Token.actions.githubusercontent.com returns incorrect token

We are using GitHub Actions AWS federation. After an update on Oct. 6th 2021 the URL to request the OIDC token has been changed to token.actions.githubusercontent.com.

The token returned still has iss/aud vstoken.actions.githubusercontent.com, which was the request URL before the change (see bottom of this post).

This now breaks our OIDC connection to AWS:
“An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience”

Does anybody know how to deal with this issue?

{
  "nameid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "scp": "Actions.GenericRead:00000000-0000-0000-0000-000000000000 Actions.UploadArtifacts:00000000-0000-0000-0000-000000000000/1:Build/Build/1205 DistributedTask.GenerateIdToken:74494030-3856-426f-9c1c-2ed8806a371a:6e2e6d2e-3d07-5d27-f52a-c3c85fbb7c29 LocationService.Connect ReadAndUpdateBuildByUri:00000000-0000-0000-0000-000000000000/1:Build/Build/1205",
  "IdentityTypeClaim": "System:ServiceIdentity",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid": "DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "aui": "xyz",
  "sid": "xyz",
  "ac": "[{\"Scope\":\"refs/heads/main\",\"Permission\":3}]",
  "oidc_sub": "repo:fielmann-ag/kls:ref:refs/heads/main",
  "oidc_extra": "{\"ref\":\"refs/heads/main\",\"sha\":\"6abb1f42030e5d4fdc6b2e2d15419cd097add694\",\"repository\":\"fielmann-ag/kls\",\"repository_owner\":\"fielmann-ag\",\"run_id\":\"1316676112\",\"run_number\":\"22\",\"run_attempt\":\"1\",\"actor\":\"TROEERI\",\"workflow\":\"Deploy grafana dashboards\",\"head_ref\":\"\",\"base_ref\":\"\",\"event_name\":\"push\",\"ref_type\":\"branch\",\"job_workflow_ref\":\"fielmann-ag/kls/.github/workflows/eks-grafana-dashboards.yml@refs/heads/main\"}",
  "orchid": "74494030-3856-426f-9c1c-2ed8806a371a.deploy-to-dev.__default",
  "iss": "vstoken.actions.githubusercontent.com",
  "aud": "vstoken.actions.githubusercontent.com|vso:xyz",
  "nbf": 1633617542,
  "exp": 1633619342,
  "alg": "HS256"
}

Have the same issue!
Would be nice to get a fix for it, as the tokens that are generated by “token.actions.githubusercontent.com” are generally invalid!