aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of https://github.com/aws-actions/configure-aws-credentials.git synced 2026-06-08 04:47:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'main' into contri

Browse source
This commit is contained in:
Tom Keller 2023-08-24 14:38:35 -07:00 committed by GitHub
commit 91d9dfcd6f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 217 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.github/workflows/tests-integ.yml vendored
View file

@ -48,6 +48,28 @@ jobs:
role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
role-session-name: IntegAccessKeysAssumeRole
role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
integ-access-keys-env:
strategy:
fail-fast: false
matrix:
os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
node: [14, 16, 18]
name: Run access key from env integ tests
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- name: "Checkout repository"
uses: actions/checkout@v3
- name: Integ test for access keys
uses: ./
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
with:
aws-region: us-west-2
role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
role-session-name: IntegAccessKeysAssumeRole
role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
integ-iam-user:
strategy:
fail-fast: false

25
README.md
View file

@ -161,13 +161,15 @@ We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/d
The following table describes which method is used based on which values are supplied to the Action:
| **Identity Used** | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` |
| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - |
| [✅ Recommended] Assume Role directly using GitHub OIDC provider | | ✔ | | |
| IAM User | ✔ | | | |
| Assume Role using IAM User credentials | ✔ | ✔ | | |
| Assume Role using WebIdentity Token File credentials | | ✔ | ✔ | |
| Assume Role using existing credentials | | ✔ | | ✔ |
| **Identity Used** | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` | `id-token` permission
| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - | - |
| [✅ Recommended] Assume Role directly using GitHub OIDC provider | | ✔ | | | ✔ |
| IAM User | ✔ | | | | |
| Assume Role using IAM User credentials | ✔ | ✔ | | | |
| Assume Role using WebIdentity Token File credentials | | ✔ | ✔ | | |
| Assume Role using existing credentials | | ✔ | | ✔ | |
*Note: `role-chaining` is not necessary to use existing credentials in every use case. If you're getting a "Credentials loaded by the SDK do not match" error, try enabling this prop.
### Credential Lifetime
The default session duration is **1 hour**.
@ -268,6 +270,15 @@ Your account ID is not masked by default in workflow logs since it's not conside
#### Unset current credentials
Sometimes, existing credentials in your runner can get in the way of the intended outcome, and the recommended solution is to include another step in your workflow which unsets the environment variables set by this action. Now if you set the `unset-current-credentials` input to `true`, the workaround is made eaiser
#### Special characters in AWS_SECRET_ACCESS_KEY
Some edge cases are unable to properly parse an `AWS_SECRET_ACCESS_KEY` if it
contains special characters. For more information, please see the
[AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-signature-does-not-match).
If you set the `special-characters-workaround` option, this action will
continually retry fetching credentials until we get one that does not have
special characters. This option overrides the `disable-retry` and
`retry-max-attempts` options.
## OIDC
We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) to get short-lived AWS credentials needed for your actions. When using OIDC, this action will create a JWT unique to the workflow run, and it will use this JWT to assume the role. For this action to create the JWT, it is required for your workflow to have the `id-token: write` permission:

3
action.yml
View file

@ -70,6 +70,9 @@ inputs:
retry-max-attempts:
description: The maximum number of attempts it will attempt to retry the assume role call. By default it will retry 12 times
required: false
special-characters-workaround:
description: Some environments do not support special characters in AWS_SECRET_ACCESS_KEY. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. This option is disabled by default
required: false
outputs:
aws-account-id:
description: The AWS account ID for the provided credentials

9
dist/cleanup/index.js generated vendored
View file

@ -20748,18 +20748,21 @@ function reset() {
exports.reset = reset;
function verifyKeys(creds) {
if (!creds) {
return;
return false;
}
if (creds.AccessKeyId) {
if (SPECIAL_CHARS_REGEX.test(creds.AccessKeyId)) {
throw new Error('AccessKeyId contains special characters.');
core.debug('AccessKeyId contains special characters.');
return false;
}
}
if (creds.SecretAccessKey) {
if (SPECIAL_CHARS_REGEX.test(creds.SecretAccessKey)) {
throw new Error('SecretAccessKey contains special characters.');
core.debug('SecretAccessKey contains special characters.');
return false;
}
}
return true;
}
exports.verifyKeys = verifyKeys;
// Retries the promise with exponential backoff if the error isRetryable up to maxRetries time.

