Skip to content

Output aws-account-id incorrect for chained role #1578

New issue
New issue
Open
Open
Output aws-account-id incorrect for chained role#1578
Labels
bugSomething isn't workingneeds-triageThis issue still needs to be triaged
@andrew-wiggins

Description

@andrew-wiggins
andrew-wiggins
opened on Dec 3, 2025

Describe the bug

Similar issue to #911

We're seeing an issue where the output value of aws-account-id for the chained account that's assumed is incorrectly set to the value of the first account.

- name: Assume Hub Role
  id: assume-hub
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: ${{ vars.IAM_ROLE_HUB }} # <---- 111111111111
    aws-region: ca-central-1
    role-skip-session-tagging: true

- name: Assume Spoke Role
  id: assume-spoke
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: ${{ vars.IAM_ROLE_SPOKE }} # <---- 222222222222
    aws-region: ca-central-1
    role-chaining: true
    role-skip-session-tagging: true
    mask-aws-account-id: false

- name: Debug build spoke identity
  run: |
    echo "ASSUME_SPOKE_ACCOUNT=${{ steps.assume-spoke.outputs.aws-account-id }}" # <---- 111111111111
    aws sts get-caller-identity # <---- 222222222222

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

We'd expect that the aws-account-id output for the second assumed role ("spoke" in the above example) would be the account id of the assumed role.

- name: Debug build spoke identity
  run: |
    echo "ASSUME_SPOKE_ACCOUNT=${{ steps.assume-spoke.outputs.aws-account-id }}" # <---- 222222222222
    aws sts get-caller-identity # <---- 222222222222

Current Behavior

We see that the aws-account-id output for the second assume role ("spoke" in the above example) is being set to the account id of the originally assumed role ("hub" in the above example)

Reproduction Steps

name: Output Test

on:
  push:

jobs:
  build:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Assume Hub Role
        id: assume-hub
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ vars.IAM_ROLE_HUB }} # <---- 111111111111
          aws-region: ca-central-1
          role-skip-session-tagging: true

      - name: Assume Spoke Role
        id: assume-spoke
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ vars.IAM_ROLE_SPOKE }} # <---- 222222222222
          aws-region: ca-central-1
          role-chaining: true
          role-skip-session-tagging: true
          mask-aws-account-id: false

      - name: Debug build spoke identity
        run: |
          echo "ASSUME_SPOKE_ACCOUNT=${{ steps.assume-spoke.outputs.aws-account-id }}"
          aws sts get-caller-identity

Possible Solution

It could be an issue where the STS client needs to be cleared when we're assuming a chained role. Sometime before this happens we should reset the STS credentials I think.

Additional Information/Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingneeds-triageThis issue still needs to be triaged

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions