Menu
I have two GitHub Actions, both are identical except that one is triggered manually, and the other when a pull request is completed on the main branch. The manual-deploy workflow works just fine, however the deploy one is failing with "Error: Not authorized to perform sts:AssumeRoleWithWebIdentity". What am I missing? My guess is that the sub must be different between the two events? How do I check?
This works
name: manual-deploy
on:
workflow_dispatch:
env:
REACT_APP_VERSION: 0.1.0
jobs:
build-and-deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: checkout code
uses: actions/checkout@v3
- name: install node
uses: actions/setup-node@v3
# using later versions of node breaks due to react-scripts v5.0.1 incompatible with typescript v5;
# this specific node version works though
with:
node-version: "16.14.2"
- name: install dependencies
run: npm install
- name: run tests
run: npm run test
- name: get current date
id: date
# pacific time = UTC-7:00
run: echo "REACT_APP_BUILD_DATE=$(date -u +'%m/%d/%Y %H:%M:%SPT' -d '7 hours ago')" >> $GITHUB_ENV
- name: build project
run: npm run build
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ SECRETS.AWS_GITHUB_ROLE }}
aws-region: us-west-2
- name: deploy to S3 bucket
run: aws s3 sync ./build/ s3://myProject --delete
- name: invalidate cloudfront cache
run: aws cloudfront create-invalidation --distribution-id ${{ SECRETS.AWS_CLOUDFRONT_DIST_ID}} --paths "/*"
This doesn't work
name: deploy
on:
pull_request:
branches:
- main
types: closed
paths-ignore:
- '.github/workflows/**'
env:
REACT_APP_VERSION: 0.1.0
jobs:
build-and-deploy:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true
permissions:
id-token: write
contents: read
steps:
- name: checkout code
uses: actions/checkout@v3
- name: install node
uses: actions/setup-node@v3
# using later versions of node breaks due to react-scripts v5.0.1 incompatible with typescript v5;
# this specific node version works though
with:
node-version: "16.14.2"
- name: install dependencies
run: npm install
- name: run tests
run: npm run test
- name: get current date
id: date
# pacific time = UTC-7:00
run: echo "REACT_APP_BUILD_DATE=$(date -u +'%m/%d/%Y %H:%M:%SPT' -d '7 hours ago')" >> $GITHUB_ENV
- name: build project
run: npm run build
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ SECRETS.AWS_GITHUB_ROLE }}
aws-region: us-west-2
- name: deploy to S3 bucket
run: aws s3 sync ./build/ s3://myProject --delete
- name: invalidate cloudfront cache
run: aws cloudfront create-invalidation --distribution-id ${{ SECRETS.AWS_CLOUDFRONT_DIST_ID}} --paths "/*"
Trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<not-sure-if-this-is-sensitive-info>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:myGitHub/myProject:ref:refs/heads/main"
}
}
}
]
}
I tried rerunning the action in debug mode but that did not provide more useful information.
220
asked Oct 19 '25 23:10
Ok, so figured it out. The pull request event uses a different sub, which is "repo:myGitHub/myProject:pull_request". Found this out by setting up AWS ClouldTrail and searched the logs for failed attempts to connect from github.
180
answered Oct 22 '25 13:10
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With