V3 breaks by somehow assuming the use of OIDC #792

Closed
Neurrone opened this issue Aug 24, 2023 · 5 comments · Fixed by #796
Labels: bug, p1, response-requested

Comments

@Neurrone

Describe the bug

The action fails and somehow assumes the use of OIDC, even though it wasn't being used / configured.

Expected Behavior

No breakage when updating to V3

Current Behavior

Action fails with the following error:

    It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?
    Error: Could not determine how to assume credentials. Please check your inputs and try again.

Reproduction Steps

    - name: Assume deployment role
      uses: aws-actions/configure-aws-credentials@v3
      with:
        aws-region: ${{ env.AWS_REGION }}
        role-to-assume: ${{ env.DEPLOYER_ROLE_ARN }}
        role-skip-session-tagging: true
        role-duration-seconds: 1800
        role-external-id: ${{ env._EXTERNAL_ID }}

Possible Solution

No response

Additional Information/Context

No response

@Neurrone added the bug and needs-triage labels Aug 24, 2023
@peterwoodworth
Contributor

peterwoodworth commented Aug 24, 2023

If you aren't intending to use OIDC, then what are you attempting to use? The set of inputs you have here indicates you want to use OIDC (https://github.com/aws-actions/configure-aws-credentials#using-this-action). This hasn't changed from v2. Are you trying to use credentials that exist in your runner already?

@peterwoodworth added the response-requested label and removed the needs-triage label Aug 24, 2023
@Neurrone
Author

I'm Assuming Role using existing credentials.

It worked for me in v2, so I was surprised when the v3 update broke this. Was the usage of the workflow for my use case using the wrong parameters?

@peterwoodworth
Contributor

The way v2 used existing credentials was inconsistent depending on certain ways the workflow was set up - I honestly didn't know the setup you have was valid in v2 as it was undocumented, and since I've taken over I don't think I've seen anyone have a setup like this that worked. So, I didn't consider this case for v3 when it was necessary to rewrite the logic. I'd like v3 to be fully backwards compatible, so I'll see if I can smoothly fit this use case back in tomorrow. Until then, you could continue using v2, or you can set the `role-chaining` prop to true to indicate you want to use the variables already present in your runner.

@aballman

aballman commented Aug 24, 2023

I'm having the same issue. My scenario is self-hosted runners in EKS with IRSA. I have no need for the GitHub OIDC endpoint. My configuration worked great in v2 but now breaks in v3.

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-region: 
          role-to-assume: 
          role-duration-seconds: 
          role-session-name: 

    It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?
    Error: Could not determine how to assume credentials. Please check your inputs and try again.

edit: role-chaining prop fixed me up
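
The workaround discussed in this thread, written out as a workflow fragment (an added example, not taken from the issue or from the project's documentation): `role-chaining: true` tells v3 to assume the role with the credentials already present on the runner rather than with GitHub's OIDC provider. The job name, runner label, region, role ARN and the verification step are constructed placeholders and assumptions.

```yaml
# Added example; account ID, role name and region are constructed placeholders.
jobs:
  deploy:
    # Assumption: the runner already holds AWS credentials
    # (for example IRSA on EKS, or credentials exported by an earlier step).
    runs-on: self-hosted
    # No `permissions: id-token: write` block: GitHub OIDC is not used here.
    steps:
      - name: Assume deployment role from existing runner credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::111122223333:role/example-deployer
          role-duration-seconds: 1800
          # Workaround from this thread: use the credentials already on the runner.
          role-chaining: true

      - name: Confirm which identity later steps run as
        # Assumes the AWS CLI is installed on the runner.
        run: aws sts get-caller-identity
```

When the runner's existing credentials are themselves a role session, AWS caps the chained session at one hour, so `role-duration-seconds` has to stay at or below 3600 in that case.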

@github-actions

** Note **
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
