Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Classic S3 Upload Task fails when using Service Connection configured to use OIDC authentication #565

Open
swansonaj opened this issue Aug 30, 2024 · 2 comments
Labels
needs-response Waiting on additional info and feedback from GitHub community.

Comments

@swansonaj
Copy link

Describe the bug
Many of our customer still use Classic Azure DevOps pipelines (as opposed to YAML pipelines) and therefore the classic tasks that come with the AWS Toolkit for Azure DevOps are also used. While trying a conversion of one of these pipelines to use a Service Connection with OIDC authentication enabled I can't seem to get past the following error: "Failed to assume role with OIDC: Error: System.AccessToken is undefined."

Here's a log excerpt with error in context:

Content uploads are performed using S3's PutObject API and/or the multi-part upload APIs. The specific APIs used depend on the size of the individual files being uploaded.
2024-08-30T20:12:30.8854418Z ==============================================================================
2024-08-30T20:12:31.5474060Z Configuring credentials for task
2024-08-30T20:12:31.5480739Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5480974Z Skipping Instance profile, we have OIDC enabled
2024-08-30T20:12:31.5491876Z ...configuring AWS credentials from service endpoint '7e45a58e-redacted'
2024-08-30T20:12:31.5493003Z Getting OIDC Token...
2024-08-30T20:12:31.5499826Z Failed to assume role with OIDC: Error: System.AccessToken is undefined
.
.
.

To reproduce

  1. Create an AWS Service Connection with "Use OIDC" enabled
  2. Create a classic Azure DevOps pipeline with an S3 Upload task in it and configure that task to use the service connection from step 1
  3. Run the pipeline it will fail

Expected behavior
The S3 Upload task should work

Screenshots

2024-08-30 16-05-42_cfn-poc-cfn-release - Release-7 - Pipelines

Your Environment

  • On-prem or cloud based?: Cloud
  • Azure DevOps version: Whatever version is used in the cloud
  • AWS Toolkit for Azure DevOps version: 1.15.0 (Latest)

Additional context
I tried the S3 Upload tasks using a YAML pipeline (same service connection and target S3 bucket) and it worked!

@shillam
Copy link

shillam commented Oct 16, 2024

Same issue here with ECR Push Image:

Getting OIDC Token...
Failed to assume role with OIDC: Error: System.AccessToken is undefined

@hayemaxi hayemaxi added needs-response Waiting on additional info and feedback from GitHub community. and removed needs-repro labels Dec 4, 2024
@hayemaxi
Copy link
Contributor

hayemaxi commented Dec 4, 2024

Please let us know if you still have this error after enabling OAuth Tokens in your pipeline.

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-response Waiting on additional info and feedback from GitHub community.
Projects
None yet
Development

No branches or pull requests

3 participants