2
dist/cleanup/src/helpers.d.ts generated vendored
View file

@ -9,7 +9,7 @@ export declare function defaultSleep(ms: number): Promise<unknown>;
declare let sleep: typeof defaultSleep;
export declare function withsleep(s: typeof sleep): void;
export declare function reset(): void;
export declare function verifyKeys(creds: Partial<Credentials> | undefined): void;
export declare function verifyKeys(creds: Partial<Credentials> | undefined): boolean;
export declare function retryAndBackoff<T>(fn: () => Promise<T>, isRetryable: boolean, maxRetries?: number, retries?: number, base?: number): Promise<T>;
export declare function errorMessage(error: unknown): string;
export declare function isDefined<T>(i: T | undefined | null): i is T;

72
dist/index.js generated vendored
View file

@ -113,7 +113,6 @@ async function assumeRoleWithOIDC(params, client, webIdentityToken) {
...params,
WebIdentityToken: webIdentityToken,
}));
(0, helpers_1.verifyKeys)(creds.Credentials);
return creds;
}
catch (error) {
@ -136,7 +135,6 @@ async function assumeRoleWithWebIdentityTokenFile(params, client, webIdentityTok
...params,
WebIdentityToken: webIdentityToken,
}));
(0, helpers_1.verifyKeys)(creds.Credentials);
return creds;
}
catch (error) {
@ -147,7 +145,6 @@ async function assumeRoleWithCredentials(params, client) {
core.info('Assuming role with user credentials');
try {
const creds = await client.send(new client_sts_1.AssumeRoleCommand({ ...params }));
(0, helpers_1.verifyKeys)(creds.Credentials);
return creds;
}
catch (error) {
@ -337,18 +334,21 @@ function reset() {
exports.reset = reset;
function verifyKeys(creds) {
if (!creds) {
return;
return false;
}
if (creds.AccessKeyId) {
if (SPECIAL_CHARS_REGEX.test(creds.AccessKeyId)) {
throw new Error('AccessKeyId contains special characters.');
core.debug('AccessKeyId contains special characters.');
return false;
}
}
if (creds.SecretAccessKey) {
if (SPECIAL_CHARS_REGEX.test(creds.SecretAccessKey)) {
throw new Error('SecretAccessKey contains special characters.');
core.debug('SecretAccessKey contains special characters.');
return false;
}
}
return true;
}
exports.verifyKeys = verifyKeys;
// Retries the promise with exponential backoff if the error isRetryable up to maxRetries time.
@ -450,10 +450,19 @@ async function run() {
const unsetCurrentCredentialsInput = core.getInput('unset-current-credentials', { required: false }) || 'false';
const unsetCurrentCredentials = unsetCurrentCredentialsInput.toLowerCase() === 'true';
const disableRetryInput = core.getInput('disable-retry', { required: false }) || 'false';
const disableRetry = disableRetryInput.toLowerCase() === 'true';
let disableRetry = disableRetryInput.toLowerCase() === 'true';
const specialCharacterWorkaroundInput = core.getInput('special-characters-workaround', { required: false }) || 'false';
const specialCharacterWorkaround = specialCharacterWorkaroundInput.toLowerCase() === 'true';
let maxRetries = parseInt(core.getInput('retry-max-attempts', { required: false })) || 12;
if (maxRetries < 1) {
maxRetries = 1;
switch (true) {
case specialCharacterWorkaround:
// 😳
disableRetry = false;
maxRetries = 12;
break;
case maxRetries < 1:
maxRetries = 1;
break;
}
for (const managedSessionPolicy of managedSessionPoliciesInput) {
managedSessionPolicies.push({ arn: managedSessionPolicy });
@ -469,7 +478,8 @@ async function run() {
!AccessKeyId &&
!process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] &&
!roleChaining) {
core.info('It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?');
core.info('It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? ' +
'If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.');
}
return (!!roleToAssume &&
!!process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] &&
@ -510,10 +520,12 @@ async function run() {
// in any error messages.
(0, helpers_1.exportCredentials)({ AccessKeyId, SecretAccessKey, SessionToken });
}
else if (!webIdentityTokenFile && !roleChaining) {
else if (!webIdentityTokenFile &&
!roleChaining &&
!(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
}
if (AccessKeyId || roleChaining) {
if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
// Validate that the SDK can actually pick up credentials.
// This validates cases where this action is using existing environment credentials,
// and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
@ -522,21 +534,26 @@ async function run() {
}
// Get role credentials if configured to do so
if (roleToAssume) {
const roleCredentials = await (0, helpers_1.retryAndBackoff)(async () => {
return (0, assumeRole_1.assumeRole)({
credentialsClient,
sourceAccountId,
roleToAssume,
roleExternalId,
roleDuration,
roleSessionName,
roleSkipSessionTagging,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,
managedSessionPolicies,
});
}, !disableRetry, maxRetries);
let roleCredentials;
do {
// eslint-disable-next-line no-await-in-loop
roleCredentials = await (0, helpers_1.retryAndBackoff)(async () => {
return (0, assumeRole_1.assumeRole)({
credentialsClient,
sourceAccountId,
roleToAssume,
roleExternalId,
roleDuration,
roleSessionName,
roleSkipSessionTagging,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,
managedSessionPolicies,
});
}, !disableRetry, maxRetries);
// eslint-disable-next-line no-unmodified-loop-condition
} while (specialCharacterWorkaround && !(0, helpers_1.verifyKeys)(roleCredentials.Credentials));
core.info(`Authenticated as assumedRoleId ${roleCredentials.AssumedRoleUser.AssumedRoleId}`);
(0, helpers_1.exportCredentials)(roleCredentials.Credentials, outputCredentials);
// We need to validate the credentials in 2 of our use-cases
@ -562,6 +579,7 @@ async function run() {
}
exports.run = run;
/* c8 ignore start */
/* istanbul ignore next */
if (require.main === require.cache[eval('__filename')]) {
(async () => {
await run();

