Unable to read Secret set in environment.

[untangle-labs]

I am experiencing a persistent issue with a GitHub Actions workflow where it is unable to access secrets defined in a protected environment. The workflow consistently fails at the aws-actions/configure-aws-credentials step with the error Input required and not supplied: aws-region, because the expression ${{ secrets.AWS_REGION }} evaluates to null.

I am confident this is not a user-level configuration error, as we have exhaustively troubleshot all possible causes.

Summary of the Issue

Workflow: A CI/CD pipeline intended to deploy to AWS EC2 using OIDC for authentication.

Environment: A protected environment named production is configured.

Secrets: All required secrets, including AWS_REGION and AWS_ROLE_TO_ASSUME, have been correctly created within the production environment's secrets settings.

Error: The workflow fails because it cannot read any of the secrets from the environment. Debug logs clearly show that the secret values are null when the action runs.

Troubleshooting Steps Already Taken

We have systematically tried the following solutions without success:

Verified the Workflow File: The .yml file correctly specifies the environment: production for the job and references the secrets using the correct ${{ secrets.SECRET_NAME }} syntax.

Confirmed Permissions: The job has the necessary permissions block with id-token: write and contents: read.

Verified IAM Trust Policy: The AWS IAM Role's trust policy for the OIDC provider has been verified and correctly references our repository (repo:my-org/my-repo:*).

Checked Environment Protection Rules: We disabled all deployment branch restrictions for the production environment to ensure there were no authorization issues.

Created a Minimal Test Case: We created a brand new, minimal workflow file (debug.yml) that does nothing but attempt to configure AWS credentials. This test case failed with the exact same error, proving the issue is not with the complexity of our original workflow. (I will share the log below.)

The problem persists despite all settings appearing correct. The workflow seems unable to access the production environment's context and its associated secrets.

---

2025-09-06T04:54:06.5881713Z Current runner version: '2.328.0'
2025-09-06T04:54:06.5914804Z ##[group]Runner Image Provisioner
2025-09-06T04:54:06.5916087Z Hosted Compute Agent
2025-09-06T04:54:06.5917001Z Version: 20250829.383
2025-09-06T04:54:06.5917983Z Commit: 27cb235aab5b0e52e153a26cd86b4742e89dac5d
2025-09-06T04:54:06.5919182Z Build Date: 2025-08-29T13:48:48Z
2025-09-06T04:54:06.5920262Z ##[endgroup]
2025-09-06T04:54:06.5921228Z ##[group]Operating System
2025-09-06T04:54:06.5922390Z Ubuntu
2025-09-06T04:54:06.5923405Z 24.04.3
2025-09-06T04:54:06.5924169Z LTS
2025-09-06T04:54:06.5924869Z ##[endgroup]
2025-09-06T04:54:06.5925893Z ##[group]Runner Image
2025-09-06T04:54:06.5926978Z Image: ubuntu-24.04
2025-09-06T04:54:06.5927833Z Version: 20250831.1.0
2025-09-06T04:54:06.5930887Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250831.1/images/ubuntu/Ubuntu2404-Readme.md
2025-09-06T04:54:06.5935550Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250831.1
2025-09-06T04:54:06.5937446Z ##[endgroup]
2025-09-06T04:54:06.5939157Z ##[group]GITHUB_TOKEN Permissions
2025-09-06T04:54:06.5942012Z Contents: read
2025-09-06T04:54:06.5943200Z Metadata: read
2025-09-06T04:54:06.5944048Z ##[endgroup]
2025-09-06T04:54:06.5946753Z Secret source: Actions
2025-09-06T04:54:06.5947829Z Prepare workflow directory
2025-09-06T04:54:06.6481440Z Prepare all required actions
2025-09-06T04:54:06.6539731Z Getting action download info
2025-09-06T04:54:07.0477903Z Download action repository 'aws-actions/configure-aws-credentials@v4' (SHA:7474bc4690e29a8392af63c5b98e7449536d5c3a)
2025-09-06T04:54:07.8482818Z Complete job name: debug-deploy
2025-09-06T04:54:07.9281131Z ##[group]Run aws-actions/configure-aws-credentials@v4
2025-09-06T04:54:07.9282055Z with:
2025-09-06T04:54:07.9282441Z audience: sts.amazonaws.com
2025-09-06T04:54:07.9282920Z output-env-credentials: true
2025-09-06T04:54:07.9284077Z ##[endgroup]
2025-09-06T04:54:08.0604951Z ##[error]Input required and not supplied: aws-region
2025-09-06T04:54:08.0788016Z Post job cleanup.
2025-09-06T04:54:08.2061120Z Cleaning up orphan processes

[Shreyash-SP80]

I ran into this issue before — the root cause is usually that environment secrets are only available after the job declares the environment. If the workflow tries to read them before that, they will show up as null.

Here are the main things to check:

---

1. Set the environment at the job level

Make sure your workflow looks like this (not at the top-level env:):

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # this activates the environment
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}

2. Verify where the secrets are stored

Go to Settings > Environments > production > Secrets.

Confirm AWS_REGION and AWS_ROLE_TO_ASSUME exist there.

Secrets stored only at the repo level won’t work if you reference an environment.

If you created them with the CLI or Terraform, make sure you scoped them correctly:

gh secret set AWS_REGION --repo OWNER/REPO -e production

3. Permissions

You already have id-token: write and contents: read, which is correct for OIDC.
No extra permissions are needed just to read environment secrets — but they only load once the environment is active.

[untangle-labs]

Thanks for the answer.
It's a great checklist.
However, all three of the lists you suggested are already properly configured.
So, I can't understand the current situation.

[Shreyash-SP80]

Ok i can check for another one

[thanhdanh17]

if you’ve already confirmed the environment is set at the job level, the secrets really live under that environment (not just repo-level), and permissions are fine, then normally ${{ secrets.AWS_REGION }} should resolve.

A couple of sneaky things I’ve seen cause this:

• Using the secret in a top-level env: (they won’t load there, only inside the job).
• Slight mismatch in the environment name (production vs Production).
• Having both repo-level and environment-level secrets with the same name (can confuse which one is picked up).

[untangle-labs]

Self-answer

This stemmed from a very basic misunderstanding when using GitHub Actions for the first time.
In the Add Secret modal, the name was the key, and I needed to enter a value corresponding to that key.

I assumed the name in the Add Secret modal was the secret's name, so I entered the value in multiple lines, as shown below:

AWS_ROLE_TO_ASSUME: arn:aws:iam::
AWS_REGION: aa
S3_BUCKET_NAME: bb

Now that I've mapped the key-value pairs one by one, there's no problem.