Skip to content

Commit

Permalink
fix: action fails when intending to use existing credentials (#796)
Browse files Browse the repository at this point in the history
* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

---------

Co-authored-by: Tom Keller <1083460+kellertk@users.noreply.github.com>
  • Loading branch information
peterwoodworth and kellertk authored Aug 24, 2023
1 parent a962633 commit 76997ec
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 14 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/tests-integ.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,28 @@ jobs:
role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
role-session-name: IntegAccessKeysAssumeRole
role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
integ-access-keys-env:
strategy:
fail-fast: false
matrix:
os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
node: [14, 16, 18]
name: Run access key from env integ tests
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- name: "Checkout repository"
uses: actions/checkout@v3
- name: Integ test for access keys
uses: ./
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
with:
aws-region: us-west-2
role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
role-session-name: IntegAccessKeysAssumeRole
role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
integ-iam-user:
strategy:
fail-fast: false
Expand Down
16 changes: 9 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -161,13 +161,15 @@ We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/d

The following table describes which method is used based on which values are supplied to the Action:

| **Identity Used** | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` |
| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - |
| [✅ Recommended] Assume Role directly using GitHub OIDC provider | | ✔ | | |
| IAM User | ✔ | | | |
| Assume Role using IAM User credentials | ✔ | ✔ | | |
| Assume Role using WebIdentity Token File credentials | | ✔ | ✔ | |
| Assume Role using existing credentials | | ✔ | | ✔ |
| **Identity Used** | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` | `id-token` permission
| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - | - |
| [✅ Recommended] Assume Role directly using GitHub OIDC provider | | ✔ | | | ✔ |
| IAM User | ✔ | | | | |
| Assume Role using IAM User credentials | ✔ | ✔ | | | |
| Assume Role using WebIdentity Token File credentials | | ✔ | ✔ | | |
| Assume Role using existing credentials | | ✔ | | ✔ | |

*Note: `role-chaining` is not necessary to use existing credentials in every use case. If you're getting a "Credentials loaded by the SDK do not match" error, try enabling this prop.

### Credential Lifetime
The default session duration is **1 hour**.
Expand Down
9 changes: 6 additions & 3 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 8 additions & 3 deletions src/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,8 @@ export async function run() {
!roleChaining
) {
core.info(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? ' +
'If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
}
return (
Expand Down Expand Up @@ -127,11 +128,15 @@ export async function run() {
// the source credentials to already be masked as secrets
// in any error messages.
exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
} else if (!webIdentityTokenFile && !roleChaining) {
} else if (
!webIdentityTokenFile &&
!roleChaining &&
!(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
) {
throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
}

if (AccessKeyId || roleChaining) {
if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
// Validate that the SDK can actually pick up credentials.
// This validates cases where this action is using existing environment credentials,
// and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
Expand Down
22 changes: 21 additions & 1 deletion test/index.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -519,13 +519,33 @@ describe('Configure AWS Credentials', () => {
await run();

expect(core.info).toHaveBeenCalledWith(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
expect(core.setFailed).toHaveBeenCalledWith(
'Could not determine how to assume credentials. Please check your inputs and try again.'
);
});

test('Assume role with existing credentials if nothing else set', async () => {
process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID;
process.env['AWS_SECRET_ACCESS_KEY'] = FAKE_SECRET_ACCESS_KEY;
jest.spyOn(core, 'getInput').mockImplementation(
mockGetInput({
'role-to-assume': ROLE_ARN,
'aws-region': FAKE_REGION,
})
);

await run();

expect(core.info).toHaveBeenCalledWith(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(1);
});

test('role assumption fails after maximum trials using OIDC provider', async () => {
process.env['GITHUB_ACTIONS'] = 'true';
process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = 'test-token';
Expand Down

0 comments on commit 76997ec

Please sign in to comment.