Assuming two roles in the same in composite action can't override previous step credential

[guitarrapc]

Summary

If I use configure-aws-credentials in composite action multiple times, it can't override previous credential.

Is it bug or expected behaviour?

Expected behaviour

There are 2 pattern work as expected.

Pattern A

If I call multiple aws-actions/configure-aws-credentials in workflow, it works as expected.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
     # 1st
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-northeast-1
          role-to-assume: arn:aws:iam::123456789012:role/myrole_A
          role-session-name: GitHubActions-${{ github.run_id }}
      - name: get-caller-identity shows myrole_A as expected
        run: aws sts get-caller-identity
      # 2nd
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-northeast-1
          role-to-assume: arn:aws:iam::123456789012:role/myrole_B
          role-session-name: GitHubActions-${{ github.run_id }}
      - name: get-caller-identity shows myrole_B as expected
        run: aws sts get-caller-identity

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426675663",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426675663"
}

2nd get-caller-identity shows myrole_B.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426675663",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_B/GitHubActions-1426675663"
}

Pattern B

If I call multiple aws-actions/configure-aws-credentials in composite actions, it works as expected.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/aws_oidc_auth_all

# ./.github/actions/aws_oidc_auth_all/action.yaml
name: aws oidc auth
description: |
  Get aws oidc auth.
runs:
  using: "composite"
  steps:
    # 1st
    - name: Configure AWS Credentials (Role A)
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: arn:aws:iam::123456789012:role/myrole_A
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_A as expected
      run: aws sts get-caller-identity
      shell: bash
    # 2nd
    - name: Configure AWS Credentials (Role B)
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: arn:aws:iam::123456789012:role/myrole_B
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_B as expected
      run: aws sts get-caller-identity
      shell: bash

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426687022",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687022"
}

2nd get-caller-identity shows myrole_B.

{
    "UserId": "AROASJXUOK5UHN4XWD3XF:GitHubActions-1426687022",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_B/GitHubActions-1426687022"
}

Actual behaviour

Pattern C. If I call composite actions include aws-actions/configure-aws-credentials, then call same composite actions in same job, 2nd call of composite action not override aws credentials.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # 1st <- Shows myrole_A, expected.
      - name: Configure AWS Credentials (Role A)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_A
      # 2nd <- Shows myrole_A, unexpected!!
      - name: Configure AWS Credentials (Role B)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_B

# ./.github/actions/aws_oidc_auth_single/action.yaml
name: aws oidc auth
description: |
  Get aws oidc auth.
inputs:
  role-to-assume:
    description: "AWS IAM Role to assume 1"
    required: true
runs:
  using: "composite" # this is key point
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
    - name:  get-caller-identity shows myrole_A on both 1st and 2nd run. (2nd run must be myrole_B but incorrect result.)
      run: aws sts get-caller-identity
      shell: bash

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426687028",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687028"
}

However, 2nd get-caller-identity also shows myrole_A.

{
    "UserId": "AROASJXUOK5UHN4XWD3XF:GitHubActions-1426687028",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687028"
}

Reproduce step

1. Create IAM Roles myrole_A and myrole_B to accept OIDC Request.
2. Prepare composite actions ./.github/actions/aws_oidc_auth_single/action.yaml
3. Prepare workflow.
4. Run workflow and confirm both 1st and 2nd call of composite action shows "myrole_A"

[ghost]

unsetting these vars works...

      env:
        AWS_ACCESS_KEY_ID: ""
        AWS_SECRET_ACCESS_KEY: ""
        AWS_SESSION_TOKEN: ""
        AWS_DEFAULT_REGION: ""
        AWS_REGION: ""

[guitarrapc]

@ZacharyBenamram Interesting. I've try reset env on action(s Configure AWS Credentials, but no luck.

name: aws oidc auth
description: |
  Get aws oidc auth.
inputs:
  role-to-assume:
    description: "AWS IAM Role to assume 1"
    required: true
runs:
  using: "composite" # this is key point
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
      env:
        AWS_ACCESS_KEY_ID: ""
        AWS_SECRET_ACCESS_KEY: ""
        AWS_SESSION_TOKEN: ""
        AWS_DEFAULT_REGION: ""
        AWS_REGION: ""
    - name: get-caller-identity is allowed to run on role.
      run: aws sts get-caller-identity
      shell: bash

2nd Configure AWS Credentials is not updated. (same as 1st run's role)

[cfbao]

this seems to be caused by this underlying issue: actions/runner#789

[pragmaticivan]

Has anyone found a workaround/fix for that one?

[DonDebonair]

I would love for this issue to be fixed, or the underlying one. And I'm also curious about potential workarounds

[bart-lisiecki-form3]

This was probably suggested multiple times over multiple issues, but why not set creds as configure-aws-credentials outputs in addition to exporting them?

This would provide a workaround for the actions/runner#789 and seems to be a good practice anyway, as it does not pollute whole job's env.

[scub]

For anyone still looking for workaround you can find a temporary fix described here #236 (comment)

[mcblair]

I'm standing on the shoulders of giants with this, but here is something that I whipped up to meet my use case: https://github.com/marketplace/actions/configure-aws-profile

[shousper]

Really seems like it should be a piece of cake to add an option that skips the call to exportCredentials for users that require multiple profiles be authenticated.

Force exporting the AWS_* keys makes this a royal PITA for anyone with more than 1 AWS account to work with in a single job..

[peterwoodworth]

A different combination between enabling unset-current-credentials and role-chaining should work for any instances where this action is invoked multiple times. You can do this on v3, check out the README.

Please open up a new issue if you continue to have problems, it seems there are different problems being described in the comments of this issue

[github-actions]

** Note **
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.