feat: Allow audience to be explicitly specified

The default audience for the GitHub OIDC token is sts.amazonaws.com, but there are
situations when it would be desirable to allow different audience names to be
used instead. Allow this to be specified as an argument to the action.
This commit is contained in:
Alex Blewitt
2021-10-09 09:13:53 +01:00
parent f350a92ff6
commit 2f8dfd0ed4
3 changed files with 9 additions and 1 deletions


@@ -98,6 +98,7 @@ The following table describes which identity is used based on which values are s
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
audience: sts.amazonaws.com
aws-region: us-east-2
role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
role-session-name: MySessionName
@@ -108,6 +109,7 @@ In this example, the Action will load the OIDC token from the GitHub-provided en
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
audience: sts.amazonaws.com
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2


@@ -4,6 +4,10 @@ branding:
icon: 'cloud'
color: 'orange'
inputs:
audience:
default: 'sts.amazonaws.com'
description: 'The audience to use for the OIDC provider'
required: false
aws-access-key-id:
description: >-
AWS Access Key ID. This input is required if running in the GitHub hosted environment.
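Review bot: The new `audience` input's description does not say what the value has to agree with, which is the one thing a user needs to get right: the value becomes the `aud` claim of the requested token and must match a client ID registered on the IAM OIDC identity provider, or AssumeRoleWithWebIdentity rejects the token. Suggest `description: 'The audience (aud claim) to request in the GitHub OIDC token; must match a client ID configured on the IAM OIDC identity provider. Defaults to sts.amazonaws.com.'`. Stating the default in the description also helps users who read the inputs table rather than the YAML.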


@@ -19,6 +19,7 @@ async function assumeRole(params) {
const isDefined = i => !!i;
const {
audience,
sourceAccountId,
roleToAssume,
roleExternalId,
@@ -263,6 +264,7 @@ async function run() {
try {
// Get inputs
const accessKeyId = core.getInput('aws-access-key-id', { required: false });
const audience = core.getInput('audience', { required: false });
const secretAccessKey = core.getInput('aws-secret-access-key', { required: false });
const region = core.getInput('aws-region', { required: true });
const sessionToken = core.getInput('aws-session-token', { required: false });
@@ -310,7 +312,7 @@ async function run() {
let sourceAccountId;
let webIdentityToken;
if(useGitHubOIDCProvider()) {
webIdentityToken = await core.getIDToken('sts.amazonaws.com');
webIdentityToken = await core.getIDToken(audience);
roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
// We don't validate the credentials here because we don't have them yet when using OIDC.
} else {
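Review bot: `core.getIDToken(audience)` on the replaced line passes the input through unchecked, so a workflow that sets `audience: ''` (the only way the value is empty, given the action.yml default) likely requests a token without an audience parameter and the mismatch only surfaces later as an opaque AssumeRoleWithWebIdentity failure rather than at the input. Fall back to the default in code as well, `const audience = core.getInput('audience', { required: false }) || 'sts.amazonaws.com';` where the input is read, or reject an empty value explicitly. The `audience` destructured from `params` in the first hunk (assumeRole) is not used anywhere visible in this diff; if run() does not pass it, that binding is dead and should be dropped. run()'s body continues outside the hunk.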