IAM ODIC attaching existing role

That's an expected behavior. When you want to configure an existing role to be assumable by the OIDC federation provider, you just need to allow it on the role trust policy. So, when you click on the button "Use an existing role" you get redirected to the IAM Role web page. Then you search for the role you want to allow, and then edit the trust policy. Your new trust policy, will look like something like this:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
        }
    }
}

Where you will have to adapt your AUD to align it to your OIDC provider created in IAM. You have all the details described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

Hope this helps.

Best.

Hi Owais,

It seems like there might be a bug or a permissions issue. You could try clearing your browser cache, using a different browser, or checking the role's trust relationship settings.

I did that recently in a post I wrote: https://medium.com/aws-in-plain-english/no-long-term-aws-credentials-in-your-pipeline-secure-github-actions-0420127b89ea.

For AWS reference, you can look here: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/?source=post_page-----0420127b89ea--------------------------------