Description:
During the deployment I encountered an error stating that the OpenID Connect (OIDC) provider or the IAM role already exists. This issue arose because I had set up the OIDC provider and the IAM role for GitHub Actions manually on AWS, since that is what I understood was expected and it would not work otherwise.
My steps

I changed the id in sst.yml:

    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::[ID]:role/GitHub
          aws-region: us-east-1
I received an error:
GitHub/Resource: Received response status [FAILED] from custom resource. Message returned: EntityAlreadyExistsException: Provider with url https://token.actions.githubusercontent.com/ already exists.
using the initial code in ProdStack.ts:

    import { ManagedPolicy, OpenIdConnectPrincipal, OpenIdConnectProvider, Role } from "aws-cdk-lib/aws-iam";

    // Creates a new OIDC provider for GitHub; fails if the account already has one for this URL
    const provider = new OpenIdConnectProvider(stack, "GitHub", {
      url: "https://token.actions.githubusercontent.com",
      clientIds: ["sts.amazonaws.com"],
    });
    new Role(stack, "GitHubActionsRole", {
      // Only tokens issued for this repository may assume the role
      assumedBy: new OpenIdConnectPrincipal(provider).withConditions({
        StringLike: {
          "token.actions.githubusercontent.com:sub": `repo:daohoangson/bubby:*`,
        },
      }),
      description: "Role assumed for deploying from GitHub CI using AWS CDK",
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess"),
      ],
      roleName: "GitHub",
    });
To resolve the error, I adjusted the code in ProdStack.ts to use the existing OIDC provider and created a new IAM role:

    import { ManagedPolicy, OpenIdConnectPrincipal, OpenIdConnectProvider, Role } from "aws-cdk-lib/aws-iam";

    // Import the provider that already exists in the account instead of creating it
    const existingProviderArn = "arn:aws:iam::[ID]:oidc-provider/token.actions.githubusercontent.com";
    const provider = OpenIdConnectProvider.fromOpenIdConnectProviderArn(stack, "GitHub", existingProviderArn);
    new Role(stack, "GitHubActionsRole", {
      assumedBy: new OpenIdConnectPrincipal(provider).withConditions({
        StringLike: {
          "token.actions.githubusercontent.com:sub": `repo:[NAME]/bubby:*`,
        },
      }),
      description: "Role assumed for deploying from GitHub CI using AWS CDK",
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess"),
      ],
      roleName: "GitHubNew",
    });
With the adjusted code I managed to deploy successfully. However, I am just curious what I did wrong when setting up the app with the initial code. Thanks in advance. PS: It might be useful to describe these steps in the README.
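The following is an added example, not code from the issue or from the bubby project: it builds the trust policy that the `Role` above synthesizes (one OIDC provider per URL per account, hence the derived ARN rather than a second `new OpenIdConnectProvider`) and checks sample GitHub OIDC `sub` claims against the `StringLike` condition to show exactly which workflows it admits. The account id, owner and repository are placeholder inputs supplied by the caller.

```typescript
// Added example: the IAM trust policy behind the CDK Role, plus a checker for
// GitHub OIDC claims. Account id, owner and repo are placeholder inputs.

type TrustPolicy = {
  Version: "2012-10-17";
  Statement: Array<{
    Effect: "Allow";
    Principal: { Federated: string };
    Action: "sts:AssumeRoleWithWebIdentity";
    Condition: {
      StringEquals: { "token.actions.githubusercontent.com:aud": string };
      StringLike: { "token.actions.githubusercontent.com:sub": string };
    };
  }>;
};

// An account holds at most one provider per URL, so its ARN is derived from
// the account id and imported; creating it again is what raised the error.
function githubProviderArn(accountId: string): string {
  return `arn:aws:iam::${accountId}:oidc-provider/token.actions.githubusercontent.com`;
}

function buildTrustPolicy(accountId: string, owner: string, repo: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: githubProviderArn(accountId) },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        // aud must be the STS audience the provider was registered with
        StringEquals: { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
        // sub scopes the trust to workflows of this one repository
        StringLike: { "token.actions.githubusercontent.com:sub": `repo:${owner}/${repo}:*` },
      },
    }],
  };
}

// IAM StringLike semantics: "*" matches any run of characters, "?" one character, case-sensitive.
function stringLike(pattern: string, value: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(value);
}

// Would a token carrying these claims be allowed to assume the role?
function tokenAllowed(policy: TrustPolicy, claims: { aud: string; sub: string }): boolean {
  return policy.Statement.some(s =>
    s.Condition.StringEquals["token.actions.githubusercontent.com:aud"] === claims.aud &&
    stringLike(s.Condition.StringLike["token.actions.githubusercontent.com:sub"], claims.sub));
}
```

Note that `repo:owner/bubby:*` admits every branch, tag and environment of that repository but not a similarly named repository such as `bubby-fork`; tightening the pattern to `repo:owner/bubby:ref:refs/heads/main` limits the role to one branch.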