
aws_role_to_assume broken for digger apply #2571

@nis-thac

Description


//EDIT 2

The apply only seems to work when the plan was made in the hour before. Role assumptions last for one hour, which leads me to assume there is a missing role assumption on digger apply.

//EDIT

It turns out that even when only supplying a command role, the apply still fails.

//Original Post

When using separate state and command roles for aws_role_to_assume in a project, running digger apply does not work. During the setup phase (tofu init runs 3 times, why?), the plan role is used. Only when running digger apply is the command role used. However, digger does not assume the new role, leading to the following error:

Error: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 111111111-2222-3333-4444-555555555555, api error ExpiredToken: The security token included in the request is expired

Here is the log output:

🔧 Downloading Digger CLI...
Runner OS: Linux, Arch: X64, Digger Version: vLatest
Downloading from: https://github.com/diggerhq/digger/releases/download/vLatest/digger-cli-Linux-X64
Successfully downloaded and prepared Digger CLI
time=2026-02-13T09:06:55.382Z level=INFO msg="fetching commit ID" commitId=<commid-id>
From https://github.com/<owner/repo>
 * branch            <commid-id> -> FETCH_HEAD
time=2026-02-13T09:06:55.532Z level=INFO msg="checking out to commit ID" commitID=<commid-id>
Note: switching to '<commid-id>'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
time=2026-02-13T09:06:55.537Z level=INFO msg="Initializing plan storage" destination=aws owner=<owner> repo=<repo>
time=2026-02-13T09:06:55.537Z level=INFO msg="AWS plan storage initialized successfully" bucket=<plan-s3-bucket>
time=2026-02-13T09:06:55.537Z level=WARN msg="warning: nil passed to plan result, sending empty"
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at fe1fd24 DEVOPS-2662: Add Routes for workload-nis-full-deployment
time=2026-02-13T09:06:56.482Z level=INFO msg="Access policy allowed action" user=nis-thac action="digger apply" project=<project-name>
time=2026-02-13T09:06:56.482Z level=INFO msg="Running command for project" command="digger apply" "project name"=<project-name> "project workflow"=""
time=2026-02-13T09:06:56.669Z level=INFO msg="Access policy allowed action" user=nis-thac action="digger apply" project=<project-name>
time=2026-02-13T09:06:56.669Z level=INFO msg="Using authentication strategy: Default"
time=2026-02-13T09:06:56.669Z level=INFO msg="Project-level AWS role detected, assuming role for project" project=<project-name>
time=2026-02-13T09:06:59.153Z level=INFO msg="PR status Information" mergeable=false merged=false skipMergeCheck=true
time=2026-02-13T09:06:59.516Z level=INFO msg="Pre-apply plan retrieval: stored plan exists in artefact, retrieving"
time=2026-02-13T09:07:00.163Z level=INFO msg="Successfully retrieved plan" bucket=<plan-s3-bucket> key=<owner>-<repo>-<pr-number>-<project-name>.tfplan localPath=/home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan
time=2026-02-13T09:07:00.163Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[init -backend-config=access_key=<access-key> -backend-config=secret_key=<secret-key> -backend-config=token=<session-token> -input=false -no-color]" command.workingDir=/home/runner/work/<repo>/<repo>

Initializing the backend...

Successfully configured the backend "s3"! OpenTofu will automatically
use this backend unless the backend configuration changes.
Initializing modules...

...
<Downloading logs trimmed>
...

Initializing provider plugins...
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of hashicorp/external from the dependency lock file
- Reusing previous version of hashicorp/tls from the dependency lock file
- Reusing previous version of hashicorp/time from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/time v0.13.1 to the shared cache directory...
- Installed hashicorp/time v0.13.1 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/time v0.13.1 from the shared cache directory
- Installing hashicorp/aws v6.28.0 to the shared cache directory...
- Installed hashicorp/aws v6.28.0 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/aws v6.28.0 from the shared cache directory
- Installing hashicorp/random v3.8.1 to the shared cache directory...
- Installed hashicorp/random v3.8.1 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/random v3.8.1 from the shared cache directory
- Installing hashicorp/local v2.6.1 to the shared cache directory...
- Installed hashicorp/local v2.6.1 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/local v2.6.1 from the shared cache directory
- Installing hashicorp/null v3.2.4 to the shared cache directory...
- Installed hashicorp/null v3.2.4 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/null v3.2.4 from the shared cache directory
- Installing hashicorp/external v2.3.5 to the shared cache directory...
- Installed hashicorp/external v2.3.5 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/external v2.3.5 from the shared cache directory
- Installing hashicorp/tls v4.1.0 to the shared cache directory...
- Installed hashicorp/tls v4.1.0 (signed, key ID 0C0AF313E5FD9F80)
- Using hashicorp/tls v4.1.0 from the shared cache directory

Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/

OpenTofu has been successfully initialized!

You may now begin working with OpenTofu. Try running "tofu plan" to see
any changes that are required for your infrastructure. All OpenTofu commands
should now work.

If you ever set or change modules or backend configuration for OpenTofu,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
time=2026-02-13T09:07:36.764Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[show -no-color -json /home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan]" command.workingDir=/home/runner/work/<repo>/<repo>
time=2026-02-13T09:07:41.378Z level=INFO msg="No plan policies found, succeeding"
time=2026-02-13T09:07:41.566Z level=INFO msg="Access policy allowed action" user=nis-thac action="digger apply" project=<project-name>
time=2026-02-13T09:07:41.963Z level=INFO msg="Pre-apply plan retrieval: stored plan exists in artefact, retrieving"
time=2026-02-13T09:07:42.583Z level=INFO msg="Successfully retrieved plan" bucket=<plan-s3-bucket> key=<owner>-<repo>-<pr-number>-<project-name>.tfplan localPath=/home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan
time=2026-02-13T09:07:42.583Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[init -backend-config=access_key=<access-key> -backend-config=secret_key=<secret-key> -backend-config=token=<session-token> -input=false -no-color]" command.workingDir=/home/runner/work/<repo>/<repo>

Initializing the backend...
Initializing modules...

Initializing provider plugins...
- Reusing previous version of hashicorp/tls from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of hashicorp/external from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/time from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Using previously-installed hashicorp/null v3.2.4
- Using previously-installed hashicorp/external v2.3.5
- Using previously-installed hashicorp/local v2.6.1
- Using previously-installed hashicorp/time v0.13.1
- Using previously-installed hashicorp/aws v6.28.0
- Using previously-installed hashicorp/random v3.8.1
- Using previously-installed hashicorp/tls v4.1.0

OpenTofu has been successfully initialized!

You may now begin working with OpenTofu. Try running "tofu plan" to see
any changes that are required for your infrastructure. All OpenTofu commands
should now work.

If you ever set or change modules or backend configuration for OpenTofu,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
time=2026-02-13T09:07:46.738Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[show -no-color -json /home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan]" command.workingDir=/home/runner/work/<repo>/<repo>
time=2026-02-13T09:07:52.789Z level=INFO msg="Attempting to acquire lock" lockId=<owner/repo>#<project-name>
time=2026-02-13T09:07:52.789Z level=INFO msg="Project locked successfully" projectId=<owner/repo>#<project-name> prNumber=<pr-number>
time=2026-02-13T09:07:52.789Z level=INFO msg="Lock result" locked=true
time=2026-02-13T09:07:53.642Z level=INFO msg="Successfully retrieved plan" bucket=<plan-s3-bucket> key=<owner>-<repo>-<pr-number>-<project-name>.tfplan localPath=/home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan
time=2026-02-13T09:07:53.642Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[init -backend-config=access_key=<access-key> -backend-config=secret_key=<secret-key> -backend-config=token=<session-token> -input=false -no-color]" command.workingDir=/home/runner/work/<repo>/<repo>

Initializing the backend...
Initializing modules...

Initializing provider plugins...
- Reusing previous version of hashicorp/tls from the dependency lock file
- Reusing previous version of hashicorp/time from the dependency lock file
- Reusing previous version of hashicorp/aws from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of hashicorp/external from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Using previously-installed hashicorp/null v3.2.4
- Using previously-installed hashicorp/external v2.3.5
- Using previously-installed hashicorp/local v2.6.1
- Using previously-installed hashicorp/tls v4.1.0
- Using previously-installed hashicorp/time v0.13.1
- Using previously-installed hashicorp/aws v6.28.0
- Using previously-installed hashicorp/random v3.8.1

OpenTofu has been successfully initialized!

You may now begin working with OpenTofu. Try running "tofu plan" to see
any changes that are required for your infrastructure. All OpenTofu commands
should now work.

If you ever set or change modules or backend configuration for OpenTofu,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
time=2026-02-13T09:07:57.860Z level=INFO msg="Running OpenTofu command" command.binary=tofu command.args="[apply -lock-timeout=3m -input=false -no-color -auto-approve /home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan]" command.workingDir=/home/runner/work/<repo>/<repo>

Error: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 111111111-2222-3333-4444-555555555555, api error ExpiredToken: The security token included in the request is expired

time=2026-02-13T09:07:58.619Z level=ERROR msg="Command execution failed" command=tofu args="[apply -lock-timeout=3m -input=false -no-color -auto-approve /home/runner/work/<repo>/<repo>/<owner>-<repo>-<pr-number>-<project-name>.tfplan]" exitCode=1 error="exit status 1"
time=2026-02-13T09:07:58.619Z level=ERROR msg="Failed to Run digger apply command." error="error executing apply: exit status 1"
time=2026-02-13T09:07:58.619Z level=ERROR msg="error while running command for project" command="digger apply" projectname=<project-name> error="Failed to run digger apply command. error executing apply: exit status 1"
time=2026-02-13T09:07:58.619Z level=ERROR msg="Project command failed, skipping job" "project name"=<project-name> command="digger apply"
time=2026-02-13T09:08:00.<pr-number>0Z level=WARN msg="warning: nil passed to plan result, sending empty"
time=2026-02-13T09:08:00.896Z level=ERROR msg="failed to run commands <nil>"
time=2026-02-13T09:08:00.896Z level=WARN msg="warning: nil passed to plan result, sending empty"
time=2026-02-13T09:08:01.017Z level=ERROR msg="failed to run commands <nil>"
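The failure mode this report describes, as an added example that is not Digger's code and not the reporter's: a small Go model of the plan/apply workflow against a fake STS whose sessions last one hour (the default AssumeRole DurationSeconds). It reproduces the ExpiredToken error when the apply step reuses the plan step's session, and shows the check a command runner would do instead: re-assume the role when the cached credentials are expired or within a safety margin of expiry, then validate them (the equivalent of GetCallerIdentity) before running apply. The role ARN, the token format, the fakeSTS type and all function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credentials models what an STS AssumeRole call returns: a session token
// and the instant it expires. No real STS call is made in this example.
type Credentials struct {
	RoleARN      string
	SessionToken string
	Expiration   time.Time
}

// ErrExpiredToken mirrors the STS "ExpiredToken" API error in the posted log.
var ErrExpiredToken = errors.New("api error ExpiredToken: The security token included in the request is expired")

// fakeSTS is a constructed stand-in for STS with an injectable clock. It issues
// one-hour sessions (the AssumeRole default) and rejects expired ones on
// GetCallerIdentity, which is the call the AWS provider makes to validate credentials.
type fakeSTS struct {
	now    func() time.Time
	issued int // number of AssumeRole calls, so re-assumption is observable
}

func (s *fakeSTS) AssumeRole(roleARN string) Credentials {
	s.issued++
	return Credentials{
		RoleARN:      roleARN,
		SessionToken: fmt.Sprintf("token-%d", s.issued),
		Expiration:   s.now().Add(time.Hour),
	}
}

func (s *fakeSTS) GetCallerIdentity(c Credentials) error {
	if !s.now().Before(c.Expiration) {
		return ErrExpiredToken
	}
	return nil
}

// NeedsRefresh reports whether cached credentials must be re-assumed before a
// command runs: they are already expired, or they expire within margin.
func NeedsRefresh(c Credentials, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(c.Expiration)
}

// ApplyWithStaleCreds reproduces the reported behaviour: the apply phase reuses
// the credentials obtained at plan time without assuming the role again.
func ApplyWithStaleCreds(sts *fakeSTS, planCreds Credentials) error {
	return sts.GetCallerIdentity(planCreds)
}

// ApplyWithRefresh re-assumes the command role when the cached credentials are
// expired or close to expiry, and validates them before the apply step would run.
func ApplyWithRefresh(sts *fakeSTS, roleARN string, cached Credentials, margin time.Duration) (Credentials, error) {
	creds := cached
	if NeedsRefresh(creds, sts.now(), margin) {
		creds = sts.AssumeRole(roleARN)
	}
	if err := sts.GetCallerIdentity(creds); err != nil {
		return Credentials{}, fmt.Errorf("validating provider credentials: %w", err)
	}
	return creds, nil
}

func main() {
	// Constructed timeline: plan at 08:00 UTC, apply 61 minutes later.
	clock := time.Date(2026, 2, 13, 8, 0, 0, 0, time.UTC)
	sts := &fakeSTS{now: func() time.Time { return clock }}
	planCreds := sts.AssumeRole("arn:aws:iam::123456789012:role/example-command-role")

	clock = clock.Add(61 * time.Minute)
	fmt.Println("stale apply:", ApplyWithStaleCreds(sts, planCreds))

	fresh, err := ApplyWithRefresh(sts, planCreds.RoleARN, planCreds, 5*time.Minute)
	fmt.Println("refreshed apply:", fresh.SessionToken, err)
}
```

The margin matters because a plan retrieved from S3 and three tofu init runs take real time (about a minute in the posted log), so a session that is valid when the apply job starts can still be expired by the time tofu apply calls STS. Two further points a practitioner would check: if the command role is reached by role chaining from the role the runner first assumes, AWS caps that chained session at one hour regardless of the role's configured maximum session duration, so a longer DurationSeconds will not help; and the posted log shows the session credentials being passed to tofu init as -backend-config=access_key/secret_key/token arguments that are echoed at INFO level, which is worth redacting in the log (as the reporter did) or avoiding by supplying them through the environment instead.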

Labels: bug