a7f0c828ac* Support usage of AWS Profiles
* squash merge main updates w feature branch
Squashed commit of the following:
commit ef2df4679f908ff30d5a711258ace2fa906c4bf3
Author: Michael Lehmann <lehmanmj@amazon.com>
Date: Tue Mar 17 11:24:04 2026 -0700
dist update
commit db3779a0e9
Author: Jan Feddern <jf@novatec-gmbh.de>
Date: Sun Dec 21 11:28:36 2025 +0100
Support usage of AWS Profiles
* chore: Update dist
* consistent outputEnvCredentials
* take out tests temporarily
* chore: Update dist
* debug changes for static creds
* remove debug and only cleanup profile if it was set
* formatting fixes + remove profile from cleanup test
* feat: Support usage of AWS Profiles
Adds a config option to support writing to profile files instead of
exporting environment variables.
Closes #1594. Closes #1586. Closes #112.
* chore: fix failing test case and windows path
* chore: lint project markdown files
* chore: update scripts in package.json and tsconfig update
* make env vars consistent, readme linting
* debug for profile path env vars
* remove debug
* remove profile backups
* error if we try to overwrite
* add option to overwrite existing profiles
* tests for overwrite option
* default to no env vars
* remove default from action file
* add static credential env var support
* validation fix for static creds multi profile
* debug sleep for static creds validation
* wait syntax
* undo sleep for creds validate
* test coverage, readme/action yml updates, validate creds later on self-hosted runner
* security dependency updates
* chore(deps-dev): bump @biomejs/biome from 2.4.8 to 2.4.10 (#1709)
Bumps [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) from 2.4.8 to 2.4.10.
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.10/packages/@biomejs/biome)
---
updated-dependencies:
- dependency-name: "@biomejs/biome"
dependency-version: 2.4.10
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps-dev): bump @aws-sdk/credential-provider-env (#1713)
Bumps [@aws-sdk/credential-provider-env](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/credential-provider-env) from 3.972.22 to 3.972.24.
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/credential-provider-env/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/credential-provider-env)
---
updated-dependencies:
- dependency-name: "@aws-sdk/credential-provider-env"
dependency-version: 3.972.24
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore: Update dist
* chore(deps): bump @aws-sdk/client-sts from 3.1015.0 to 3.1020.0 (#1710)
Bumps [@aws-sdk/client-sts](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-sts) from 3.1015.0 to 3.1020.0.
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-sts/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1020.0/clients/client-sts)
---
updated-dependencies:
- dependency-name: "@aws-sdk/client-sts"
dependency-version: 3.1020.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore: Update dist
* fix: do not write empty profile files
Also cleanup fix, additional test, README typo cleanup
* linting fix
* chore: linting fix
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jan Feddern <jf@novatec-gmbh.de>
Co-authored-by: Michael Lehmann <lehmanmj@amazon.com>
Co-authored-by: GitHub Actions <github-aws-sdk-osds-automation@amazon.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
281 lines
9.8 KiB
YAML
281 lines
9.8 KiB
YAML
name: Run pre-release integ tests
|
|
on:
|
|
pull_request_target:
|
|
workflow_dispatch:
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
oidc:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: OIDC login test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: Configure AWS credentials
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
- name: Get Caller Identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
|
|
#can cut this test out if it's not necessary
|
|
static_assumeRole:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
name: Static IAM creds test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: assume creator Role
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
|
|
- name: create and mask access key
|
|
id: create-key
|
|
run: |
|
|
AK_OUTPUT=$(aws iam create-access-key --user-name integ-test-static-user-${{ runner.os }})
|
|
AK_ID=$(echo $AK_OUTPUT | jq -r '.AccessKey.AccessKeyId')
|
|
SECRET_AK=$(echo $AK_OUTPUT | jq -r '.AccessKey.SecretAccessKey')
|
|
echo "::add-mask::$AK_ID"
|
|
echo "::add-mask::$SECRET_AK"
|
|
echo "STATIC_ACCESS_KEY_ID=$AK_ID" >> $GITHUB_OUTPUT
|
|
echo "STATIC_SECRET_ACCESS_KEY=$SECRET_AK" >> $GITHUB_OUTPUT
|
|
- name: sleep so key can propagate
|
|
run: sleep 30
|
|
- name: assume role with static creds
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_TEST_TARGET_ROLE }}
|
|
aws-access-key-id: ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ steps.create-key.outputs.STATIC_SECRET_ACCESS_KEY }}
|
|
- name: check account
|
|
run: aws sts get-caller-identity
|
|
- name: log back into creator role
|
|
if: success() || failure()
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
|
|
- name: delete access key
|
|
if: success() || failure()
|
|
run: |
|
|
aws iam delete-access-key --user-name integ-test-static-user-${{ runner.os }} --access-key-id ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}
|
|
|
|
role_chaining:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Existing Creds + Role Chaining test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: Configure AWS credentials
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.ROLE_chaining_1 }}
|
|
- name: Get Caller Identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
- name: assume second role
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.ROLE_chaining_2 }}
|
|
role-chaining: true
|
|
- name: get caller identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
|
|
inline_policy:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Inline Policy Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: get creds w scoped down policy
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.INLINE_policy_role }}
|
|
inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
|
|
|
|
#NOTE: This step should succeed. The role should have permission only to list all buckets.