5
src/assumeRole.ts
View file

@ -5,7 +5,7 @@ import * as core from '@actions/core';
import type { AssumeRoleCommandInput, STSClient, Tag } from '@aws-sdk/client-sts';
import { AssumeRoleCommand, AssumeRoleWithWebIdentityCommand } from '@aws-sdk/client-sts';
import type { CredentialsClient } from './CredentialsClient';
import { errorMessage, isDefined, sanitizeGitHubVariables, verifyKeys } from './helpers';
import { errorMessage, isDefined, sanitizeGitHubVariables } from './helpers';
async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSClient, webIdentityToken: string) {
delete params.Tags;
@ -17,7 +17,6 @@ async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSCli
WebIdentityToken: webIdentityToken,
})
);
verifyKeys(creds.Credentials);
return creds;
} catch (error) {
throw new Error(`Could not assume role with OIDC: ${errorMessage(error)}`);
@ -49,7 +48,6 @@ async function assumeRoleWithWebIdentityTokenFile(
WebIdentityToken: webIdentityToken,
})
);
verifyKeys(creds.Credentials);
return creds;
} catch (error) {
throw new Error(`Could not assume role with web identity token file: ${errorMessage(error)}`);
@ -60,7 +58,6 @@ async function assumeRoleWithCredentials(params: AssumeRoleCommandInput, client:
core.info('Assuming role with user credentials');
try {
const creds = await client.send(new AssumeRoleCommand({ ...params }));
verifyKeys(creds.Credentials);
return creds;
} catch (error) {
throw new Error(`Could not assume role with user credentials: ${errorMessage(error)}`);

