diff --git a/README.md b/README.md index 5dbc3a6..4d2f969 100644 --- a/README.md +++ b/README.md 
@@ -623,15 +623,31 @@ For further information on OIDC and GitHub Actions, please see: - [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) - [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/) -## Running in AWS Containers +## Getting Credentials in AWS Self-Hosted Runners -To run this action using self-hosted action runners on AWS Containers such as -Codebuild or EKS, you may need to set `role-chaining: true`. +If you are running GitHub Actions in a self-hosted runner using an AWS Service +(such as Codebuild or EKS) and you have properly configured the service, +credentials should be available by default; the AWS CLI will fetch credentials +using the AWS_CONTAINER_CREDENTIALS_FULL_URI or +AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables. However, you may +still want to use this action if you need to export those credentials for use +with other tools in your workflow. You may also want to use this action in +scenarios where you need to use that 'default' role to assume another role. -If you are using EKS and encountering an error related to the packed size of -session tags, set `role-skip-session-tagging: true`. Alternatively, you may +To export credentials, simply run the action with `role-to-assume` set to the +default role of the container. + +To assume another role from the container's default role, use the +`role-chaining: true` flag, so that the action fetches the default credentials +from the environment before assuming the other role. 
+ +If you are using EKS Pod Identities and encountering an error related to the +packed size of session tags, you must either run the action with +`role-skip-session-tagging: true` to disable the tags set by the action, or [disable EKS session tagging][eks-disable-session-tagging] in the EKS settings -if you do not need those predefined tags. +to disable the tags that are automatically set by the EKS Pod Identity Service. +Check the values of the action's session tags and the session tags that are +added by EKS so you can keep the set of tags which is more useful to you. [eks-disable-session-tagging]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags diff --git a/action.yml b/action.yml index fbe5923..318c99d 100644 --- a/action.yml +++ b/action.yml @@ -34,7 +34,7 @@ inputs: description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node. required: false role-chaining: - description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input. This is sometimes useful when running on a self-hosted runner with container-sourced credentials. + description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input. required: false audience: description: The audience to use for the OIDC provider diff --git a/src/assumeRole.ts b/src/assumeRole.ts index 6c91917..95f6bdc 100644 --- a/src/assumeRole.ts +++ b/src/assumeRole.ts 
@@ -108,9 +108,8 @@ const NON_DROPPABLE_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }> { key: 'Branch', envVar: 'GITHUB_REF' }, ]; -// Convenience metadata. Will be dropped if session tag size is too large. -// Logic for dropping tags by priority has been removed; it seems unlikely that -// the limit of 50 tags will be hit without first hitting the size limit. +// Convenience metadata. If the AssumeRole call fails due to compressed size of +// session tags being too large, we will drop these tags and retry once. const DROPPABLE_TAG_SOURCES: ReadonlyArray<{ key: string; envVar: string }> = [ { key: 'EventName', envVar: 'GITHUB_EVENT_NAME' }, { key: 'BaseRef', envVar: 'GITHUB_BASE_REF' },
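Review bot: In the README hunk, the "To export credentials, simply run the action with `role-to-assume` set to the default role of the container" paragraph does not say how the action obtains the credentials it uses to make that AssumeRole call; the following paragraph states that only `role-chaining: true` makes the action "fetch the default credentials from the environment", so a reader cannot tell whether the export case also needs `role-chaining: true` or whether the action picks up `AWS_CONTAINER_CREDENTIALS_FULL_URI`/`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` on its own. State explicitly which inputs the export case requires. Two smaller points in the same hunk: attributing credential lookup to "the AWS CLI" is misleading for a TypeScript action (the code under `src/` resolves credentials itself, so say "the AWS SDK credential provider chain" or name both), and "Codebuild" should be written "CodeBuild".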
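Review bot: The `action.yml` hunk removes the only in-place hint about when `role-chaining` is useful ("when running on a self-hosted runner with container-sourced credentials"), and the input description is what users see in the marketplace and in editor tooltips without opening the README. Keep a one-clause pointer in the description, e.g. "...rather than providing credentials as input (see the README section on self-hosted runners on AWS)", so the guidance now living in the README is still discoverable from the input itself.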
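Review bot: The new comment on `DROPPABLE_TAG_SOURCES` promises behaviour ("we will drop these tags and retry once") that this hunk does not show; only the comment changes here, so the retry path, and the error it matches on, should be visible in the same patch or referenced by function name so the comment stays verifiable. Make sure the retry is gated on the specific STS error for oversized packed session tags rather than on any AssumeRole failure, otherwise a genuine permissions error gets retried with fewer tags and the second failure masks the first. The README hunk should then be reconciled with this: it currently tells EKS Pod Identity users they "must" set `role-skip-session-tagging: true` or disable EKS tagging, whereas this comment implies the action first drops the droppable tags automatically and only the non-droppable set can still exceed the limit; say which happens first.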