fix: 'Incorrect token audience' error for GitHubOidcProvider
#1350
Thanks!
I think you'll need to update the test too.
This is an update to the `GitHubOidcProvider` construct that creates IAM resources for GitHub Actions, first introduced with #823 in early October 2021. Apparently the `ClientIdList` field should no longer be `sigstore`, as of 19th October 2021:

- aws-actions/configure-aws-credentials#291
- aws-actions/configure-aws-credentials#280 (comment)
- aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field, running the `aws-actions/configure-aws-credentials` GitHub Action will give you an "Error: Incorrect token audience" error: https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
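As an added example (not code from guardian/cdk or this PR), a TypeScript check that flags `AWS::IAM::OIDCProvider` resources for the GitHub issuer whose `ClientIdList` lacks `sts.amazonaws.com`, next to a model of the audience match STS applies before accepting a token; the template shape, the function names and the constructed templates are assumptions.

```typescript
// Added example, not code from guardian/cdk or this PR: audits a synthesised
// CloudFormation template for GitHub OIDC providers whose ClientIdList would make
// STS reject tokens from the official aws-actions/configure-aws-credentials action,
// and models the audience match. Template shape and names are assumptions.

const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
const OFFICIAL_ACTION_AUDIENCE = "sts.amazonaws.com"; // the value this PR switches to

interface Resource { Type: string; Properties?: Record<string, unknown> }
interface Template { Resources: Record<string, Resource> }

// Returns the logical IDs of GitHub OIDC providers that do not list the
// official action's audience (the pre-fix "sigstore"-only configuration).
function findMisconfiguredGitHubProviders(template: Template): string[] {
  const findings: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::IAM::OIDCProvider") continue;
    const props = res.Properties ?? {};
    if (props.Url !== GITHUB_OIDC_ISSUER) continue;
    const clientIds = Array.isArray(props.ClientIdList) ? (props.ClientIdList as string[]) : [];
    if (!clientIds.includes(OFFICIAL_ACTION_AUDIENCE)) findings.push(logicalId);
  }
  return findings;
}

// Models the check behind "Incorrect token audience": the token's aud claim
// (a string or an array, per RFC 7519) must match a registered client ID.
function audienceAccepted(aud: string | string[], clientIdList: string[]): boolean {
  const audiences = Array.isArray(aud) ? aud : [aud];
  return audiences.some((a) => clientIdList.includes(a));
}

// Constructed templates: the ClientIdList before and after this PR's change.
function providerTemplate(clientIdList: string[]): Template {
  const Properties = { Url: GITHUB_OIDC_ISSUER, ClientIdList: clientIdList };
  return { Resources: { GitHubOidc: { Type: "AWS::IAM::OIDCProvider", Properties } } };
}
const beforeFix = providerTemplate(["sigstore"]);
const afterFix = providerTemplate([OFFICIAL_ACTION_AUDIENCE]);

console.log(findMisconfiguredGitHubProviders(beforeFix)); // ["GitHubOidc"]
console.log(findMisconfiguredGitHubProviders(afterFix)); // []
```

The audit only looks at providers whose `Url` is the GitHub Actions issuer, so OIDC providers for other identity sources are left alone.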
The Dependabot is the typical solution here, but it wasn't quite working. I've dropped the requirement to have this check pass, as we should think of ways to automate this.

🎉 This PR is included in version 45.1.3 🎉 The release is available on: Your semantic-release bot 📦🚀