unset-current-credentials results in an error #1308

Closed
jwr0 opened this issue Mar 16, 2025 · 2 comments
Labels
bug Something isn't working p2

jwr0 commented Mar 16, 2025

Describe the bug

If I run this action and assume a role by way of OIDC, the action will set a bunch of AWS_* environment variables. My expectation is that if I run the action again using unset-current-credentials: true it will unset all those environment variables which were created by the first action, leaving the runner without any AWS credentials.

Instead, I'm seeing Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers.

Thanks for all your efforts on this issue in particular, and also on this very useful action in general.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

      # I expect this to populate a bunch of `AWS_` variables, which it does correctly.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::1234567890:role/my-role

      # I expect this to be able to use the `AWS_` variables, which it does correctly
      - name: Terraform init
        run: terraform init

      # I expect this to be able to use the `AWS_` variables, which it does correctly
      - name: Terraform plan
        id: plan
        run: |
          set +e
          terraform plan -out tf.plan -no-color 2>&1 | tee tf.plan.txt

      # I expect this to wipe the `AWS_` variables, but instead it errors out
      - name: Unset terraform aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          unset-current-credentials: true

      # This last step and any subsequent step should no longer have any access to AWS credentials
      - name: Some random thing that might be insecure and even if its secure, it doesn't need AWS credentials
        uses: randomperson/we-dont-want-to-trust-this-action-by-some-random-person@v69

Current Behavior

The Unset terraform aws credentials step errors out saying Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers.

Reproduction Steps

The five steps pasted above should be a valid reproduction case, and you don't need to do anything with terraform specifically. You could replace the terraform steps with echo $AWS_... or similar, or omit them entirely.

Possible Solution

I can probably work around this by just resetting the variables myself, but that's hacky and gross.

- name: Unset the AWS variables
  # Do the same thing as this, but do it manually: https://github.com/aws-actions/configure-aws-credentials/blob/main/src/cleanup/index.ts#L17-L25
  # Values in $GITHUB_ENV are taken literally, so an empty value is written as NAME= with no quotes.
  run: |
    echo "AWS_ACCESS_KEY_ID=" >>"$GITHUB_ENV"
    echo "AWS_SECRET_ACCESS_KEY=" >>"$GITHUB_ENV"
    echo "AWS_SESSION_TOKEN=" >>"$GITHUB_ENV"
    echo "AWS_REGION=" >>"$GITHUB_ENV"
    echo "AWS_DEFAULT_REGION=" >>"$GITHUB_ENV"

Additional Information/Context

The specific concern is if my workflow generally does something like this:

If step 3 doesn't need credentials anyway, then I don't want step 3 to have access to any credentials.

jwr0 added the bug and needs-triage labels Mar 16, 2025
lehmanmj added the p2 label and removed the needs-triage label Apr 22, 2025
lehmanmj (Member) commented

Hi @jwr0, thanks for reaching out. The unset-current-credentials flag is intended to reset the environment variables before the action runs to fetch new credentials (to prevent unintended behavior from the existing environment variables).

Manually resetting the environment variables is the correct way to keep subsequent workflow steps from accessing credentials.

lehmanmj closed this as not planned Apr 22, 2025
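
The manual reset discussed in this thread, paired with a guard that a later step can run to confirm nothing is left, as an added example that is not part of the issue or the action's own code. The function names are hypothetical, the variable list is the five names from the issue, and `apply_env_file` is a simplified stand-in for how the runner loads `$GITHUB_ENV`, included only so the flow can be exercised offline.

```shell
#!/bin/sh
# Added example. AWS_VARS holds the five names listed in the issue's workaround.
AWS_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_REGION AWS_DEFAULT_REGION"

# Cleanup step: append NAME= (empty value) for each variable to the env file
# ($1, defaulting to $GITHUB_ENV). Everything after '=' is taken literally, so
# a value written as '' would be stored as two quote characters, not as empty.
clear_aws_env() {
  env_file="${1:-${GITHUB_ENV:-}}"
  [ -n "$env_file" ] || { echo "GITHUB_ENV is not set" >&2; return 2; }
  for name in $AWS_VARS; do
    printf '%s=\n' "$name" >>"$env_file"
  done
}

# Simplified stand-in for the runner (assumption: single-line NAME=value
# entries only): export each line of the env file into the current shell.
apply_env_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *=*) export "${line%%=*}=${line#*=}" ;;
    esac
  done <"$1"
}

# Guard for a later step: list the variables that are still non-empty.
# Prints names only, never values. Returns 1 if any remain.
leftover_aws_vars() {
  found=""
  for name in $AWS_VARS; do
    eval "val=\${$name:-}"
    [ -z "$val" ] || found="$found $name"
  done
  found="${found# }"
  [ -z "$found" ] && return 0
  echo "$found"
  return 1
}
```

Clearing the variables only removes them from the environment of later steps; it does not revoke the temporary credentials, and anything an earlier step wrote to disk is untouched.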
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
