AWS OIDC keyless

[CoatesCarter]

I use aws-actions/configure-aws-credentials in their preferred method... using "GitHub's OIDC provider in conjunction with a configured AWS IAM Identity Provider endpoint." This method only requires environment variables for works swimmingly when GitHub Actions runs the step on their hosted runners. However, running locally with act produces the following error in the act console output:
"| It looks like you might be trying to authenticate with OIDC. Did you mean to set the id-token permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.
[...] ❗ ::error::Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
[...] ❌ Failure - Main Configure AWS Credentials "

The relevant parts of the workflow...
env:
AWS_REGION : us-east-1
...
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
...

• name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
  role-to-assume: arn:aws:iam::_____:role/GitHub-Actions
  aws-region: ${{ env.AWS_REGION }}

The IAM Identity Provider, OIDC, is:
token.actions.githubusercontent.com with audience sts.amazonaws.com

I may be confused about this, but it seems that even when the workflow is running locally through act, it is still running the same GitHub Actions code as it does when running on a GitHub hosted runner. So, the credential request to AWS should still be coming via/from token.actions.githubusercontent.com, right? The error message seems to suggest that it wants IAM user access key inputs, like AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY, which aren't needed for this method and aren't needed when running from GitHub Actions. Hopefully I've just overlooked something small. Help appreciated.

[ChristopherHX]

So, the credential request to AWS should still be coming via/from token.actions.githubusercontent.com, right?

That's impossible, because only GitHub Actions from github.com can sign the token (It's all about security, not everyone should access your aws). A self-hosted runner can also make use of the github.com token, when called by GitHub Actions services to run a job

Additionally nektos/act doesn't implement it's own oidc tokens. (needs to change the jwk endpoint)

[CoatesCarter]

I haven't studied the nektos/act code to see how exactly it does what it does, and the readme doesn't explain either... hence the question. For all one may know, nektos/act interacts with GitHub.com to sign the token, but based on your reply, that's clearly not the case. Thank you for clearing that up.

And the second part of your reply suggests that nektos/act is not yet able to authenticate in this keyless, role-to-assume method. Is that correct?

[anthonyma94]

Sorry for necro-ing, is it impossible to use act runner for AWS related actions if I wanted to use the OIDC auth method?

[johnjeffers]

It's not impossible. You need to configure your IAM role's trust policy to allow a principal other than Github to assume the role.

For example, you need something like this for Github to be able to assume the IAM role via OIDC:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:*"
                }
            }
        }
    ]
}

You'd have to add another statement block to that trust policy to allow you to assume the role when invoking the workflow with act.

        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:root" <-- This will work but is probably too permissive. Should be scoped down to a particular role or user.
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }

And, of course, your local user identity (the thing you get back from aws sts get-caller-identity) would also need permissions to assume the role.

[theist]

Thanks @johnjeffers that's a good lead but still fails, I think because act does not have access to my credentials.

[CI/CD Pipeline/test]   🐳  docker exec cmd=[/opt/acttoolcache/node/24.14.0/x64/bin/node /var/run/act/actions/aws-actions-configure-aws-credentials@v4/dist/index.js] user= workdir=
| It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.
[CI/CD Pipeline/test]   ❗  ::error::Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
[CI/CD Pipeline/test]   ❌  Failure - Main AWS OIDC Login [2.614175435s]
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_REGION=eu-west-3
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_DEFAULT_REGION=eu-west-3
[CI/CD Pipeline/test] exitcode '1': failure

And post action

[CI/CD Pipeline/test] ⭐ Run Post AWS OIDC Login
[CI/CD Pipeline/test]   🐳  docker exec cmd=[/opt/acttoolcache/node/24.14.0/x64/bin/node /var/run/act/actions/aws-actions-configure-aws-credentials@v4/dist/cleanup/index.js] user= workdir=
[CI/CD Pipeline/test]   ✅  Success - Post AWS OIDC Login [190.372851ms]
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_ACCESS_KEY_ID=
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_SECRET_ACCESS_KEY=
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_SESSION_TOKEN=
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_DEFAULT_REGION=
[CI/CD Pipeline/test]   ⚙  ::set-env:: AWS_REGION=

Credentials are empty in the output, not redacted

I've added the block you suggest which clearly will allow any AWS user to assume same role as the github actions. I've checked if my user can assume the actions role outside act and it can

$ aws sts assume-role --role-arn arn:aws:iam::************:role/GithubActionsRole --role-session-name test
{
    "Credentials": {
        "AccessKeyId": "***************************",
        "SecretAccessKey": "**************************************",
        "SessionToken": "***************************************",
        "Expiration": "2026-03-06T11:21:38+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "***************:test",
        "Arn": "arn:aws:sts::**************:assumed-role/GithubActionsRole/test"
    }
}

So my guess is that act cannot access my creds but will be able to simulate oidc login if it had access to my creds

[theist]

Found it! or at least if worked for me:

You have to configure OIDC role as in the superb answer by @johnjeffers (#2029 (reply in thread)) AND also pass your personal or some specific credentials in a file using either --env or --env-file as

AWS_ACCESS_KEY_ID=AKIA*******************
AWS_SECRET_ACCESS_KEY=***********************

Your user or the user created for act must have permissions to asume the github actions role