
Upgrading from v5 to v6 breaks OIDC role assumption in reusable workflows #1707

@pabloinigo

Description


After upgrading from aws-actions/configure-aws-credentials v5 to v6, OIDC role assumption fails in reusable workflows with the error:

Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

The action retries 12 times with exponential backoff before failing. No changes were made to IAM trust policies or role configurations — the only change was the action version upgrade.

Setup

We use this action inside reusable workflows called from multiple repositories. The calling workflow has:

permissions:
  id-token: write
  contents: read

The reusable workflow invokes the action as:

- uses: aws-actions/configure-aws-credentials@v6
  with:
    role-to-assume: arn:aws:iam::<account-id>:role/<role-name>
    aws-region: eu-west-1
    role-duration-seconds: 3600
    audience: sts.amazonaws.com

Steps to reproduce

  1. Have a working setup using aws-actions/configure-aws-credentials@v5 with OIDC inside a reusable workflow
  2. Upgrade to aws-actions/configure-aws-credentials@v6
  3. Run the workflow — OIDC role assumption fails

Expected behavior

Role assumption via OIDC should work the same as v5 without requiring changes to IAM trust policies.

Actual behavior

The action logs "Assuming role with OIDC" 12 times (retry mechanism) and then fails with:

Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Logs

2026-03-25T15:54:06.8567018Z Assuming role with OIDC
2026-03-25T15:54:07.2147151Z Assuming role with OIDC
2026-03-25T15:54:07.3317433Z Assuming role with OIDC
... (12 retries with exponential backoff)
2026-03-25T15:56:41.3430774Z ##[error]Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Environment

  • Runner: ubuntu-24.04
  • Working version: aws-actions/configure-aws-credentials@v5 (node20)
  • Broken version: aws-actions/configure-aws-credentials@v6 (node24)
  • Context: Action is called inside a reusable workflow (uses: org/repo/.github/workflows/plan.yml@tag)

Questions

  1. Did v6 change anything about how the OIDC token is requested or its claims (e.g., sub, aud)?
  2. Are there required changes to IAM trust policies when upgrading from v5 to v6?
  3. Is there a known issue with v6 and reusable workflows specifically?

Labels

bug, closing-soon, p1, response-requested