From dee935fabb5ed64320225e44e6f880bd4c8a5b15 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 6 Mar 2020 18:00:07 +0000 Subject: [PATCH] chore: Update dist --- dist/index.js | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/dist/index.js b/dist/index.js index da17bd4..fc1e81c 100644 --- a/dist/index.js +++ b/dist/index.js @@ -268,8 +268,8 @@ function getStsClient(region) { async function run() { try { // Get inputs - const accessKeyId = core.getInput('aws-access-key-id', { required: true }); - const secretAccessKey = core.getInput('aws-secret-access-key', { required: true }); + const accessKeyId = core.getInput('aws-access-key-id', { required: false }); + const secretAccessKey = core.getInput('aws-secret-access-key', { required: false }); const region = core.getInput('aws-region', { required: true }); const sessionToken = core.getInput('aws-session-token', { required: false }); const maskAccountId = core.getInput('mask-aws-account-id', { required: false }); @@ -278,13 +278,21 @@ async function run() { const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME; const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME; + exportRegion(region); + // Always export the source credentials and account ID. // The STS client for calling AssumeRole pulls creds from the environment. // Plus, in the assume role case, if the AssumeRole call fails, we want // the source credentials and accound ID to already be masked as secrets // in any error messages. - exportRegion(region); - exportCredentials({accessKeyId, secretAccessKey, sessionToken}); + if (accessKeyId) { + if (!secretAccessKey) { + throw new Error("'aws-secret-access-key' must be provided if 'aws-access-key-id' is provided"); + } + + exportCredentials({accessKeyId, secretAccessKey, sessionToken}); + } + const sourceAccountId = await exportAccountId(maskAccountId, region); // Get role credentials if configured to do so