
Bug: Use-STSWebIdentityRole Returns No Credentials in PowerShell (Only Expiration field is Returned) #362

Closed
1 task
dotNetNaji opened this issue Oct 18, 2024 · 8 comments
Assignees
Labels
bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. module/powershell-cmdlets p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@dotNetNaji

dotNetNaji commented Oct 18, 2024

Describe the bug

Issue Description: I am encountering an issue with the Use-STSRoleWithWebIdentity cmdlet in AWS Tools for PowerShell when running it in a Bitbucket Pipeline. The cmdlet returns an object that contains ONLY the Expiration value. The AWS CLI, using the same parameters (role ARN, web identity token, session name, etc.), works as expected and returns the full credentials (AccessKeyId, SecretAccessKey, and SessionToken).

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The Use-STSRoleWithWebIdentity cmdlet should return the full credentials (similar to the AWS CLI), including the AccessKeyId, SecretAccessKey, and SessionToken.

Current Behavior

The Credentials object in the response contains only the Expiration field.
No errors or exceptions are thrown, but the complete credentials are missing from the response.

Reproduction Steps

Environment:
Bitbucket Pipeline (using mcr.microsoft.com/dotnet/sdk:8.0 image)
AWS Tools for PowerShell version: 4.1.680
PowerShell version: 7.5.4
AWS region: eu-west-1

PowerShell Code: (Running inside a bitbucket pipeline)

$stsResponse = Use-STSRoleWithWebIdentity `
    -RoleArn $env:PIPELINE_ROLE_ARN `
    -RoleSessionName "build-session" `
    -WebIdentityToken $env:BITBUCKET_STEP_OIDC_TOKEN `
    -DurationSeconds 3600

# Output response to verify
$stsResponse | ConvertTo-Json -Depth 10 | Write-Host

Output:

{
  "Expiration": "2024-10-18T20:27:47+00:00"
}

AWS CLI Command (Works as expected):

aws sts assume-role-with-web-identity \
      --role-arn $PIPELINE_ROLE_ARN \
      --role-session-name session-name \
      --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN \
      --duration-seconds 3600

CLI output

{
  "Credentials": {
    "AccessKeyId": "AKIA...",
    "SecretAccessKey": "wJalrX...",
    "SessionToken": "IQoJb...",
    "Expiration": "2024-10-18T20:27:47+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAXXXXXXXXXXXX:build-session",
    "Arn": "arn:aws:sts::XXXXXXXXXX:assumed-role/my-role/build-session"
  }
}

Possible Solution

No response

Additional Information/Context

Bitbucket Pipelines OIDC is configured correctly as the AWS CLI works without issue.
No errors or exceptions are thrown in PowerShell; it simply returns an object with only the Expiration field.

AWS Tools for PowerShell version used

Name : AWS.Tools.Common
Version : 4.1.680

Name : AWS.Tools.SecurityToken
Version : 4.1.680

PowerShell version used

Major : 7
Minor : 4
Patch : 5
PreReleaseLabel :
BuildLabel :

Operating System and version

Ubuntu

@dotNetNaji dotNetNaji added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2024
@dotNetNaji dotNetNaji changed the title Bug: Use-STSRoleWithWebIdentity Returns Null Response in Bitbucket Pipeline, While AWS CLI Works Bug: Use-STSRoleWithWebIdentity Returns Only the Experation in Bitbucket Pipeline, While AWS CLI Works Oct 18, 2024
@dotNetNaji dotNetNaji changed the title Bug: Use-STSRoleWithWebIdentity Returns Only the Experation in Bitbucket Pipeline, While AWS CLI Works Bug: Use-STSRoleWithWebIdentity Returns Only the Experation While AWS CLI Works Oct 18, 2024
@dotNetNaji dotNetNaji changed the title Bug: Use-STSRoleWithWebIdentity Returns Only the Experation While AWS CLI Works Bug: Use-STSRoleWithWebIdentity Returns object that contains just the Expiration While AWS CLI Works fine Oct 18, 2024
@dotNetNaji dotNetNaji changed the title Bug: Use-STSRoleWithWebIdentity Returns object that contains just the Expiration While AWS CLI Works fine Bug: Use-STSRoleWithWebIdentity Returns Null Credentials Object in PowerShell (Only Expiration is Returned) Oct 18, 2024
@bhoradc bhoradc added module/powershell-cmdlets p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 21, 2024
@bhoradc

bhoradc commented Oct 21, 2024

Hello @dotNetNaji,

Thank you for reporting this issue. It appears that you are using a custom cmdlet, Use-STSRoleWithWebIdentity?

Use-STSRoleWithWebIdentity doesn't seem to be a cmdlet provided by the AWS Tools for PowerShell. The official cmdlet for assuming a role with web identity credentials is Use-STSWebIdentityRole, which is part of the AWS.Tools.SecurityToken module within the AWS Tools for PowerShell package.

Can you please confirm whether you are experiencing a similar issue when using the Use-STSWebIdentityRole cmdlet? This should call the AWS STS AssumeRoleWithWebIdentity API operation.

In this case, I am unsure why Use-STSRoleWithWebIdentity would return a null response. However, if you continue to experience issues with the official Use-STSWebIdentityRole cmdlet, please let us know.

Regards,
Chaitanya

@bhoradc bhoradc added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 21, 2024
@bhoradc bhoradc self-assigned this Oct 21, 2024
@dotNetNaji
Author

Hello @bhoradc,

I can confirm that I'm facing the same issue with the Use-STSWebIdentityRole cmdlet.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 22, 2024
@dotNetNaji dotNetNaji changed the title Bug: Use-STSRoleWithWebIdentity Returns Null Credentials Object in PowerShell (Only Expiration is Returned) Bug: Use-STSRoleWithWebIdentity Returns No Credentials in PowerShell (Only Expiration field is Returned) Oct 22, 2024
@dotNetNaji
Author

Hello @bhoradc, any updates on this?

@ashishdhingra
Contributor

> Hello @bhoradc, any updates on this?

@dotNetNaji I will try to review this tomorrow and discuss with the team accordingly.

@ashishdhingra ashishdhingra added the needs-reproduction This issue needs reproduction. label Nov 13, 2024
@ashishdhingra ashishdhingra changed the title Bug: Use-STSRoleWithWebIdentity Returns No Credentials in PowerShell (Only Expiration field is Returned) Bug: Use-STSWebIdentityRole Returns No Credentials in PowerShell (Only Expiration field is Returned) Nov 19, 2024
@ashishdhingra
Contributor

ashishdhingra commented Nov 20, 2024

Assuming that the IAM Identity Provider is set up properly and we have access to the Web Identity Token (JWT), Use-STSWebIdentityRole does return temporary credentials. Below are the steps to reproduce and the reason why, by default, only the Expiration field is returned.

STEPS:
For testing purposes, we would use GitHub OpenID Connect.

  • Follow steps at Configuring OpenID Connect in Amazon Web Services to configure GitHub Identity Provider in IAM (refer section Adding the identity provider to AWS and AWS documentation):

    • For the provider URL: Use https://token.actions.githubusercontent.com
    • For the "Audience": Use sts.amazonaws.com
  • Create an IAM role named TestGitHubOIDCS3ReadOnlyRole (while creating the role, select trusted entity type Web identity and select the Identity provider created in the previous step). For testing purposes, it should have the AmazonS3ReadOnlyAccess permission and the below trust relationship (replace <<ACCOUNT_ID>> and <<REPO_NAME>> with appropriate values):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<<ACCOUNT_ID>>:oidc-provider/token.actions.githubusercontent.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                    },
                    "StringLike": {
                        "token.actions.githubusercontent.com:sub": "repo:<<REPO_NAME>>/*"
                    }
                }
            }
        ]
    }
  • Assuming that we have a GitHub account and a test repository, create the below GitHub workflow in a file named GitHubScriptOpenIdTest.yml in the .github/workflows folder:

    name: execme
    on:
      workflow_dispatch:
    
    jobs:
      execme:
        runs-on: ubuntu-latest
        permissions:
          id-token: write
        steps:
        - name: Fetch GitHub ID Token
          uses: actions/github-script@v7
          with:
            script: |
              const idToken = await core.getIDToken('sts.amazonaws.com');
              console.log(idToken);
              console.log(idToken.length);
              core.exportVariable('GITHUB_IDTOKEN', idToken);
        - name: Echo GitHub ID Token
          run: echo "$GITHUB_IDTOKEN" | sed 's/./& /g'

    IMPORTANT NOTE: Use the step Echo GitHub ID Token for testing purposes only. It outputs the GitHub Web Identity token with a space between characters. It would be a security risk to expose the token in workflow execution logs.

  • Manually execute the GitHub workflow. This outputs the GitHub Web Identity token with a space between characters.

  • From the GitHub workflow execution logs, copy the Web Identity token (with spaces) to a text editor. Replace each space character with an empty string. This is the Web Identity token we would use for testing purposes.

  • Open PowerShell prompt:

    • Install the PowerShell module AWS.Tools.SecurityToken by executing the command Install-AWSToolsModule AWS.Tools.SecurityToken -Cleanup (the -Cleanup parameter ensures that the existing old version is uninstalled).

    • Execute the below PowerShell cmdlet using the Web Identity Token retrieved in the previous steps:

      $response = Use-STSWebIdentityRole -RoleArn arn:aws:iam::<<ACCOUNT_ID>>:role/TestGitHubOIDCS3ReadOnlyRole -RoleSessionName TestGitHubOidc -Duration 900 -WebIdentityToken <<WEB_IDENTITY_TOKEN>> -Select *

      Notice the use of -Select *. This overrides the default -Select delegate.

    • $response has properties in addition to the Credentials property (which holds the temporary session credentials).

      AssumedRoleUser             : Amazon.SecurityToken.Model.AssumedRoleUser
      Audience                    : sts.amazonaws.com
      Credentials                 : Amazon.SecurityToken.Model.Credentials
      PackedPolicySize            : 0
      Provider                    : arn:aws:iam::<<ACCOUNT-ID>>:oidc-provider/token.actions.githubusercontent.com
      SourceIdentity              :
      SubjectFromWebIdentityToken : repo:<<REPO_NAME>>:ref:refs/heads/main

ROOT CAUSE:

@dotNetNaji Since the AWSWebIdentityCredentials class inherits from Amazon.Runtime.SessionAWSCredentials, this class can be used in places where credentials are needed. So, assuming that we are using Use-STSWebIdentityRole as below (without specifying -Select *):

$response = Use-STSWebIdentityRole -RoleArn arn:aws:iam::<<ACCOUNT_ID>>:role/TestGitHubOIDCS3ReadOnlyRole -RoleSessionName TestGitHubOidc -Duration 900 -WebIdentityToken <<WEB_IDENTITY_TOKEN>>

The temporary session credentials could be accessed in PowerShell as below:

$response.GetCredentials()

This returns the below output:

AccessKey : <<ACCESS_KEY>>
SecretKey : <<SECRET_KEY>>
Token     : <<SESSION_TOKEN>>
UseToken  : True
AccountId :

Hope this helps.

Thanks,
Ashish
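
An added example (not from the thread or the AWS Tools project) that puts the two access paths above side by side and adds the checks a pipeline step should make before using the credentials. It assumes the role and placeholder values from the steps above, that the JWT is available in $env:GITHUB_IDTOKEN (the variable name exported by the workflow step), and that AWS.Tools.SecurityToken is installed; -DurationInSeconds is the cmdlet's full parameter name, of which -Duration in the comment above is a prefix.

```powershell
# Added example, not code from the issue. <<...>> values are placeholders to replace.
$roleArn = "arn:aws:iam::<<ACCOUNT_ID>>:role/TestGitHubOIDCS3ReadOnlyRole"
$token   = $env:GITHUB_IDTOKEN   # assumption: OIDC JWT exported by the workflow step

# Path 1: default -Select. The cmdlet returns an AWSWebIdentityCredentials object.
# ConvertTo-Json serialises only its public Expiration property, which is exactly
# what the reporter saw; the key material is behind GetCredentials().
$webIdCreds = Use-STSWebIdentityRole -RoleArn $roleArn -RoleSessionName build-session `
    -DurationInSeconds 900 -WebIdentityToken $token
$immutable = $webIdCreds.GetCredentials()          # Amazon.Runtime.ImmutableCredentials
if (-not $immutable.UseToken) { throw "Expected session (temporary) credentials" }

# Path 2: -Select *. The cmdlet returns the whole AssumeRoleWithWebIdentityResponse,
# so the shape matches the AWS CLI output (Credentials + AssumedRoleUser).
$response = Use-STSWebIdentityRole -RoleArn $roleArn -RoleSessionName build-session `
    -DurationInSeconds 900 -WebIdentityToken $token -Select *
$creds = $response.Credentials                     # Amazon.SecurityToken.Model.Credentials

# Validate the response without ever writing secrets to the build log.
foreach ($field in 'AccessKeyId', 'SecretAccessKey', 'SessionToken') {
    if ([string]::IsNullOrEmpty($creds.$field)) { throw "STS response is missing $field" }
}
$remaining = $creds.Expiration.ToUniversalTime() - [DateTime]::UtcNow
if ($remaining.TotalMinutes -lt 5) { throw "Credentials expire in $($remaining.TotalMinutes) min" }

# Only non-secret facts are safe to log: who we became and when it expires.
Write-Host "Assumed $($response.AssumedRoleUser.Arn); expires $($creds.Expiration.ToUniversalTime())"

# Make the session credentials the default for later cmdlets in this shell only
# (no profile written to disk, so nothing outlives the pipeline step).
Set-AWSCredential -AccessKey $creds.AccessKeyId -SecretKey $creds.SecretAccessKey `
    -SessionToken $creds.SessionToken -Scope Global
```

Either path yields the same temporary credentials; -Select * is the one to use when a script expects the CLI-like response object, while the default object can be passed directly wherever an AWSCredentials instance is accepted.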

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-reproduction This issue needs reproduction. labels Nov 20, 2024

This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Nov 26, 2024
@dotNetNaji
Author

Thanks @ashishdhingra!
That was it!

The -Select * solved my issue!


⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