9
src/helpers.ts
View file

@ -93,18 +93,21 @@ export function reset() {
export function verifyKeys(creds: Partial<Credentials> | undefined) {
if (!creds) {
return;
return false;
}
if (creds.AccessKeyId) {
if (SPECIAL_CHARS_REGEX.test(creds.AccessKeyId)) {
throw new Error('AccessKeyId contains special characters.');
core.debug('AccessKeyId contains special characters.');
return false;
}
}
if (creds.SecretAccessKey) {
if (SPECIAL_CHARS_REGEX.test(creds.SecretAccessKey)) {
throw new Error('SecretAccessKey contains special characters.');
core.debug('SecretAccessKey contains special characters.');
return false;
}
}
return true;
}
// Retries the promise with exponential backoff if the error isRetryable up to maxRetries time.

73
src/index.ts
View file

@ -1,4 +1,5 @@
import * as core from '@actions/core';
import type { AssumeRoleCommandOutput } from '@aws-sdk/client-sts';
import { assumeRole } from './assumeRole';
import { CredentialsClient } from './CredentialsClient';
import {
@ -8,6 +9,7 @@ import {
exportCredentials,
exportAccountId,
unsetCredentials,
verifyKeys,
} from './helpers';
const DEFAULT_ROLE_DURATION = 3600; // One hour (seconds)
@ -43,10 +45,20 @@ export async function run() {
const unsetCurrentCredentialsInput = core.getInput('unset-current-credentials', { required: false }) || 'false';
const unsetCurrentCredentials = unsetCurrentCredentialsInput.toLowerCase() === 'true';
const disableRetryInput = core.getInput('disable-retry', { required: false }) || 'false';
const disableRetry = disableRetryInput.toLowerCase() === 'true';
let disableRetry = disableRetryInput.toLowerCase() === 'true';
const specialCharacterWorkaroundInput =
core.getInput('special-characters-workaround', { required: false }) || 'false';
const specialCharacterWorkaround = specialCharacterWorkaroundInput.toLowerCase() === 'true';
let maxRetries = parseInt(core.getInput('retry-max-attempts', { required: false })) || 12;
if (maxRetries < 1) {
maxRetries = 1;
switch (true) {
case specialCharacterWorkaround:
// 😳
disableRetry = false;
maxRetries = 12;
break;
case maxRetries < 1:
maxRetries = 1;
break;
}
for (const managedSessionPolicy of managedSessionPoliciesInput) {
managedSessionPolicies.push({ arn: managedSessionPolicy });
@ -66,7 +78,8 @@ export async function run() {
!roleChaining
) {
core.info(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? ' +
'If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
}
return (
@ -115,11 +128,15 @@ export async function run() {
// the source credentials to already be masked as secrets
// in any error messages.
exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
} else if (!webIdentityTokenFile && !roleChaining) {
} else if (
!webIdentityTokenFile &&
!roleChaining &&
!(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
) {
throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
}
if (AccessKeyId || roleChaining) {
if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
// Validate that the SDK can actually pick up credentials.
// This validates cases where this action is using existing environment credentials,
// and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
@ -129,25 +146,30 @@ export async function run() {
// Get role credentials if configured to do so
if (roleToAssume) {
const roleCredentials = await retryAndBackoff(
async () => {
return assumeRole({
credentialsClient,
sourceAccountId,
roleToAssume,
roleExternalId,
roleDuration,
roleSessionName,
roleSkipSessionTagging,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,
managedSessionPolicies,
});
},
!disableRetry,
maxRetries
);
let roleCredentials: AssumeRoleCommandOutput;
do {
// eslint-disable-next-line no-await-in-loop
roleCredentials = await retryAndBackoff(
async () => {
return assumeRole({
credentialsClient,
sourceAccountId,
roleToAssume,
roleExternalId,
roleDuration,
roleSessionName,
roleSkipSessionTagging,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,
managedSessionPolicies,
});
},
!disableRetry,
maxRetries
);
// eslint-disable-next-line no-unmodified-loop-condition
} while (specialCharacterWorkaround && !verifyKeys(roleCredentials.Credentials));
core.info(`Authenticated as assumedRoleId ${roleCredentials.AssumedRoleUser!.AssumedRoleId!}`);
exportCredentials(roleCredentials.Credentials, outputCredentials);
// We need to validate the credentials in 2 of our use-cases
@ -173,6 +195,7 @@ export async function run() {
}
/* c8 ignore start */
/* istanbul ignore next */
if (require.main === module) {
(async () => {
await run();

