Token.actions.githubusercontent.com returns incorrect token #25223

TROEERI · 2021-10-07T15:05:40Z

TROEERI
Oct 7, 2021

We are using GitHub Actions AWS federation. After an update on Oct. 6th 2021 the URL to request the OIDC token has been changed to token.actions.githubusercontent.com.

The token returned still has iss/aud vstoken.actions.githubusercontent.com, which was the request URL before the change (see bottom of this post).

This now breaks our ODIC connection to AWS:
“An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience”

Does anybody know how to deal with this issue?

{
  "nameid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "scp": "Actions.GenericRead:00000000-0000-0000-0000-000000000000 Actions.UploadArtifacts:00000000-0000-0000-0000-000000000000/1:Build/Build/1205 DistributedTask.GenerateIdToken:74494030-3856-426f-9c1c-2ed8806a371a:6e2e6d2e-3d07-5d27-f52a-c3c85fbb7c29 LocationService.Connect ReadAndUpdateBuildByUri:00000000-0000-0000-0000-000000000000/1:Build/Build/1205",
  "IdentityTypeClaim": "System:ServiceIdentity",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid": "DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "aui": "xyz",
  "sid": "xyz",
  "ac": "[{\"Scope\":\"refs/heads/main\",\"Permission\":3}]",
  "oidc_sub": "repo:fielmann-ag/kls:ref:refs/heads/main",
  "oidc_extra": "{\"ref\":\"refs/heads/main\",\"sha\":\"6abb1f42030e5d4fdc6b2e2d15419cd097add694\",\"repository\":\"fielmann-ag/kls\",\"repository_owner\":\"fielmann-ag\",\"run_id\":\"1316676112\",\"run_number\":\"22\",\"run_attempt\":\"1\",\"actor\":\"TROEERI\",\"workflow\":\"Deploy grafana dashboards\",\"head_ref\":\"\",\"base_ref\":\"\",\"event_name\":\"push\",\"ref_type\":\"branch\",\"job_workflow_ref\":\"fielmann-ag/kls/.github/workflows/eks-grafana-dashboards.yml@refs/heads/main\"}",
  "orchid": "74494030-3856-426f-9c1c-2ed8806a371a.deploy-to-dev.__default",
  "iss": "vstoken.actions.githubusercontent.com",
  "aud": "vstoken.actions.githubusercontent.com|vso:xyz",
  "nbf": 1633617542,
  "exp": 1633619342,
  "alg": "HS256"
}

Answered by TROEERI

Nov 9, 2021

The issue has been fixed by GitHub. Please have a look at the official documentation:

  <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" target="_blank" rel="noopener nofollow ugc">GitHub Docs</a>

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

View full answer

Frisch12 · 2021-10-11T08:34:08Z

Frisch12
Oct 11, 2021

Have the same issue!
Would be nice to get a fix for it as the Tokens that are generated by “token.actions.githubusercontent.com” are generally invalid!

0 replies

tomislacker · 2021-11-09T13:43:31Z

tomislacker
Nov 9, 2021

@TROEERI How were you able to find that JSON blob? I’m facing a similar situation and have a vested interest in troubleshooting further.

0 replies

TROEERI · 2021-11-09T14:01:35Z

TROEERI
Nov 9, 2021
Author

The issue has been fixed by GitHub. Please have a look at the official documentation:

  <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" target="_blank" rel="noopener nofollow ugc">GitHub Docs</a>

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Token.actions.githubusercontent.com returns incorrect token #25223

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Token.actions.githubusercontent.com returns incorrect token #25223

TROEERI Oct 7, 2021

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

Replies: 3 comments

Frisch12 Oct 11, 2021

tomislacker Nov 9, 2021

TROEERI Nov 9, 2021 Author

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

TROEERI
Oct 7, 2021

Frisch12
Oct 11, 2021

tomislacker
Nov 9, 2021

TROEERI
Nov 9, 2021
Author