Not authorized to perform sts:AssumeRoleWithWebIdentity

Hi,

I applied this to our gitlab runner setup in AWS. We use docker+machine, spot instances, with a EC2 policy (rather than AWS keys).

A representative example of my policy and runner config can be found here: https://github.com/dazzag24/gitlab-runner-aws-autoscaler

I had to make a change to use a different region (see !1 (merged)) to get the terraform to apply but I cannot overcome the error below:

$ STS=($(aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" --web-identity-token $CI_JOB_JWT_V2 --duration-seconds 3600 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

How can I debug this further?

Is it possbile to view the CI_JOB_JWT_V2 token unmasked in the CI job logs?

Thanks