GitHub OIDC assume role fails when limiting S3 bucket resource in IAM policy

[tobiasehlert]

I am trying to authenticate a GitHub Action workflow towards a S3 bucket in my AWS account and most stuff seems to be working, except that I can't limit my IAM policy to only be towards one S3 bucket.

Error from aws-actions/configure-aws-credentials

Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

This is the workflow authentication step:

- name: Configure aws credentials
  uses: aws-actions/configure-aws-credentials@v3
  with:
    aws-region: eu-north-1
    role-to-assume: arn:aws:iam::111111111111:role/GH-my-poc-bucket-role

I set up my stuff with Terraform, similar to this example, but slightly different:
https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/examples/iam-github-oidc/main.tf

This is the trust policy on the GH-my-poc-bucket-role role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:my-organisation/my-poc-bucket-repo:ref:refs/heads/main"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com"
                }
            }
        }
    ]
}

Working IAM policy

{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Failing IAM policy

{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::eu-north-1-111111111111-my-poc-bucket/*",
                "arn:aws:s3:::eu-north-1-111111111111-my-poc-bucket"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Why the heck can't I limit the policy to allow access to only one bucket?

Kind regards,
Tobias

[tobiasehlert]

The run was started from a branch.. so the main reference in the trust policy was the issue to this.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.