forked from mcblair/configure-aws-profile-action
-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
167 lines (157 loc) · 7.96 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Configure Multiple AWS Roles
description: Drop-in replacement for aws-actions/configure-aws-credentials with additional features to configure multiple AWS roles.
branding:
icon: "cloud"
color: "orange"
inputs:
# Additional inputs vs aws-actions/configure-aws-credentials@v4
profile:
required: false
description: Name of profile to be created
default: "default"
only-profile:
description: Whether to unset credentials in the environment after writing to the profile. May be useful if you run this action multiple times in the same job
default: "false"
required: false
whoami:
description: Whether to run `aws sts get-caller-identity` after configuring the profile
default: "false"
required: false
# Copied from aws-actions/configure-aws-credentials@v4
aws-region:
description: AWS Region, e.g. us-east-2
required: true
role-to-assume:
description: The Amazon Resource Name (ARN) of the role to assume. Use the provided credentials to assume an IAM role and configure the Actions environment with the assumed role credentials rather than with the provided credentials.
required: false
aws-access-key-id:
description: AWS Access Key ID. Provide this key if you want to assume a role using access keys rather than a web identity token.
required: false
aws-secret-access-key:
description: AWS Secret Access Key. Required if aws-access-key-id is provided.
required: false
aws-session-token:
description: AWS Session Token.
required: false
web-identity-token-file:
description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node.
required: false
role-chaining:
description: Use existing credentials from the environment to assume a new role, rather than providing credentials as inputs.
required: false
audience:
description: The audience to use for the OIDC provider
required: false
default: sts.amazonaws.com
http-proxy:
description: Proxy to use for the AWS SDK agent
required: false
mask-aws-account-id:
description: Whether to mask the AWS account ID for these credentials as a secret value. By default the account ID will not be masked
required: false
role-duration-seconds:
description: Role duration in seconds. Default is one hour.
required: false
role-external-id:
description: The external ID of the role to assume.
required: false
role-session-name:
description: "Role session name (default: GitHubActions)"
required: false
role-skip-session-tagging:
description: Skip session tagging during role assumption
required: false
inline-session-policy:
description: Define an inline session policy to use when assuming a role
required: false
managed-session-policies:
description: Define a list of managed session policies to use when assuming a role
required: false
# output-credentials:
# description: Whether to set credentials as step output
# required: false
unset-current-credentials:
description: Whether to unset the existing credentials in your runner. May be useful if you run this action multiple times in the same job
required: false
default: "true" # Setting to true by default as recommended by the official action if called multiple times in the same job
disable-retry:
description: Whether to disable the retry and backoff mechanism when the assume role call fails. By default the retry mechanism is enabled
required: false
retry-max-attempts:
description: The maximum number of attempts it will attempt to retry the assume role call. By default it will retry 12 times
required: false
special-characters-workaround:
description: Some environments do not support special characters in AWS_SECRET_ACCESS_KEY. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. This option is disabled by default
required: false
outputs:
aws-account-id:
description: The AWS account ID for the provided credentials
value: ${{ steps.aws-credentials.outputs.aws-account-id }}
aws-access-key-id:
description: The AWS access key ID for the provided credentials
value: ${{ steps.aws-credentials.outputs.aws-access-key-id }}
aws-secret-access-key:
description: The AWS secret access key for the provided credentials
value: ${{ steps.aws-credentials.outputs.aws-secret-access-key }}
aws-session-token:
description: The AWS session token for the provided credentials
value: ${{ steps.aws-credentials.outputs.aws-session-token }}
# Adding this output just in case someone needs it, it's the same as the input anyways
profile:
description: The name of the profile that was configured
value: ${{ steps.save-to-profile.outputs.profile }}
runs:
using: composite
steps:
- name: Get AWS Credentials
id: aws-credentials
uses: aws-actions/configure-aws-credentials@v4
with:
output-credentials: true
aws-region: ${{ inputs.aws-region }}
role-to-assume: ${{ inputs.role-to-assume }}
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-session-token: ${{ inputs.aws-session-token }}
web-identity-token-file: ${{ inputs.web-identity-token-file }}
role-chaining: ${{ inputs.role-chaining }}
audience: ${{ inputs.audience }}
http-proxy: ${{ inputs.http-proxy }}
mask-aws-account-id: ${{ inputs.mask-aws-account-id }}
role-duration-seconds: ${{ inputs.role-duration-seconds }}
role-external-id: ${{ inputs.role-external-id }}
role-session-name: ${{ inputs.role-session-name }}
role-skip-session-tagging: ${{ inputs.role-skip-session-tagging }}
inline-session-policy: ${{ inputs.inline-session-policy }}
managed-session-policies: ${{ inputs.managed-session-policies }}
unset-current-credentials: ${{ inputs.unset-current-credentials }}
disable-retry: ${{ inputs.disable-retry }}
retry-max-attempts: ${{ inputs.retry-max-attempts }}
special-characters-workaround: ${{ inputs.special-characters-workaround }}
- name: Save to Profile
id: save-to-profile
shell: bash
run: |
echo "Configuring AWS Profile ${{ inputs.profile }}"
aws configure set --profile ${{ inputs.profile }} region ${{ inputs.aws-region }}
aws configure set --profile ${{ inputs.profile }} aws_access_key_id ${{ steps.aws-credentials.outputs.aws-access-key-id }}
aws configure set --profile ${{ inputs.profile }} aws_secret_access_key ${{ steps.aws-credentials.outputs.aws-secret-access-key }}
aws configure set --profile ${{ inputs.profile }} aws_session_token ${{ steps.aws-credentials.outputs.aws-session-token }}
echo "profile=${{ inputs.profile }}" >> $GITHUB_OUTPUT
printf "::notice::\x1b[32;1mAWS Profile ${{ inputs.profile }} configured successfully\x1b[0m\n"
# We cannot unset the variables due to https://github.com/actions/runner/issues/1126, but we can set them to fake values to prevent accidental use
- name: Set AWS Environment Variables to fake values
id: unset-env-vars
if: ${{ inputs.only-profile == 'true' }}
shell: bash
run: |
echo "Setting dummy AWS Environment Variables"
echo AWS_SECRET_ACCESS_KEY="this-value-has-been-set-to-invalid-to-prevent-wrong-creds-from-being-used" >> $GITHUB_ENV
echo AWS_ACCESS_KEY_ID="this-value-has-been-set-to-invalid-to-prevent-wrong-creds-from-being-used" >> $GITHUB_ENV
echo AWS_SESSION_TOKEN="this-value-has-been-set-to-invalid-to-prevent-wrong-creds-from-being-used" >> $GITHUB_ENV
- name: Check Who Am I
id: whoami
if: ${{ inputs.whoami == 'true' }}
shell: bash
run: |
aws sts --profile ${{ inputs.profile }} get-caller-identity