From f85dec7edc19466dd8d98ace3a75610a3cd8acf5 Mon Sep 17 00:00:00 2001 From: Tom Keller Date: Thu, 14 May 2026 15:35:29 -0700 Subject: [PATCH] feat: container credentials provider support Closes #1546 Adds initial support for the container credentials provider. When used with the force-skip-oidc flag, allows ECS/CodeBuild to be used as a source. This was supported by the SDK but our pre run checks did not consider it a valid credential source. --- action.yml | 2 +- src/assumeRole.ts | 1 + src/index.ts | 14 +++++++-- test/index.test.ts | 77 +++++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 90 insertions(+), 4 deletions(-) diff --git a/action.yml b/action.yml index 318c99d..fba8ae1 100644 --- a/action.yml +++ b/action.yml @@ -96,7 +96,7 @@ inputs: description: An option comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. force-skip-oidc: required: false - description: When enabled, this option will skip using GitHub OIDC provider even if the id-token permission is set. This is sometimes useful when using IAM instance credentials. + description: When enabled, this option will skip using GitHub OIDC provider even if the id-token permission is set. This is sometimes useful when using IAM instance credentials, or when running on a self-hosted runner with container-sourced credentials. action-timeout-s: required: false description: A global timeout in seconds for the action. When the timeout is reached, the action immediately exits. The default is to run without a timeout. diff --git a/src/assumeRole.ts b/src/assumeRole.ts index 700532b..33975f2 100644 --- a/src/assumeRole.ts +++ b/src/assumeRole.ts @@ -43,6 +43,7 @@ async function assumeRoleWithWebIdentityTokenFile( try { const webIdentityToken = fs.readFileSync(webIdentityTokenFilePath, 'utf8'); delete params.Tags; + delete params.TransitiveTagKeys; const creds = await client.send( new AssumeRoleWithWebIdentityCommand({ ...params, diff --git a/src/index.ts b/src/index.ts index 2153a32..00b91ef 100644 --- a/src/index.ts +++ b/src/index.ts @@ -77,12 +77,22 @@ export async function run() { }, globalTimeout * 1000); } - if (forceSkipOidc && roleToAssume && !AccessKeyId && !webIdentityTokenFile) { + // Container-sourced credentials are exposed by the AWS SDK default chain via these env vars. They count as a valid + // non-OIDC source for the force-skip-oidc guard. + const hasContainerCredentials = !!( + process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI + ); + + if (forceSkipOidc && roleToAssume && !AccessKeyId && !webIdentityTokenFile && !hasContainerCredentials) { throw new Error( - "If 'force-skip-oidc' is true and 'role-to-assume' is set, 'aws-access-key-id' or 'web-identity-token-file' must be set", + "If 'force-skip-oidc' is true and 'role-to-assume' is set, 'aws-access-key-id', 'web-identity-token-file', or container credentials must be available", ); } + if (forceSkipOidc && hasContainerCredentials && !AccessKeyId && !webIdentityTokenFile) { + core.info('Using container credentials from AWS_CONTAINER_CREDENTIALS_* environment variables'); + } + if (specialCharacterWorkaround) { // 😳 disableRetry = false; diff --git a/test/index.test.ts b/test/index.test.ts index 3970951..8ebe526 100644 --- a/test/index.test.ts +++ b/test/index.test.ts @@ -202,6 +202,18 @@ describe('Configure AWS Credentials', {}, () => { expect(core.setOutput).toHaveBeenCalledTimes(2); expect(core.setFailed).not.toHaveBeenCalled(); }); + it('does not send Tags or TransitiveTagKeys to AssumeRoleWithWebIdentity', async () => { + // AssumeRoleWithWebIdentity reads session tags from JWT claims, not the request. + // Both fields must be stripped before the STS call. + vi.mocked(core.getMultilineInput).mockImplementation((name: string) => { + if (name === 'transitive-tag-keys') return ['Repository']; + return []; + }); + await run(); + const callInput = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)[0].args[0].input; + expect(callInput.Tags).toBeUndefined(); + expect(callInput.TransitiveTagKeys).toBeUndefined(); + }); }); describe('Assume existing role', {}, () => { @@ -731,7 +743,70 @@ describe('Configure AWS Credentials', {}, () => { await run(); expect(core.setFailed).toHaveBeenCalledWith( - "If 'force-skip-oidc' is true and 'role-to-assume' is set, 'aws-access-key-id' or 'web-identity-token-file' must be set", + "If 'force-skip-oidc' is true and 'role-to-assume' is set, 'aws-access-key-id', 'web-identity-token-file', or container credentials must be available", + ); + }); + + it('uses container credentials with force-skip-oidc and role-to-assume (CodeBuild/ECS runner, #1546)', async () => { + vi.mocked(core.getInput).mockImplementation( + mocks.getInput({ + 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE', + 'aws-region': 'fake-region-1', + 'force-skip-oidc': 'true', + }), + ); + vi.mocked(core.getIDToken).mockResolvedValue('testoidctoken'); + mockedSTSClient.on(AssumeRoleCommand).resolves(mocks.outputs.STS_CREDENTIALS); + mockedSTSClient.on(GetCallerIdentityCommand).resolves({ ...mocks.outputs.GET_CALLER_IDENTITY }); + // Simulate the container-metadata creds the SDK would pull from 169.254.170.2. + // biome-ignore lint/suspicious/noExplicitAny: any required to mock private method + vi.spyOn(CredentialsClient.prototype as any, 'loadCredentials').mockResolvedValue({ + accessKeyId: 'CONTAINERAWSACCESSKEYID', + }); + process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token'; + process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = '/v2/credentials/abc-123'; + + await run(); + expect(core.getIDToken).not.toHaveBeenCalled(); + expect(core.info).toHaveBeenCalledWith( + 'Using container credentials from AWS_CONTAINER_CREDENTIALS_* environment variables', + ); + expect(core.info).toHaveBeenCalledWith('Assuming role with user credentials'); + expect(core.setFailed).not.toHaveBeenCalled(); + }); + + it('uses container credentials via AWS_CONTAINER_CREDENTIALS_FULL_URI', async () => { + vi.mocked(core.getInput).mockImplementation( + mocks.getInput({ + 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE', + 'aws-region': 'fake-region-1', + 'force-skip-oidc': 'true', + }), + ); + mockedSTSClient.on(AssumeRoleCommand).resolves(mocks.outputs.STS_CREDENTIALS); + mockedSTSClient.on(GetCallerIdentityCommand).resolves({ ...mocks.outputs.GET_CALLER_IDENTITY }); + // biome-ignore lint/suspicious/noExplicitAny: any required to mock private method + vi.spyOn(CredentialsClient.prototype as any, 'loadCredentials').mockResolvedValue({ + accessKeyId: 'CONTAINERAWSACCESSKEYID', + }); + process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI = 'http://169.254.170.23/credentials'; + + await run(); + expect(core.setFailed).not.toHaveBeenCalled(); + }); + + it('still errors when container env vars are absent and no other creds are provided', async () => { + vi.mocked(core.getInput).mockImplementation( + mocks.getInput({ + 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE', + 'aws-region': 'fake-region-1', + 'force-skip-oidc': 'true', + }), + ); + // Neither AWS_CONTAINER_CREDENTIALS_RELATIVE_URI nor _FULL_URI is set (mocks.envs has neither). + await run(); + expect(core.setFailed).toHaveBeenCalledWith( + expect.stringContaining("'aws-access-key-id', 'web-identity-token-file', or container credentials"), ); });