AWS OIDC keyless #2029
Replies: 2 comments
-
That's impossible, because only GitHub Actions from github.com can sign the token (it's all about security; not everyone should access your AWS). A self-hosted runner can also make use of the github.com token when called by the GitHub Actions service to run a job. Additionally, nektos/act doesn't implement its own OIDC tokens (needs to change the JWK endpoint).
-
I haven't studied the nektos/act code to see how exactly it does what it does, and the readme doesn't explain either... hence the question. For all one may know, nektos/act interacts with GitHub.com to sign the token, but based on your reply, that's clearly not the case. Thank you for clearing that up. And the second part of your reply suggests that nektos/act is not yet able to authenticate in this keyless, role-to-assume method. Is that correct?
-
I use aws-actions/configure-aws-credentials in their preferred method... using "GitHub's OIDC provider in conjunction with a configured AWS IAM Identity Provider endpoint." This method only requires environment variables and works swimmingly when GitHub Actions runs the step on their hosted runners. However, running locally with act produces the following error in the act console output:

```text
| It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.
[...]
❗ ::error::Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
[...]
❌ Failure - Main Configure AWS Credentials
```
The relevant parts of the workflow...
```yaml
env:
  AWS_REGION: us-east-1
...
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
...
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::_____:role/GitHub-Actions
          aws-region: ${{ env.AWS_REGION }}
```
The IAM Identity Provider, OIDC, is:
token.actions.githubusercontent.com with audience sts.amazonaws.com
I may be confused about this, but it seems that even when the workflow is running locally through act, it is still running the same GitHub Actions code as it does when running on a GitHub hosted runner. So, the credential request to AWS should still be coming via/from token.actions.githubusercontent.com, right? The error message seems to suggest that it wants IAM user access key inputs, like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, which aren't needed for this method and aren't needed when running from GitHub Actions. Hopefully I've just overlooked something small. Help appreciated.
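As an added example (not code from this discussion, from nektos/act, or from configure-aws-credentials), here is a small model of the trust-policy check that the IAM Identity Provider setup in the question implies: issuer token.actions.githubusercontent.com, audience sts.amazonaws.com, and the `sub` claim pinned to one repository. It shows why a token issued by anything other than github.com, as the reply above explains, is rejected even before the signature check is considered; the repository name and the sample claim sets are assumed placeholders, and signature verification against the provider's JWKS (which AWS STS performs first) is out of scope.

```python
import fnmatch
import time
from typing import Optional, Tuple

# Constructed model of the IAM role trust policy described in the question:
# identity provider token.actions.githubusercontent.com, audience sts.amazonaws.com.
# The repository in the sub pattern is an assumed placeholder, not from the page.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
TRUST_CONDITIONS = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"},
}

# Constructed sample claim sets (sub follows GitHub's repo:<owner>/<repo>:<ref> layout).
HOSTED_RUNNER_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "exp": 1_900_000_000,
}
# A token minted by anything other than github.com carries a different issuer,
# which is why a local runner cannot reproduce the keyless flow.
LOCAL_ISSUER_CLAIMS = dict(HOSTED_RUNNER_CLAIMS, iss="https://localhost:8080")
# A genuine GitHub token from another repository fails the sub condition.
OTHER_REPO_CLAIMS = dict(HOSTED_RUNNER_CLAIMS, sub="repo:someone-else/other:ref:refs/heads/main")


def evaluate_trust_policy(claims: dict, conditions: dict = TRUST_CONDITIONS,
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a claim set whose signature AWS STS has
    already verified against the provider's JWKS (out of scope here)."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not the configured identity provider"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # StringEquals: exact match, e.g. the aud configured on the identity provider.
    for key, expected in conditions.get("StringEquals", {}).items():
        claim = key.split(":", 1)[1]
        if claims.get(claim) != expected:
            return False, f"{claim}={claims.get(claim)!r} does not equal {expected!r}"
    # StringLike: IAM-style wildcard match, used to pin the role to a repository.
    for key, pattern in conditions.get("StringLike", {}).items():
        claim = key.split(":", 1)[1]
        if not fnmatch.fnmatchcase(str(claims.get(claim, "")), pattern):
            return False, f"{claim}={claims.get(claim)!r} does not match {pattern!r}"
    return True, "all trust-policy conditions satisfied"
```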