Can't access OIDC token from github workflow in one runner but not the other

Question

I'm trying to get my Github workflows running on self-hosted runners. I've got the self-hosted runner installed on two computers:

• Macbook Pro
• Ubuntu desktop

The Macbook pro runner works fine, but the Ubuntu runner fail at this step:

- name: Assume role using OIDC
  uses: aws-actions/configure-aws-credentials@master
  with:
    role-to-assume: arn:aws:iam::123456789012:role/github-connection-role
    aws-region: us-west-2

With this error:

Error: The security token included in the request is invalid.

For more context, here's the entire workflow

name: Deploy
on:
  push:
    branches:
      - main

jobs:
  ci:
    name: Build and deploy with Node 16
    timeout-minutes: 60
    runs-on: self-hosted

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Use Node.js 16
        uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: 'npm'
          cache-dependency-path: package-lock.json

      - name: Install dependencies
        run: npm install

      - name: Build
        run: npm run build

      - name: Assume role using OIDC
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-connection-role
          aws-region: us-west-2

      - name: Deploy
        run: npx cdk deploy app-production-stack --ci --require-approval never

Is there something I need to configure on the runner host before it can access security tokens in running jobs?

Answer 1

The issue ended up being that my Ubuntu computer was configured with expired AWS credentials. I assumed the host AWS wasn't used by the runner. I was able to fix the issue by updating the Ubuntu ~/.aws/credentials file to include a default profile that has permission to assume my github-connection-role role.