Bootcamp Week 2 Assignment section with GitHub Action
So I managed to find the problem with the OIDC - I made a bloggy-type post which I forgot I didn't put on earlier!! 🤦🏼‍♂️
The AWS IAM role wasn't properly configured to trust GitHub Actions as an OIDC provider. Then I realised that I needed to change the AWS region code to eu-west-1 (Ireland) for it to work! Then that was done and I was holding my breath that it would all work well enough to not get an email! So far so good!
Or was it? In a word, no. What had happened is when the actions tried to configure with the AWS credentials and assume a role using OIDC, it wouldn't allow it as it wasn't authorised. Cue the deep dive in the AWS IAM OIDC whitepapers, GitHub Actions documentation and a keep on trucking attitude which was tested quite a lot!!!!!!!
So I had some food and thought about things… I have done something wrong somewhere. This is the essence of DevOps, isn't it? Doing something then seeing it fail and then finding out why it didn't deploy??? Yes. I do think it is. I have heard from various sources (and read Medium regularly..) that if you get it right the first time then there is something wrong or you have not done enough and the output is only "Hello, World"!!
Anyway! I went back to the drawing board and had a decent scour of the code, the IAM role and policies I had put in place to allow access and found that I might have to do something a bit different. I made a new branch gh-pages, and then sent the .yaml code to deploy there, rather than from the main. I have now got two branches, and this is the result! I got it to work! Wahoo and all the joy!
But wait! This is only on the gh-pages branch! What about the main branch and the sts:AssumeRoleWithWebIdentity error I had been having?
Yeah it hadn't changed that part! :-(
So I had another re-scour of the IAM Roles, policies, then asked the wonderful people in Cloud Talents what could be the problem? Anoop suggested that I have a look at the GitHub Org and repo name but I could see that it was all ok. I was going to even make a new IAM Role and discard the previous one but held off doing that for the time being.
With the ideas from the Cloud Talent crew (you know you guys are awesome right???) I looked more closely at the permissions and the role policies and saw:
I had made a typo 🤦🏼‍♂️
Two letters around the wrong way. A week (and a bit more perhaps….) of scratching my head (I was going to wear away the hair I have with the way things were going 😅.) and I figured it out!!! So pleased with myself, but also annoyed as it could have been solved, or rather not needed to be solved!!!
Anyway, I have sorted it out so now I will reel onto the next section of errors for the CloudFront Cache invalidation that I have heard/read so many people have fun with! It is a good thing that we have so many (Cloud)talents here in the group!!!! 🙌
Colin Henderson
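A check of this kind can be scripted. The sketch below is an added example, not part of the original post or of any AWS or GitHub tooling: it lints a role trust policy against the `sub` claim a workflow on a given branch would present and flags values that are one adjacent-character swap away from the expected one. It assumes the usual `StringEquals`/`StringLike` conditions on `token.actions.githubusercontent.com:sub`; the account ID, org and repo names are placeholders, and the sample policy is constructed.

```python
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _swapped(a, b):
    """True if a turns into b by swapping one pair of adjacent characters."""
    d = [i for i in range(min(len(a), len(b))) if a[i] != b[i]]
    return (len(a) == len(b) and len(d) == 2 and d[1] == d[0] + 1
            and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def _near(got, want):
    return " (two adjacent characters swapped?)" if _swapped(got, want) else ""

def check_trust(policy, account_id, repo, ref):
    """Return the reasons this role would refuse the workflow's OIDC token."""
    want_arn = f"arn:aws:iam::{account_id}:oidc-provider/{ISSUER}"
    want_sub = f"repo:{repo}:ref:{ref}"
    problems = []
    for stmt in _as_list(policy["Statement"]):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            problems.append("statement does not allow sts:AssumeRoleWithWebIdentity")
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("Federated", [])):
            if arn != want_arn:
                problems.append(f"Federated principal is {arn}{_near(arn, want_arn)}")
        cond = stmt.get("Condition", {})
        exact = _as_list(cond.get("StringEquals", {}).get(f"{ISSUER}:sub", []))
        like = _as_list(cond.get("StringLike", {}).get(f"{ISSUER}:sub", []))
        if not exact and not like:
            problems.append("no condition on the sub claim: any repository could assume the role")
        elif want_sub not in exact and not any(fnmatch.fnmatchcase(want_sub, p) for p in like):
            hints = "".join(_near(p, want_sub) for p in exact + like)
            problems.append(f"sub {want_sub} matches none of {exact + like}{hints}")
    return problems

# Constructed sample: the sub pattern only covers gh-pages, and "github" is
# misspelled in the provider ARN. Account ID, org and repo are placeholders.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated":
        "arn:aws:iam::123456789012:oidc-provider/token.actions.gihtubusercontent.com"},
    "Condition": {"StringLike": {
        f"{ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/gh-pages"}},
}]}

if __name__ == "__main__":
    for p in check_trust(SAMPLE, "123456789012", "example-org/example-repo", "refs/heads/main"):
        print("-", p)
```

Run against the JSON from `aws iam get-role` (the `AssumeRolePolicyDocument` field) before pushing, so a mismatch shows up locally rather than as a failed workflow run.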