aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of https://github.com/aws-actions/configure-aws-credentials.git synced 2026-06-09 03:17:05 +00:00
Code Issues Projects Releases Packages Wiki Activity

redo changes from #1780

Browse source
This commit is contained in:
Michael Lehmann 2026-05-28 15:08:14 -07:00
commit 32a5f16041
3 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -168,6 +168,7 @@ detail.
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
| role-skip-session-tagging | Skips session tagging if set. | No |
| transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
| custom-tags | Additional tags to apply to the assumed role session. Must be a JSON object provided as a string. Custom tags are not usable with OIDC or web identity token authentication. | No |
| inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
| managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
| output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
@ -180,6 +181,8 @@ detail.
| allowed-account-ids | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. | No |
| force-skip-oidc | When set, the action will skip using GitHub OIDC provider even if the id-token permission is set. | No |
| action-timeout-s | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. | No |
| no-proxy | Hosts to skip for the proxy configuration. | No |
| sts-endpoint | Custom STS endpoint URL. Use this to point to an STS-compatible API (e.g. MinIO, LocalStack) instead of the default AWS STS endpoint for the region. | No |
</details>

1
src/assumeRole.ts
View file

@ -42,6 +42,7 @@ async function assumeRoleWithWebIdentityTokenFile(
core.info('Assuming role with web identity token file');
try {
delete params.Tags;
delete params.TransitiveTagKeys;
const creds = await client.send(
new AssumeRoleWithWebIdentityCommand({
...params,

12
test/index.test.ts
View file

@ -202,6 +202,18 @@ describe('Configure AWS Credentials', {}, () => {
expect(core.setOutput).toHaveBeenCalledTimes(2);
expect(core.setFailed).not.toHaveBeenCalled();
});
it('does not send Tags or TransitiveTagKeys to AssumeRoleWithWebIdentity', async () => {
// AssumeRoleWithWebIdentity reads session tags from JWT claims, not the request.
// Both fields must be stripped before the STS call.
vi.mocked(core.getMultilineInput).mockImplementation((name: string) => {
if (name === 'transitive-tag-keys') return ['Repository'];
return [];
});
await run();
const callInput = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)[0].args[0].input;
expect(callInput.Tags).toBeUndefined();
expect(callInput.TransitiveTagKeys).toBeUndefined();
});
});
describe('Assume existing role', {}, () => {