|
|
- name: list buckets
|
|
run: aws s3 ls > /dev/null
|
|
|
|
#NOTE: This step should fail. we don't want the role to have permission to see the bucket contents.
|
|
- name: try to list bucket contents
|
|
id: bucketContentsStep
|
|
continue-on-error: true
|
|
run: aws s3 ls s3://cawsc-integ-tests-bucket > /dev/null
|
|
|
|
#But the test fails if we could list the bucket contents.
|
|
- name: fail if we can list bucket contents
|
|
if: steps.bucketContentsStep.outcome == 'success'
|
|
run: exit 1
|
|
|
|
http-proxy:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
runs-on: ubuntu-latest
|
|
name: HTTP Proxy Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: install tinyproxy
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get -y install tinyproxy
|
|
- name: start tinyproxy
|
|
run: tinyproxy -c .github/integ_tests/tinyproxy.conf
|
|
- name: Configure AWS credentials
|
|
continue-on-error: true
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
http-proxy: http://127.0.0.1:9999
|
|
retry-max-attempts: 4
|
|
- name: checkout logs
|
|
run: cat integ_proxy_log.txt
|
|
- name: check logs to see if successful call
|
|
run: grep -q "Request" integ_proxy_log.txt && echo "PROXY_CALL_LOGGED=1" >> $GITHUB_ENV || echo "PROXY_CALL_LOGGED=0" >> $GITHUB_ENV
|
|
- name: fail job if bad call
|
|
if: ${{ env.PROXY_CALL_LOGGED != 1 }}
|
|
run: exit 1
|
|
|
|
token-file:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Token File Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: fetch token and write to file
|
|
uses: actions/github-script@v8
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
async function getIDTokenAction() {
|
|
const id_token = await core.getIDToken("sts.amazonaws.com");
|
|
return id_token;
|
|
}
|
|
const idToken = await getIDTokenAction();
|
|
fs.writeFileSync(".github/integ_tests/integ_token.txt", idToken, (err) => {
|
|
if (err) throw err;
|
|
});
|
|
- name: get creds with that file
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
web-identity-token-file: .github/integ_tests/integ_token.txt
|
|
retry-max-attempts: 4
|
|
- name: check creds
|
|
run: aws sts get-caller-identity
|
|
|
|
profile-oidc:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: OIDC profile writing test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: make profile 1
|
|
uses: ./
|
|
with:
|
|
aws-region: us-east-1
|
|
role-to-assume: ${{ secrets.INTEG_PROFILE_ROLE_1 }}
|
|
aws-profile: TestProfile1
|
|
|
|
- name: make profile 2
|
|
uses: ./
|
|
with:
|
|
aws-region: us-east-2
|
|
role-to-assume: ${{ secrets.INTEG_PROFILE_ROLE_2 }}
|
|
aws-profile: TestProfile2
|
|
|
|
- name: check profile1
|
|
run: aws sts get-caller-identity --profile TestProfile1
|
|
|
|
- name: check profile2
|
|
run: aws sts get-caller-identity --profile TestProfile2
|
|
|
|
- name: Get Caller Identity
|
|
id: no-creds-sts-step
|
|
continue-on-error: true
|
|
run: |
|
|
aws sts get-caller-identity
|
|
|
|
- name: fail if we got caller id with env creds
|
|
if: steps.no-creds-sts-step.outcome == 'success'
|
|
run: exit 1
|