5 commits
main
...
kellerkt/c
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
cc3d630aff | ||
|
|
4ad9baccc5 | ||
|
|
bdfbf63996 | ||
|
|
14656373f9 |
||
|
|
f85dec7edc |
4 changed files with 25 additions and 1 deletions
11
README.md
11
README.md
|
|
@ -168,6 +168,7 @@ detail.
|
||||||
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
|
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
|
||||||
| role-skip-session-tagging | Skips session tagging if set. | No |
|
| role-skip-session-tagging | Skips session tagging if set. | No |
|
||||||
| transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
|
| transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
|
||||||
|
| custom-tags | Additional tags to apply to the assumed role session. Must be a JSON object provided as a string. Custom tags are not usable with OIDC or web identity token authentication. | No |
|
||||||
| inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
|
| inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
|
||||||
| managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
|
| managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
|
||||||
| output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
|
| output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
|
||||||
|
|
@ -180,6 +181,8 @@ detail.
|
||||||
| allowed-account-ids | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. | No |
|
| allowed-account-ids | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. | No |
|
||||||
| force-skip-oidc | When set, the action will skip using GitHub OIDC provider even if the id-token permission is set. | No |
|
| force-skip-oidc | When set, the action will skip using GitHub OIDC provider even if the id-token permission is set. | No |
|
||||||
| action-timeout-s | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. | No |
|
| action-timeout-s | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. | No |
|
||||||
|
| no-proxy | Hosts to skip for the proxy configuration. | No |
|
||||||
|
| sts-endpoint | Custom STS endpoint URL. Use this to point to an STS-compatible API (e.g. MinIO, LocalStack) instead of the default AWS STS endpoint for the region. | No |
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
@ -617,6 +620,14 @@ For further information on OIDC and GitHub Actions, please see:
|
||||||
- [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
|
- [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
|
||||||
- [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)
|
- [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)
|
||||||
|
|
||||||
|
## Running in AWS Containers
|
||||||
|
|
||||||
|
To run this action using self-hosted action runners on AWS Containers such as
|
||||||
|
Codebuild or EKS, you may need to set `role-chaining: true`.
|
||||||
|
|
||||||
|
If you are using EKS and encountering an error related to the packed size of
|
||||||
|
session tags, set `role-skip-session-tagging: true`.
|
||||||
|
|
||||||
## Compatibility with non-GitHub Actions environments
|
## Compatibility with non-GitHub Actions environments
|
||||||
|
|
||||||
This action has been sucessfully tested with
|
This action has been sucessfully tested with
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ inputs:
|
||||||
description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node.
|
description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node.
|
||||||
required: false
|
required: false
|
||||||
role-chaining:
|
role-chaining:
|
||||||
description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input.
|
description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input. This is sometimes useful when running on a self-hosted runner with container-sourced credentials.
|
||||||
required: false
|
required: false
|
||||||
audience:
|
audience:
|
||||||
description: The audience to use for the OIDC provider
|
description: The audience to use for the OIDC provider
|
||||||
|
|
|
||||||
|
|
@ -42,6 +42,7 @@ async function assumeRoleWithWebIdentityTokenFile(
|
||||||
core.info('Assuming role with web identity token file');
|
core.info('Assuming role with web identity token file');
|
||||||
try {
|
try {
|
||||||
delete params.Tags;
|
delete params.Tags;
|
||||||
|
delete params.TransitiveTagKeys;
|
||||||
const creds = await client.send(
|
const creds = await client.send(
|
||||||
new AssumeRoleWithWebIdentityCommand({
|
new AssumeRoleWithWebIdentityCommand({
|
||||||
...params,
|
...params,
|
||||||
|
|
|
||||||
|
|
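Review bot: The new `delete params.TransitiveTagKeys;` drops an operator-supplied `transitive-tag-keys` input with no trace in the run log, so a workflow that expects those keys to be carried on the session proceeds without them and nothing tells the reader why the deletion is correct. Suggest a comment on the new line, `// AssumeRoleWithWebIdentity takes session tags from the token's claims; Tags and TransitiveTagKeys are not accepted on the request`, and before the two deletes `if (params.Tags || params.TransitiveTagKeys) core.info('Ignoring session tags and transitive tag keys for web identity role assumption');` so the discarded configuration is visible. The README hunk on this page states that custom tags are not usable with web identity authentication, and a log line keeps the code and that statement in step. assumeRoleWithWebIdentityTokenFile starts outside the hunk and the hunk does not show how `params` is populated, so whether `core.warning` would fit better than `core.info` depends on that caller.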
@ -202,6 +202,18 @@ describe('Configure AWS Credentials', {}, () => {
|
||||||
expect(core.setOutput).toHaveBeenCalledTimes(2);
|
expect(core.setOutput).toHaveBeenCalledTimes(2);
|
||||||
expect(core.setFailed).not.toHaveBeenCalled();
|
expect(core.setFailed).not.toHaveBeenCalled();
|
||||||
});
|
});
|
||||||
|
it('does not send Tags or TransitiveTagKeys to AssumeRoleWithWebIdentity', async () => {
|
||||||
|
// AssumeRoleWithWebIdentity reads session tags from JWT claims, not the request.
|
||||||
|
// Both fields must be stripped before the STS call.
|
||||||
|
vi.mocked(core.getMultilineInput).mockImplementation((name: string) => {
|
||||||
|
if (name === 'transitive-tag-keys') return ['Repository'];
|
||||||
|
return [];
|
||||||
|
});
|
||||||
|
await run();
|
||||||
|
const callInput = mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)[0].args[0].input;
|
||||||
|
expect(callInput.Tags).toBeUndefined();
|
||||||
|
expect(callInput.TransitiveTagKeys).toBeUndefined();
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('Assume existing role', {}, () => {
|
describe('Assume existing role', {}, () => {
|
||||||
|
|
|
||||||
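Review bot: The `expect(callInput.Tags).toBeUndefined()` assertion at the end of the new test is not tied to any input that would populate `Tags`: the mock returns a value only for `transitive-tag-keys`, and nothing in the hunk arranges for session tags to be set, so that assertion may pass whether or not `delete params.Tags` runs. Unless the surrounding describe setup, which starts outside the hunk, enables default session tagging, the test only proves the TransitiveTagKeys strip. Suggest asserting that the command was sent before indexing `[0]`, `expect(mockedSTSClient.commandCalls(AssumeRoleWithWebIdentityCommand)).toHaveLength(1);`, so a code path that never reaches STS fails with a clear message instead of a TypeError on `.args`. The `mockImplementation` on `core.getMultilineInput` is not restored within the test; if the suite does not reset mocks between cases (not visible here) it leaks into later tests.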