From b0d77b694c1be2b9a0ba09548e203736e4a5a3c2 Mon Sep 17 00:00:00 2001
From: Tom Keller
Date: Thu, 28 May 2026 12:31:40 -0700
Subject: [PATCH] Revert "chore: document container credentials provider support (and delete transitive tags in AssumeRoleWithWebIdentity) (#1780)"
This reverts commit 77cd089899db691aca656a40c5feca6f9ffd1a6c.
---
 README.md | 11 -----------
 action.yml | 2 +-
 src/assumeRole.ts | 1 -
 test/index.test.ts | 12 ------------
 4 files changed, 1 insertion(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 71358ed..df38357 100644
--- a/README.md
+++ b/README.md
@@ -168,7 +168,6 @@ detail.
 | role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
 | role-skip-session-tagging | Skips session tagging if set. | No |
 | transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
-| custom-tags | Additional tags to apply to the assumed role session. Must be a JSON object provided as a string. Custom tags are not usable with OIDC or web identity token authentication. | No |
 | inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
 | managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
 | output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
@@ -181,8 +180,6 @@ detail.
 | allowed-account-ids | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. | No |
 | force-skip-oidc | When set, the action will skip using GitHub OIDC provider even if the id-token permission is set. | No |
 | action-timeout-s | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. | No |
-| no-proxy | Hosts to skip for the proxy configuration. | No |
-| sts-endpoint | Custom STS endpoint URL. Use this to point to an STS-compatible API (e.g. MinIO, LocalStack) instead of the default AWS STS endpoint for the region. | No |
@@ -620,14 +617,6 @@ For further information on OIDC and GitHub Actions, please see:
 - [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 - [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)
-## Running in AWS Containers
-
-To run this action using self-hosted action runners on AWS Containers such as
-Codebuild or EKS, you may need to set `role-chaining: true`.
-
-If you are using EKS and encountering an error related to the packed size of
-session tags, set `role-skip-session-tagging: true`.
-
 ## Compatibility with non-GitHub Actions environments
 This action has been sucessfully tested with
diff --git a/action.yml b/action.yml
index fbe5923..318c99d 100644
--- a/action.yml
+++ b/action.yml
@@ -34,7 +34,7 @@ inputs:
 description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node.
 required: false
 role-chaining:
- description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input. This is sometimes useful when running on a self-hosted runner with container-sourced credentials.
+ description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input.
 required: false
 audience:
 description: The audience to use for the OIDC provider
diff --git a/src/assumeRole.ts b/src/assumeRole.ts
index b0b222a..ebf27a6 100644
--- a/src/assumeRole.ts
+++ b/src/assumeRole.ts
@@ -42,7 +42,6 @@ async function assumeRoleWithWebIdentityTokenFile(
 core.info('Assuming role with web identity token file');
 try {
 delete params.Tags;
- delete params.TransitiveTagKeys;
 const creds = await client.send(
 new AssumeRoleWithWebIdentityCommand({
 ...params,
diff --git a/test/index.test.ts b/test/index.test.ts
index 93f6abe..3970951 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
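Review bot: With `delete params.TransitiveTagKeys;` removed from the src/assumeRole.ts hunk, the `...params` spread into `AssumeRoleWithWebIdentityCommand` will again carry `TransitiveTagKeys` whenever the `transitive-tag-keys` input is set, while `params.Tags` is still stripped on the line above, so the two session-tag fields are now handled inconsistently on the web-identity path. The test this commit deletes in test/index.test.ts (its comment states that AssumeRoleWithWebIdentity takes session tags from the token's claims, not from the request) was the only visible check on what reaches STS, so after the revert the request shape is unasserted; what STS does with the extra field is not shown here and presumably ends in a request error rather than a silently dropped tag, which is worth confirming. If the revert is deliberate, a one-line comment on the surviving `delete params.Tags;` such as `// AssumeRoleWithWebIdentity does not accept request Tags; TransitiveTagKeys is intentionally left in place` would record the decision; otherwise keep `delete params.TransitiveTagKeys;` next to it. The body of assumeRoleWithWebIdentityTokenFile starts and ends outside the hunk.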
@@ -202,18 +202,6 @@ describe('Configure AWS Credentials', {}, () => {
 expect(core.setOutput).toHaveBeenCalledTimes(2);
 expect(core.setFailed).not.toHaveBeenCalled();
 });
- it('does not send Tags or TransitiveTagKeys to AssumeRoleWithWebIdentity', async () => {
- // AssumeRoleWithWebIdentity reads session tags from JWT claims, not the request.
- // Both fields must be stripped before the STS call.
- vi.mocked(core.getMultilineInput).mockImplementation((name: string) => {
- if (name === 'transitive-tag-keys') return ['Repository'];
- return [];
- });
- await run();
- const callInput = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)[0].args[0].input;
- expect(callInput.Tags).toBeUndefined();
- expect(callInput.TransitiveTagKeys).toBeUndefined();
- });
 });
 describe('Assume existing role', {}, () => {