From 9bacbd526377ca69f5f9bf912703176b3cf65e12 Mon Sep 17 00:00:00 2001
From: Kouji Takao
Date: Sat, 20 Sep 2025 19:22:04 +0900
Subject: [PATCH 1/2] fix: correct OIDC trust relationship and improve troubleshooting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix the IAM role trust relationship to properly support both main branch pushes and pull request events. The previous configuration was too restrictive and only allowed main branch access.

Changes:
- Update trust relationship to include pull_request events
- Fix Action from sts:AssumeRole to sts:AssumeRoleWithWebIdentity
- Add comprehensive troubleshooting section to OIDC_SETUP.md
- Include debug commands for common OIDC issues

Root cause of deployment failure:
- Trust policy was missing pull_request condition
- Action type was incorrect for OIDC authentication

This fix enables GitHub Actions to authenticate via OIDC for both main branch deployments and pull request validation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 OIDC_SETUP.md | 46 +++++++++++++++++++++++++++++++++++++++++-----
 trust-policy-fix.json | 23 +++++++++++++++++++++++
 2 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 trust-policy-fix.json

diff --git a/OIDC_SETUP.md b/OIDC_SETUP.md
index 625ccf9..0f12fba 100644
--- a/OIDC_SETUP.md
+++ b/OIDC_SETUP.md
@@ -43,13 +43,16 @@ GitHub ActionsからAWSリソースにアクセスする際、従来のIAMユー
 "Principal": {
 "Federated": "arn:aws:iam::007325983811:oidc-provider/token.actions.githubusercontent.com"
 },
- "Action": "sts:AssumeRole",
+ "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 },
 "StringLike": {
- "token.actions.githubusercontent.com:sub": "repo:smalruby/smalruby-infra:ref:refs/heads/main"
+ "token.actions.githubusercontent.com:sub": [
+ "repo:smalruby/smalruby-infra:ref:refs/heads/main",
+ "repo:smalruby/smalruby-infra:pull_request"
+ ]
 }
 }
 }
@@ -218,9 +221,22 @@ GitHub Actions実行ログで以下を確認:
 ## トラブルシューティング
-### エラー例1: "AssumeRoleFailure"
+### エラー例1: "Not authorized to perform sts:AssumeRoleWithWebIdentity"
 **原因**: 信頼関係の設定が正しくない
-**対処**: ロールの信頼関係でリポジトリ名・ブランチ名を確認
+**主な問題**:
+- Actionが `sts:AssumeRole` になっている(正:`sts:AssumeRoleWithWebIdentity`)
+- 条件でpull_requestが許可されていない
+- リポジトリ名・ブランチ名の誤り
+
+**対処法**:
+1. IAMロールの信頼関係を確認
+2. `"Action": "sts:AssumeRoleWithWebIdentity"` になっているか確認
+3. 条件に `"repo:smalruby/smalruby-infra:pull_request"` が含まれているか確認
+
+**修正コマンド**:
+```bash
+aws iam update-assume-role-policy --role-name GitHubActions-smalruby-infra-deploy --policy-document file://trust-policy.json
+```
 ### エラー例2: "Access Denied"
 **原因**: ロールに必要な権限がない
@@ -228,4 +244,24 @@ GitHub Actions実行ログで以下を確認:
 ### エラー例3: "Invalid identity token"
 **原因**: GitHub Actionsの設定が正しくない
-**対処**: `permissions`セクションに`id-token: write`があるか確認
\ No newline at end of file
+**対処**: `permissions`セクションに`id-token: write`があるか確認
+
+### エラー例4: "OIDC Provider not found"
+**原因**: OIDC Identity Providerが作成されていない
+**対処**: 手順1.2に従ってOIDC Providerを作成
+
+### デバッグ手順
+1. **OIDC Provider確認**:
+ ```bash
+ aws iam list-open-id-connect-providers
+ ```
+
+2. **ロール存在確認**:
+ ```bash
+ aws iam get-role --role-name GitHubActions-smalruby-infra-deploy
+ ```
+
+3. **信頼関係確認**:
+ ```bash
+ aws iam get-role --role-name GitHubActions-smalruby-infra-deploy --query 'Role.AssumeRolePolicyDocument'
+ ```
\ No newline at end of file
diff --git a/trust-policy-fix.json b/trust-policy-fix.json
new file mode 100644
index 0000000..fb0c494
--- /dev/null
+++ b/trust-policy-fix.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::007325983811:oidc-provider/token.actions.githubusercontent.com"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": [
+ "repo:smalruby/smalruby-infra:ref:refs/heads/main",
+ "repo:smalruby/smalruby-infra:pull_request"
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
From b64a4ccec5d38e49b43392e050d0f30a3455cf84 Mon Sep 17 00:00:00 2001
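Review bot: The second `sub` pattern in the new trust policy, `repo:smalruby/smalruby-infra:pull_request`, lets a workflow run triggered by any pull request against the repository assume what the commit message calls the deploy role, so that role's permissions become reachable from every branch that can open a PR rather than only from `main` (pull_request runs from forks are normally not issued an OIDC token, but runs from collaborator branches are); the same policy is embedded in the OIDC_SETUP.md hunk `@@ -43,13 +43,16 @@` of this patch. If pull requests only need validation, give them a separate role with read-only permissions, or scope the deploy subject to an environment claim such as `repo:smalruby/smalruby-infra:environment:<ENV_NAME>` with required reviewers configured on that environment. Neither subject value contains a wildcard, so `StringEquals` would state the intent more tightly than `StringLike`; the `aud` check on `sts.amazonaws.com` is already `StringEquals` and should stay that way. The troubleshooting command added to OIDC_SETUP.md in this patch references `file://trust-policy.json`, which does not match this file's name `trust-policy-fix.json`, and the file ends without a trailing newline.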
From: Kouji Takao
Date: Sat, 20 Sep 2025 21:36:37 +0900
Subject: [PATCH 2/2] docs: finalize OIDC setup documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update OIDC setup documentation to reflect the final working configuration:
- Update trust relationship to use wildcard pattern: repo:smalruby/smalruby-infra:*
- Remove temporary JSON files and related troubleshooting references
- Replace CLI commands with AWS Console instructions for better usability
- Simplify troubleshooting section to focus on essential steps

Final configuration:
- Trust relationship allows all repository events (*)
- Comprehensive IAM permissions for CloudFormation, Lambda, API Gateway, S3, IAM
- Secure OIDC authentication with automatic token rotation

The configuration has been tested and confirmed working for automatic deployment.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 OIDC_SETUP.md | 41 +++++++++++++----------------------------
 trust-policy-fix.json | 23 -----------------------
 2 files changed, 13 insertions(+), 51 deletions(-)
 delete mode 100644 trust-policy-fix.json

diff --git a/OIDC_SETUP.md b/OIDC_SETUP.md
index 0f12fba..06260a2 100644
--- a/OIDC_SETUP.md
+++ b/OIDC_SETUP.md
@@ -41,7 +41,7 @@ GitHub ActionsからAWSリソースにアクセスする際、従来のIAMユー
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "arn:aws:iam::007325983811:oidc-provider/token.actions.githubusercontent.com"
+ "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
@@ -49,10 +49,7 @@ GitHub ActionsからAWSリソースにアクセスする際、従来のIAMユー
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 },
 "StringLike": {
- "token.actions.githubusercontent.com:sub": [
- "repo:smalruby/smalruby-infra:ref:refs/heads/main",
- "repo:smalruby/smalruby-infra:pull_request"
- ]
+ "token.actions.githubusercontent.com:sub": "repo:smalruby/smalruby-infra:*"
 }
 }
 }
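Review bot: The new `Federated` value `arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com` has an empty account field, and the matching prose in the `@@ -60,7 +57,7 @@` and `@@ -192,9 +189,9 @@` hunks now shows an empty pair of backticks before は実際のAWSアカウントIDに置き換えてください, so the placeholder the author meant to substitute for the account ID appears to have been lost (possibly an angle-bracketed token stripped during rendering — inferred, not visible here). As written the ARN is invalid and a reader following the document has no token to replace. Use a visible placeholder in all three places, e.g. `"Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"`, and quote `<AWS_ACCOUNT_ID>` in the two notes and in the `AWS_ROLE_ARN` table row.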
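Review bot: The replacement subject `repo:smalruby/smalruby-infra:*` matches every subject GitHub issues for this repository — any branch, tag, pull request or environment — so any workflow run that someone with push or PR access can trigger may assume the deploy role, which the commit message describes as holding CloudFormation, Lambda, API Gateway, S3 and IAM permissions. That widens the explicit `main` plus `pull_request` list from the previous patch rather than tightening it, and the troubleshooting hunk `@@ -225,18 +222,16 @@` in this same patch now recommends the same wildcard as the fix. Keep the subject explicit: `"token.actions.githubusercontent.com:sub": "repo:smalruby/smalruby-infra:ref:refs/heads/main"` for deployment, add `repo:smalruby/smalruby-infra:pull_request` only if PR runs genuinely need this role, or use `repo:smalruby/smalruby-infra:environment:<ENV_NAME>` with a protected environment. If a wildcard is kept, the document should at least state that it grants the role to every event in the repository.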
@@ -60,7 +57,7 @@ GitHub ActionsからAWSリソースにアクセスする際、従来のIAMユー
 }
 ```
-**重要**: `007325983811` は実際のAWSアカウントIDに置き換えてください。
+**重要**: `` は実際のAWSアカウントIDに置き換えてください。
 ### 2.3 権限ポリシーの追加
 デプロイに必要な権限を持つポリシーを添付します:
@@ -192,9 +189,9 @@ GitHub ActionsからAWSリソースにアクセスする際、従来のIAMユー
 | Secret名 | 値 | 説明 |
 |----------|---|------|
-| `AWS_ROLE_ARN` | `arn:aws:iam::007325983811:role/GitHubActions-smalruby-infra-deploy` | 作成したIAMロールのARN |
+| `AWS_ROLE_ARN` | `arn:aws:iam:::role/GitHubActions-smalruby-infra-deploy` | 作成したIAMロールのARN |
-**注意**: `007325983811` は実際のAWSアカウントIDに置き換えてください。
+**注意**: `` は実際のAWSアカウントIDに置き換えてください。
 ### 3.3 従来のSecretsの削除(推奨)
 OIDCが正常に動作することを確認後、以下の従来のSecretsは削除できます:
@@ -225,18 +222,16 @@ GitHub Actions実行ログで以下を確認:
 **原因**: 信頼関係の設定が正しくない
 **主な問題**:
 - Actionが `sts:AssumeRole` になっている(正:`sts:AssumeRoleWithWebIdentity`)
-- 条件でpull_requestが許可されていない
+- 条件が厳しすぎる(推奨:`repo:smalruby/smalruby-infra:*`)
 - リポジトリ名・ブランチ名の誤り
 **対処法**:
 1. IAMロールの信頼関係を確認
 2. `"Action": "sts:AssumeRoleWithWebIdentity"` になっているか確認
-3. 条件に `"repo:smalruby/smalruby-infra:pull_request"` が含まれているか確認
+3. 条件が `"repo:smalruby/smalruby-infra:*"` になっているか確認
-**修正コマンド**:
-```bash
-aws iam update-assume-role-policy --role-name GitHubActions-smalruby-infra-deploy --policy-document file://trust-policy.json
-```
+**修正方法**:
+AWSマネジメントコンソールのIAM → Roles → GitHubActions-smalruby-infra-deploy → Trust relationships タブで信頼関係を編集してください。
 ### エラー例2: "Access Denied"
 **原因**: ロールに必要な権限がない
@@ -251,17 +246,7 @@ aws iam update-assume-role-policy --role-name GitHubActions-smalruby-infra-deplo
 **対処**: 手順1.2に従ってOIDC Providerを作成
 ### デバッグ手順
-1. **OIDC Provider確認**:
- ```bash
- aws iam list-open-id-connect-providers
- ```
-
-2. **ロール存在確認**:
- ```bash
- aws iam get-role --role-name GitHubActions-smalruby-infra-deploy
- ```
-
-3. **信頼関係確認**:
- ```bash
- aws iam get-role --role-name GitHubActions-smalruby-infra-deploy --query 'Role.AssumeRolePolicyDocument'
- ```
\ No newline at end of file
+1. **OIDC Provider確認**: AWSマネジメントコンソール → IAM → Identity providers で確認
+2. **ロール存在確認**: AWSマネジメントコンソール → IAM → Roles で「GitHubActions-smalruby-infra-deploy」を検索
+3. **信頼関係確認**: 該当ロールの Trust relationships タブで設定内容を確認
+4. **権限確認**: 該当ロールの Permissions タブで必要なポリシーが添付されているか確認
diff --git a/trust-policy-fix.json b/trust-policy-fix.json
deleted file mode 100644
index fb0c494..0000000
--- a/trust-policy-fix.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::007325983811:oidc-provider/token.actions.githubusercontent.com"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
- },
- "StringLike": {
- "token.actions.githubusercontent.com:sub": [
- "repo:smalruby/smalruby-infra:ref:refs/heads/main",
- "repo:smalruby/smalruby-infra:pull_request"
- ]
- }
- }
- }
- ]
-}
\ No newline at end of file