I'm trying to run a GitHub action to do a DB migration on AWS on staging server.
name: db migration for stg.
on:
  push:
    branches:
      - staging
    paths:
      - api/db/migrate/**
jobs:
  migration:
    name: DB Migration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STG }}
          role-duration-seconds: 1200
          aws-region: ap-northeast-1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.7.2'
      - name: ssh configure
        env:
          SSH_SECRET_KEY: ${{ secrets.SSH_SECRET_KEY }}
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/config
          echo 'host i-* mi-*' >> ~/.ssh/config
          echo ' ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"' >> ~/.ssh/config
          echo $SSH_SECRET_KEY | base64 -d > ~/.ssh/id_rsa2
          chmod 0600 ~/.ssh/id_rsa2
      - name: db migration
        env:
          RAILS_ENV: <env>
          RAILS_MASTER_KEY: <key>
          RDS_HOSTNAME: 127.0.0.1
          RDS_DB_NAME: <db_name>
          RDS_USERNAME: <username>
          RDS_PASSWORD: <password>
          RDS_PORT: 9999
          STEP_SERVER_ID: <id>
          DB_HOST: <host>
        working-directory: ./api
        run: |
          ssh -f -N -L $RDS_PORT:$DB_HOST:3306 -i ~/.ssh/id_rsa2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ssm-user@$STEP_SERVER_ID
          sudo apt-get -yqq install libpq-dev
          gem install bundler
          bundle install --jobs 4 --retry 3
          bundle exec rails db:migrate
What might be the reason I'm getting this error when running this action? I tried many steps to narrow down the reason for the issue, whether it's caused by the assumable role, secret value errors, trust relationships, etc. Can you suggest what might be causing this?
Run aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ***
    aws-secret-access-key: ***
    role-to-assume: ***
    role-duration-seconds: 1200
    aws-region: ap-northeast-1
Error: User: arn:aws:iam::***:user/github_user is not authorized to perform: sts:TagSession on resource: ***
Policy summary of the github_user
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:*",
      "Resource": "*"
    }
  ]
}
I figured this out.
The answer is there very subtly in the documentation, but you have to give the user the permission for sts:TagSession and then add that same permission to the permissions policy of the role that you are assuming.
IAM User Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Resource": [
        "arn:aws:iam::11111111111:role/RoleToAssume"
      ]
    }
  ]
}
Trust Relationship on role that is being assumed
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00000000000:user/UserFromAbove"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
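Added example (Python, not code from the question, the answers or the configure-aws-credentials project): a small checker that applies the two-sided rule from this answer. It evaluates both the user's identity policy and the role's trust policy for sts:AssumeRole and sts:TagSession, so you can see before a workflow run which side is missing a grant. The policy documents are embedded as constructed sample data: the question's sts:* identity policy, the answer's scoped policy and trust policy, and an assumed trust policy that lists only sts:AssumeRole (the question does not show its trust policy). The ARNs and the `missing_permissions` function are mine; Principal matching is simplified to exact ARN or `*`, which covers the policies shown here.

```python
import fnmatch

# Both actions must be granted on each side for an AssumeRole call with session tags.
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:TagSession")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are case-insensitive, so both sides are lower-cased."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _principal_matches(stmt, principal_arn):
    """Does the statement's Principal block cover principal_arn?
    Simplified to exact ARN or '*' (no account-root or federated forms)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    allowed = _as_list(principal.get("AWS"))
    return "*" in allowed or principal_arn in allowed


def _effects(policy, action, resource_arn=None, principal_arn=None):
    """Collect the Effect of every statement that matches the request."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if not any(_match(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if resource_arn is not None and not any(
            _match(p, resource_arn) for p in _as_list(stmt.get("Resource"))
        ):
            continue
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        hits.add(stmt.get("Effect"))
    return hits


def _allowed(hits):
    """IAM evaluation order: an explicit Deny wins, otherwise an Allow is required."""
    return "Deny" not in hits and "Allow" in hits


def missing_permissions(user_policy, trust_policy, user_arn, role_arn):
    """Return the grants still missing for user_arn to assume role_arn with
    session tags. An empty list means both policies authorise the call."""
    missing = []
    for action in REQUIRED_ACTIONS:
        if not _allowed(_effects(user_policy, action, resource_arn=role_arn)):
            missing.append(f"identity policy: {action} on {role_arn}")
        if not _allowed(_effects(trust_policy, action, principal_arn=user_arn)):
            missing.append(f"trust policy: {action} for {user_arn}")
    return missing


# Constructed sample identities (not real accounts).
USER_ARN = "arn:aws:iam::000000000000:user/github_user"
ROLE_ARN = "arn:aws:iam::111111111111:role/RoleToAssume"

# Identity policy from the question: sts:* on every resource.
USER_POLICY_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}]}

# Scoped identity policy from the answer above.
USER_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
     "Resource": [ROLE_ARN]}]}

# Assumed trust policy that grants only sts:AssumeRole (the question's is not shown).
TRUST_ASSUME_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}

# Trust policy from the answer above: both actions for the user.
TRUST_BOTH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}]}


if __name__ == "__main__":
    cases = [("question: sts:* user, AssumeRole-only trust", USER_POLICY_WILDCARD, TRUST_ASSUME_ONLY),
             ("answer: scoped user, AssumeRole+TagSession trust", USER_POLICY_SCOPED, TRUST_BOTH)]
    for label, identity, trust in cases:
        print(label, "->", missing_permissions(identity, trust, USER_ARN, ROLE_ARN) or "OK")
```

The first case reproduces the situation in the question: the identity policy's sts:* already covers sts:TagSession, so the only report is the missing sts:TagSession in the trust policy, which is exactly what the error message points at. Explicit Deny statements on either side are honoured, so a scoped-down SCP-style deny on sts:TagSession would also surface here.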
I had the following use case.
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v2
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ env.AWS_REGION }}
    role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
    role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
    role-duration-seconds: 1200
    role-session-name: GithubBuildAndPushImageToECR
    role-skip-session-tagging: true
All I had to do was add role-skip-session-tagging: true
The above answers will work only if you are assuming a role through OIDC WebIdentity https://github.com/aws-actions/configure-aws-credentials#session-tagging-and-name
Hope this saves someone's day, I wasn't that lucky :-P