feat: optional policy inputs when assuming role

2026-06-05 09:35:13 +00:00 · 2023-06-21 15:08:37 -07:00 · 2023-06-21 15:08:37 -07:00 · 10024331f6
commit 10024331f6
parent 2cee35f9a9
2 changed files with 13 additions and 1 deletions
--- a/dist/cleanup/src/assumeRole.d.ts
+++ b/dist/cleanup/src/assumeRole.d.ts
@ -9,5 +9,7 @@ export interface assumeRoleParams {
    roleExternalId?: string;
    webIdentityTokenFile?: string;
    webIdentityToken?: string;
+    inlineSessionPolicy?: string;
+    managedSessionPolicies?: any[];
 }
 export declare function assumeRole(params: assumeRoleParams): Promise<import("@aws-sdk/client-sts").AssumeRoleCommandOutput>;
--- a/dist/index.js
+++ b/dist/index.js
@ -153,7 +153,7 @@ async function assumeRoleWithCredentials(params, client) {
    }
 }
 async function assumeRole(params) {
-    const { credentialsClient, sourceAccountId, roleToAssume, roleExternalId, roleDuration, roleSessionName, roleSkipSessionTagging, webIdentityTokenFile, webIdentityToken, } = { ...params };
+    const { credentialsClient, sourceAccountId, roleToAssume, roleExternalId, roleDuration, roleSessionName, roleSkipSessionTagging, webIdentityTokenFile, webIdentityToken, inlineSessionPolicy, managedSessionPolicies } = { ...params };
    // Load GitHub environment variables
    const { GITHUB_REPOSITORY, GITHUB_WORKFLOW, GITHUB_ACTION, GITHUB_ACTOR, GITHUB_SHA, GITHUB_WORKSPACE } = process.env;
    if (!GITHUB_REPOSITORY || !GITHUB_WORKFLOW || !GITHUB_ACTION || !GITHUB_ACTOR || !GITHUB_SHA || !GITHUB_WORKSPACE) {
@ -191,6 +191,8 @@ async function assumeRole(params) {
        DurationSeconds: roleDuration,
        Tags: tags ? tags : undefined,
        ExternalId: roleExternalId ? roleExternalId : undefined,
+        Policy: inlineSessionPolicy ? inlineSessionPolicy : undefined,
+        PolicyArns: managedSessionPolicies ? managedSessionPolicies : undefined,
    };
    const keys = Object.keys(commonAssumeRoleParams);
    keys.forEach((k) => commonAssumeRoleParams[k] === undefined && delete commonAssumeRoleParams[k]);
@ -402,6 +404,12 @@ async function run() {
        const roleSkipSessionTagging = roleSkipSessionTaggingInput.toLowerCase() === 'true';
        const proxyServer = core.getInput('http-proxy', { required: false });
        const disableOIDC = core.getInput('disable-oidc', { required: false });
+        const inlineSessionPolicy = core.getInput('inline-session-policy', { required: false });
+        const managedSessionPoliciesInput = core.getMultilineInput('managed-session-policies', { required: false });
+        const managedSessionPolicies = [];
+        for (const managedSessionPolicy of managedSessionPoliciesInput) {
+            managedSessionPolicies.push(managedSessionPolicy);
+        }
        // Logic to decide whether to attempt to use OIDC or not
        const useGitHubOIDCProvider = () => {
            // The `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variable is set when the `id-token` permission is granted.
@ -471,6 +479,8 @@ async function run() {
                    roleSkipSessionTagging,
                    webIdentityTokenFile,
                    webIdentityToken,
+                    inlineSessionPolicy,
+                    managedSessionPolicies,
                });
            }, true);
            core.info(`Authenticated as assumedRoleId ${roleCredentials.AssumedRoleUser.AssumedRoleId}`);