
Credentials-chaining example in readme doesn't work without role-skip-session-tagging #1396

@fenderb

Describe the bug

The example of credentials-chaining in the current README doesn't work as-is. If I add role-skip-session-tagging: true it works, but I'm not sure why.


Expected Behavior

The secondary role is assumed.

Current Behavior

The secondary role fails to be assumed.

Reproduction Steps

This workflow fails to assume the second role:

name: Test AWS AssumeRole Chaining
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  test-assume-role-chaining:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/[email protected]
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::111111111111:role/MyOIDCRole
        role-session-name: MySessionName
    - name: Configure other AWS Credentials
      uses: aws-actions/[email protected]
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::222222222222:role/MyOtherRole
        role-session-name: MySessionName
        role-chaining: true
    - name: Test Credentials
      run: aws sts get-caller-identity

Possible Solution

This workflow correctly assumes the second role now that I have added role-skip-session-tagging: true. I have no idea why this particular setting matters; I discovered it while comparing against another working example from v1:

name: Test AWS AssumeRole Chaining
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  test-assume-role-chaining:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/[email protected]
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::111111111111:role/MyOIDCRole
        role-session-name: MySessionName
    - name: Configure other AWS Credentials
      uses: aws-actions/[email protected]
      with:
        aws-region: us-west-2
        role-to-assume: arn:aws:iam::222222222222:role/MyOtherRole
        role-session-name: MySessionName
        role-chaining: true
        role-skip-session-tagging: true
    - name: Test Credentials
      run: aws sts get-caller-identity

Additional Information/Context

The README example uses v4.1.0; the behavior in the current v4.2.1 is identical.
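A check a maintainer could run over workflow files for the pattern this report describes, as an added example (not the reporter's code or the action's own): it parses the steps of a workflow and flags any configure-aws-credentials step that sets role-chaining: true without role-skip-session-tagging: true. The sample workflow is a constructed copy of the failing one above, with the action reference spelled out and pinned to v4.2.1 as an assumption.

```python
# Added example, not from the issue or the action's own code: a small lint that parses a
# GitHub Actions workflow and flags the pattern reported above, a configure-aws-credentials
# step with role-chaining: true but without role-skip-session-tagging: true. The YAML
# handling is deliberately minimal (one "key: value" per line under each step).
FAILING_WORKFLOW = """\
jobs:
  test-assume-role-chaining:
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.2.1
      with:
        role-to-assume: arn:aws:iam::111111111111:role/MyOIDCRole
        role-session-name: MySessionName
    - name: Configure other AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4.2.1
      with:
        role-to-assume: arn:aws:iam::222222222222:role/MyOtherRole
        role-session-name: MySessionName
        role-chaining: true
    - name: Test Credentials
      run: aws sts get-caller-identity
"""  # constructed sample: the failing workflow from the report, pinned to v4.2.1

def parse_steps(workflow_text):
    """Return one {'name', 'uses', 'with'} dict per '- name:' step."""
    steps, current = [], None
    for raw in workflow_text.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            current = {"name": line.split(":", 1)[1].strip(), "uses": "", "with": {}}
            steps.append(current)
        elif current is None or line.endswith(":") or line.startswith("run:"):
            continue  # job-level keys, a block opener such as 'with:', or a shell command
        elif line.startswith("uses:"):
            current["uses"] = line.split(":", 1)[1].strip()
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only: ARNs contain colons
            current["with"][key.strip()] = value.strip()
    return steps

def chaining_findings(workflow_text):
    """Names of configure-aws-credentials steps that chain roles but still tag the session."""
    bad = []
    for step in parse_steps(workflow_text):
        inputs = step["with"]
        if (step["uses"].startswith("aws-actions/configure-aws-credentials@")
                and inputs.get("role-chaining") == "true"
                and inputs.get("role-skip-session-tagging") != "true"):
            bad.append(step["name"])
    return bad
```

Running chaining_findings over the failing workflow names the second step; once role-skip-session-tagging: true is added to that step, as in the reporter's workaround, the list is empty.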
