aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of synced 2026-06-05 14:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat: upgraded to new GH OIDC API (#284)

Browse source
This commit is contained in:
Richard H Boyd 2021-10-18 14:33:08 -04:00 committed by GitHub
commit 036a4a1ddf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 4220 deletions
Download patch file Download diff file Expand all files Collapse all files

21
README.md
View file

@ -37,7 +37,10 @@ jobs:
deploy:
name: Upload to Amazon S3
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
@ -136,24 +139,28 @@ Resources:
Role:
Type: AWS::IAM::Role
Properties:
RoleName: ExampleGithubRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRoleWithWebIdentity
Principal:
Federated: !Ref GithubOidc
Federated: !If
- CreateOIDCProvider
- !Ref GithubOidc
- !Ref OIDCProviderArn
Condition:
StringLike:
vstoken.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
GithubOidc:
Type: AWS::IAM::OIDCProvider
Condition: CreateOIDCProvider
Properties:
Url: https://vstoken.actions.githubusercontent.com
ClientIdList: [sigstore]
ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
Url: https://token.actions.githubusercontent.com
ClientIdList:
- sts.amazonaws.com
ThumbprintList:
- a031c46782e6e6c662c2c87c76da9aa62ccabd8e
Outputs:
Role:

4189
dist/index.js vendored
View file

File diff suppressed because one or more lines are too long

30
index.js
View file

@ -3,7 +3,6 @@ const aws = require('aws-sdk');
const assert = require('assert');
const fs = require('fs');
const path = require('path');
const axios = require('axios');
// The max time that a GitHub action is allowed to run is 6 hours.
// That seems like a reasonable default to use if no role duration is defined.
@ -185,21 +184,6 @@ async function exportAccountId(maskAccountId, region) {
return accountId;
}
async function getWebIdentityToken() {
const isDefined = i => !!i;
const {ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN} = process.env;
assert(
[ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN].every(isDefined),
'Missing required environment value. Are you running in GitHub Actions?'
);
const { data } = await axios.get(`${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore`, {
headers: {"Authorization": `bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}`}
}
);
return data.value;
}
function loadCredentials() {
// Force the SDK to re-resolve credentials with the default provider chain.
//
@ -303,7 +287,7 @@ async function run() {
let sourceAccountId;
let webIdentityToken;
if(useGitHubOIDCProvider()) {
webIdentityToken = await getWebIdentityToken();
webIdentityToken = await core.getIDToken('sts.amazonaws.com');
roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
// We don't validate the credentials here because we don't have them yet when using OIDC.
} else {
@ -331,13 +315,11 @@ async function run() {
webIdentityToken
});
exportCredentials(roleCredentials);
// I don't know a good workaround for this. I'm not sure why we're validating the credentials
// so frequently inside the action. The approach I've taken here is that if the GH OIDC token
// isn't set, then we're in a self-hosted runner and we need to validate the credentials for
// some mysterious reason that wasn't explained by whoever wrote this aciton.
//
// It's gross but it works so ... ¯\_(ツ)_/¯
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
// We need to validate the credentials in 2 of our use-cases
// First: self-hosted runners. If the GITHUB_ACTIONS environment variable
// is set to `true` then we are NOT in a self-hosted runner.
// Second: Customer provided credentials manually (IAM User keys stored in GH Secrets)
if (!process.env.GITHUB_ACTIONS || accessKeyId) {
await validateCredentials(roleCredentials.accessKeyId);
}
await exportAccountId(maskAccountId, region);

15
index.test.js
View file

@ -2,10 +2,8 @@ const core = require('@actions/core');
const assert = require('assert');
const aws = require('aws-sdk');
const run = require('./index.js');
const axios = require('axios');
jest.mock('@actions/core');
jest.mock("axios");
const FAKE_ACCESS_KEY_ID = 'MY-AWS-ACCESS-KEY-ID';
const FAKE_SECRET_ACCESS_KEY = 'MY-AWS-SECRET-ACCESS-KEY';
@ -91,6 +89,12 @@ describe('Configure AWS Credentials', () => {
.fn()
.mockImplementation(mockGetInput(DEFAULT_INPUTS));
core.getIDToken = jest
.fn()
.mockImplementation(() => {
return "testtoken"
});
mockStsCallerIdentity.mockReset();
mockStsCallerIdentity
.mockReturnValueOnce({
@ -569,9 +573,9 @@ describe('Configure AWS Credentials', () => {
});
test('only role arn and region provided to use GH OIDC Token', async () => {
process.env.GITHUB_ACTIONS = 'true';
process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
core.getInput = jest
.fn()
.mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION}));
@ -590,9 +594,8 @@ describe('Configure AWS Credentials', () => {
test('GH OIDC With custom role duration', async () => {
const CUSTOM_ROLE_DURATION = 1234;
process.env.GITHUB_ACTIONS = 'true';
process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
core.getInput = jest
.fn()
.mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'role-duration-seconds': CUSTOM_ROLE_DURATION}));