113
test/index.test.ts
View file

@ -519,13 +519,33 @@ describe('Configure AWS Credentials', () => {
await run();
expect(core.info).toHaveBeenCalledWith(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
expect(core.setFailed).toHaveBeenCalledWith(
'Could not determine how to assume credentials. Please check your inputs and try again.'
);
});
test('Assume role with existing credentials if nothing else set', async () => {
process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID;
process.env['AWS_SECRET_ACCESS_KEY'] = FAKE_SECRET_ACCESS_KEY;
jest.spyOn(core, 'getInput').mockImplementation(
mockGetInput({
'role-to-assume': ROLE_ARN,
'aws-region': FAKE_REGION,
})
);
await run();
expect(core.info).toHaveBeenCalledWith(
'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(1);
});
test('role assumption fails after maximum trials using OIDC provider', async () => {
process.env['GITHUB_ACTIONS'] = 'true';
process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = 'test-token';
@ -556,61 +576,62 @@ describe('Configure AWS Credentials', () => {
expect(mockedSTS.commandCalls(AssumeRoleWithWebIdentityCommand).length).toEqual(1);
});
test('role assumption fails if access key id contains special characters', async () => {
jest.spyOn(core, 'getInput').mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS }));
test('special character workaround works for AWS_ACCESS_KEY_ID', async () => {
jest
.spyOn(core, 'getInput')
.mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS, 'special-characters-workaround': 'true' }));
mockedSTS.on(AssumeRoleCommand).resolves({
Credentials: {
AccessKeyId: 'asdf+',
SecretAccessKey: FAKE_STS_SECRET_ACCESS_KEY,
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
});
mockedSTS
.on(AssumeRoleCommand)
.resolvesOnce({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: 'asdf+',
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
})
.resolves({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: 'asdf',
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
});
await run();
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(12);
expect(core.setFailed).toHaveBeenCalledWith(
'Could not assume role with user credentials: AccessKeyId contains special characters.'
);
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(2);
});
test('role assumption fails if secret access key contains special characters', async () => {
jest.spyOn(core, 'getInput').mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS }));
test('special character workaround works for AWS_SECRET_ACCESS_KEY', async () => {
jest
.spyOn(core, 'getInput')
.mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS, 'special-characters-workaround': 'true' }));
mockedSTS.on(AssumeRoleCommand).resolves({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: 'asdf+',
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
});
mockedSTS
.on(AssumeRoleCommand)
.resolvesOnce({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: 'asdf+',
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
})
.resolves({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: 'asdf',
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
});
await run();
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(12);
expect(core.setFailed).toHaveBeenCalledWith(
'Could not assume role with user credentials: SecretAccessKey contains special characters.'
);
});
test('role assumption succeeds if keys have no special characters', async () => {
jest.spyOn(core, 'getInput').mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS }));
mockedSTS.on(AssumeRoleCommand).resolves({
Credentials: {
AccessKeyId: FAKE_STS_ACCESS_KEY_ID,
SecretAccessKey: FAKE_STS_SECRET_ACCESS_KEY,
SessionToken: FAKE_STS_SESSION_TOKEN,
Expiration: new Date(8640000000000000),
},
});
await run();
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(1);
expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(2);
});
test('max retries is configurable', async () => {