
Token.actions.githubusercontent.com returns incorrect token #25223

Oct 7, 2021 · 3 answers

We are using GitHub Actions AWS federation. After an update on Oct. 6th 2021 the URL to request the OIDC token has been changed to token.actions.githubusercontent.com.

The token returned still has iss/aud vstoken.actions.githubusercontent.com, which was the request URL before the change (see bottom of this post).

This now breaks our OIDC connection to AWS:
“An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience”

Does anybody know how to deal with this issue?

{
  "nameid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "scp": "Actions.GenericRead:00000000-0000-0000-0000-000000000000 Actions.UploadArtifacts:00000000-0000-0000-0000-000000000000/1:Build/Build/1205 DistributedTask.GenerateIdToken:74494030-3856-426f-9c1c-2ed8806a371a:6e2e6d2e-3d07-5d27-f52a-c3c85fbb7c29 LocationService.Connect ReadAndUpdateBuildByUri:00000000-0000-0000-0000-000000000000/1:Build/Build/1205",
  "IdentityTypeClaim": "System:ServiceIdentity",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid": "DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "aui": "xyz",
  "sid": "xyz",
  "ac": "[{\"Scope\":\"refs/heads/main\",\"Permission\":3}]",
  "oidc_sub": "repo:fielmann-ag/kls:ref:refs/heads/main",
  "oidc_extra": "{\"ref\":\"refs/heads/main\",\"sha\":\"6abb1f42030e5d4fdc6b2e2d15419cd097add694\",\"repository\":\"fielmann-ag/kls\",\"repository_owner\":\"fielmann-ag\",\"run_id\":\"1316676112\",\"run_number\":\"22\",\"run_attempt\":\"1\",\"actor\":\"TROEERI\",\"workflow\":\"Deploy grafana dashboards\",\"head_ref\":\"\",\"base_ref\":\"\",\"event_name\":\"push\",\"ref_type\":\"branch\",\"job_workflow_ref\":\"fielmann-ag/kls/.github/workflows/eks-grafana-dashboards.yml@refs/heads/main\"}",
  "orchid": "74494030-3856-426f-9c1c-2ed8806a371a.deploy-to-dev.__default",
  "iss": "vstoken.actions.githubusercontent.com",
  "aud": "vstoken.actions.githubusercontent.com|vso:xyz",
  "nbf": 1633617542,
  "exp": 1633619342,
  "alg": "HS256"
}
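As an added example (not code from the original post or from GitHub/AWS), here is the kind of claim check a relying party runs that produced the "Incorrect token audience" error above, together with the base64url payload decoding the second reply asks about. The pinned issuer, audience and subject values, and the helper names, are assumptions standing in for whatever an AWS trust policy would pin for this repository.

```python
import base64
import json
# Values the AWS trust policy is assumed to pin (assumption: the standard
# GitHub Actions issuer, the aud configured for AWS, and this post's repo/branch).
EXPECTED_ISS = "https://token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"
EXPECTED_SUB = "repo:fielmann-ag/kls:ref:refs/heads/main"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT for inspection only.
    The signature is NOT verified here; the relying party (AWS STS in the post)
    must verify it against the issuer's JWKS before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims: dict, iss=EXPECTED_ISS, aud=EXPECTED_AUD, sub=EXPECTED_SUB) -> list:
    """List every mismatch between the token's claims and the pinned values."""
    problems = []
    if claims.get("iss") != iss:
        problems.append(f"iss: got {claims.get('iss')!r}, expected {iss!r}")
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    if aud not in audiences:
        problems.append(f"aud: got {audiences!r}, expected {aud!r}")
    if claims.get("sub") != sub:
        problems.append(f"sub: got {claims.get('sub')!r}, expected {sub!r}")
    return problems


def make_unsigned_test_jwt(claims: dict) -> str:
    """Build a compact JWT with a dummy signature, for offline testing only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc({'constructed': True})}"


# Constructed sample mirroring the payload quoted in the post: iss/aud still
# carry the old vstoken values and there is no standard "sub" claim.
OLD_STYLE_CLAIMS = {
    "iss": "vstoken.actions.githubusercontent.com",
    "aud": "vstoken.actions.githubusercontent.com|vso:xyz",
    "oidc_sub": "repo:fielmann-ag/kls:ref:refs/heads/main",
}
if __name__ == "__main__":
    for problem in check_claims(decode_jwt_payload(make_unsigned_test_jwt(OLD_STYLE_CLAIMS))):
        print(problem)
```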

The issue has been fixed by GitHub. Please have a look at the official documentation:

GitHub Docs: Configuring OpenID Connect in Amazon Web Services, https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Replies

3 suggested answers

Have the same issue!
Would be nice to get a fix for it as the Tokens that are generated by “token.actions.githubusercontent.com” are generally invalid!

0 replies

@TROEERI How were you able to find that JSON blob? I’m facing a similar situation and have a vested interest in troubleshooting further.

0 replies
