages
            id: build-image
            env:
              ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
              BUNDLE_GITHUB__COM: ${{ secrets.PAT }}:x-oauth-basic
            if: github.event.label.name == 'enhancement' || contains(github.event.pull_request.labels.*.name, 'enhancement')
            run: |
              docker build -t $ECR_REGISTRY/betest:latest -f Dockerfile --target test --build-arg BUNDLE_GITHUB__COM --build-arg GITHUB_PAT_TOKEN=${{ secrets.PKG_READ_TOKEN }} .
              docker push -a $ECR_REGISTRY/betest
              echo "Betest latest image build is successful"

          - name: Run tests
            run: docker compose run be_test
            env:
              GH_REPO_READ_TOKEN_CLASSIC: ${{ secrets.GH_REPO_READ_TOKEN_CLASSIC }}

This is giving error at aws-actions/configure-aws-credentials@v1

    with:
      aws-access-key-id: ***
      aws-secret-access-key: ***
      aws-region: us-east-1
      audience: sts.amazonaws.com
    env:
      COMPOSE_FILE: docker-compose-test.yml
    Error: The security token included in the request is invalid.

Please help us with this issue.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

This should run successfully with no errors.

Current Behavior

This is giving error at aws-actions/configure-aws-credentials@v1

    with:
      aws-access-key-id: ***
      aws-secret-access-key: ***
      aws-region: us-east-1
      audience: sts.amazonaws.com
    env:
      COMPOSE_FILE: docker-compose-test.yml
    Error: The security token included in the request is invalid.

Reproduction Steps

This is happening every time.

Possible Solution

No response

Additional Information/Context

No response

dil-jvanganuru added the bug and needs-triage labels on Oct 24, 2024
dil-jvanganuru changed the title from "Error: The security token included in the request is invalid - when AWS key/secret changes between GHA jobs" to "Error: The security token included in the request is invalid - in GHA jobs" on Oct 24, 2024
@noamgreen

noamgreen commented Oct 28, 2024

Hi, I have the same issue.

      - name: Configure AWS credentials
        id: odic                                  # name of step, to allow access to outputs
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.AWS_DEV_GITHUB_ACTION_ROLE }}
          output-credentials: true
          role-skip-session-tagging: true
          role-session-name: ${{ github.actor }}_${{ github.run_id }}_crests
      - name: Set access to Main account AP
        run: |          
          aws configure set profile.main.aws_access_key_id ${{ steps.odic.outputs.aws-access-key-id }}
          aws configure set profile.main.aws_secret_access_key  ${{ steps.odic.outputs.aws-secret-access-key }}
          aws configure set profile.main.aws_session_token  ${{ steps.odic.outputs.aws-session-token }}
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

      - name: Configure other AWS Credentials AP
        id: prodAP
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ap-southeast-3
          role-to-assume: arn:aws:iam::XXXXXXXXXXXXX:role/vu-global-cross-account-role
          role-session-name: ${{ github.actor }}_${{ github.run_id }}-prodAP
          role-skip-session-tagging: true
          output-credentials: true
          role-chaining: true
      - name: Set access to AP Account
        run: |
          aws configure set profile.prod-ap.aws_access_key_id ${{ steps.prodAP.outputs.aws-access-key-id }}
          aws configure set profile.prod-ap.aws_secret_access_key  ${{ steps.prodAP.outputs.aws-secret-access-key }}
          aws configure set profile.prod-ap.aws_session_token  ${{ steps.prodAP.outputs.aws-session-token }}
          echo "AWS_PROFILE=prod-ap" >> "$GITHUB_ENV" 
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

Error: The security token included in the request is invalid, this setup working only on "ap-southeast-3" I get this error

Not sure why, but manually it's working.

Workaround:

    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
      $(aws sts assume-role \
        --role-arn arn:aws:iam::XXXXXXXXXXX:role/vu-global-cross-account-role \
        --role-session-name MySessionName --profile main \
        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
        --output text))

This is working but it's dumb.
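
A more defensive form of the workaround above, as an added example that is not part of the original thread or of the action's code: it validates the `assume-role` output before exporting anything (a failed STS call otherwise exports empty variables) and masks the secret values in the job log. The function names and the session-name pattern are hypothetical; the demo values are constructed.

```shell
# Added example; function names are hypothetical, not from the thread.

# Read one line "AccessKeyId SecretAccessKey SessionToken" (the --output text
# shape used in the workaround) from stdin, validate it, mask the secrets in
# the job log, and append the variables to the file named by $1
# (normally "$GITHUB_ENV").
export_sts_credentials() {
  local env_file="$1" key secret token extra
  read -r key secret token extra || true
  # A failed STS call leaves the fields empty; stop instead of exporting blanks.
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ] || [ -n "$extra" ]; then
    echo "expected exactly 3 credential fields from assume-role" >&2
    return 1
  fi
  # ::add-mask:: is the GitHub Actions workflow command that redacts a value
  # from the rest of the job's log output.
  printf '::add-mask::%s\n' "$secret" "$token"
  {
    printf 'AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'AWS_SESSION_TOKEN=%s\n' "$token"
  } >> "$env_file"
}

# Wrapper around the CLI call from the workaround.
# $1 = role ARN, $2 = source profile (e.g. "main").
assume_role_to_env() {
  aws sts assume-role --role-arn "$1" \
    --role-session-name "gha-${GITHUB_RUN_ID:-local}" --profile "$2" \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text \
    | export_sts_credentials "${GITHUB_ENV:?not running in GitHub Actions}"
}

# Offline demo with constructed, non-functional values.
demo_env_file="$(mktemp)"
printf 'ASIAEXAMPLEKEYID\tconstructedSecret\tconstructedToken\n' \
  | export_sts_credentials "$demo_env_file"
```

Because the variables go to `$GITHUB_ENV`, they apply to later steps of the job rather than to the step that wrote them.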
