feat: Have an ability to configure session name (#29)
* 1. Add 'role-session-name' variable to action.yml 2. Configure roleSessionName with role-session-name from action or default value (GitHubActions) * Add description on README.md * update README.md * update dist/index.js * add test code * update context based on comments
@@ -53,7 +53,8 @@ We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/I
|
||||
## Assuming a role
|
||||
If you would like to use the credentials you provide to this action to assume a role, you can do so by specifying the role ARN in `role-to-assume`.
|
||||
The role credentials will then be output instead of the ones you have provided.
|
||||
The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`.
|
||||
The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`.
|
||||
The default session name is GitHubActions, and you can modify it by specifying the desired name in `role-session-name`.
|
||||
|
||||
Example:
|
||||
```yaml
|
||||
@@ -65,6 +66,7 @@ Example:
|
||||
aws-region: us-east-2
|
||||
role-to-assume: arn:aws:iam::123456789100:role/role-to-assume
|
||||
role-duration-seconds: 1200
|
||||
role-session-name: MySessionName
|
||||
```
|
||||
|
||||
### Session tagging
|
||||
|
||||
@@ -25,6 +25,9 @@ inputs:
|
||||
role-duration-seconds:
|
||||
description: "Role duration in seconds (default: 6 hours)"
|
||||
required: false
|
||||
role-session-name:
|
||||
description: 'Role session name (default: GitHubActions)'
|
||||
required: false
|
||||
outputs:
|
||||
aws-account-id:
|
||||
description: 'The AWS account ID for the provided credentials'
|
||||
|
||||
12
dist/index.js
vendored
12
dist/index.js
vendored
@@ -135,15 +135,16 @@ const util = __webpack_require__(1669);
|
||||
const MAX_ACTION_RUNTIME = 6 * 3600;
|
||||
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
||||
const MAX_TAG_VALUE_LENGTH = 256;
|
||||
const SANITIZATION_CHARACTER = '_'
|
||||
const SANITIZATION_CHARACTER = '_';
|
||||
const ROLE_SESSION_NAME = 'GitHubActions';
|
||||
|
||||
async function assumeRole(params) {
|
||||
// Assume a role to get short-lived credentials using longer-lived credentials.
|
||||
const isDefined = i => !!i;
|
||||
|
||||
const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||
const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||
assert(
|
||||
[roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||
[roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||
"Missing required input when assuming a Role."
|
||||
);
|
||||
|
||||
@@ -160,7 +161,7 @@ async function assumeRole(params) {
|
||||
});
|
||||
return sts.assumeRole({
|
||||
RoleArn: roleToAssume,
|
||||
RoleSessionName: 'GitHubActions',
|
||||
RoleSessionName: roleSessionName,
|
||||
DurationSeconds: roleDurationSeconds,
|
||||
Tags: [
|
||||
{Key: 'GitHub', Value: 'Actions'},
|
||||
@@ -248,11 +249,12 @@ async function run() {
|
||||
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
||||
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
||||
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
||||
const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
|
||||
|
||||
// Get role credentials if configured to do so
|
||||
if (roleToAssume) {
|
||||
const roleCredentials = await assumeRole(
|
||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
|
||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName}
|
||||
);
|
||||
exportCredentials(roleCredentials);
|
||||
} else {
|
||||
|
||||
12
index.js
12
index.js
@@ -8,15 +8,16 @@ const util = require('util');
|
||||
const MAX_ACTION_RUNTIME = 6 * 3600;
|
||||
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
||||
const MAX_TAG_VALUE_LENGTH = 256;
|
||||
const SANITIZATION_CHARACTER = '_'
|
||||
const SANITIZATION_CHARACTER = '_';
|
||||
const ROLE_SESSION_NAME = 'GitHubActions';
|
||||
|
||||
async function assumeRole(params) {
|
||||
// Assume a role to get short-lived credentials using longer-lived credentials.
|
||||
const isDefined = i => !!i;
|
||||
|
||||
const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||
const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||
assert(
|
||||
[roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||
[roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||
"Missing required input when assuming a Role."
|
||||
);
|
||||
|
||||
@@ -33,7 +34,7 @@ async function assumeRole(params) {
|
||||
});
|
||||
return sts.assumeRole({
|
||||
RoleArn: roleToAssume,
|
||||
RoleSessionName: 'GitHubActions',
|
||||
RoleSessionName: roleSessionName,
|
||||
DurationSeconds: roleDurationSeconds,
|
||||
Tags: [
|
||||
{Key: 'GitHub', Value: 'Actions'},
|
||||
@@ -121,11 +122,12 @@ async function run() {
|
||||
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
||||
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
||||
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
||||
const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
|
||||
|
||||
// Get role credentials if configured to do so
|
||||
if (roleToAssume) {
|
||||
const roleCredentials = await assumeRole(
|
||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
|
||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName}
|
||||
);
|
||||
exportCredentials(roleCredentials);
|
||||
} else {
|
||||
|
||||
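Review bot: `roleSessionName` goes straight from `core.getInput('role-session-name', ...)` in `run()` into `RoleSessionName` of `sts.assumeRole` with no validation, even though the value becomes part of the assumed-role ARN and is recorded in CloudTrail. STS accepts only 2-64 characters from `[\w+=,.@-]`, so an out-of-range name fails late with an STS error; a check in `run()` before the call, such as `if (!/^[\w+=,.@-]{2,64}$/.test(roleSessionName)) throw new Error('role-session-name must be 2-64 characters of [A-Za-z0-9_+=,.@-]');` (or reported however `run()` reports its other failures, which is not visible here), would reject it early with a clear message. Because any workflow can now choose the name, trust-policy conditions on `sts:RoleSessionName` or CloudTrail detections that key on the fixed `GitHubActions` value should be reviewed, and the README paragraph on `role-session-name` is the natural place to say so. The vendored `dist/index.js` carries the same code, and both `assumeRole` and `run` continue outside the hunks shown.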
@@ -238,6 +238,28 @@ describe('Configure AWS Credentials', () => {
|
||||
})
|
||||
});
|
||||
|
||||
test('role assumption session name provided', async () => {
|
||||
core.getInput = jest
|
||||
.fn()
|
||||
.mockImplementation(mockGetInput({...ASSUME_ROLE_INPUTS, 'role-session-name': 'MySessionName'}));
|
||||
|
||||
await run();
|
||||
expect(mockStsAssumeRole).toHaveBeenCalledWith({
|
||||
RoleArn: ROLE_NAME,
|
||||
RoleSessionName: 'MySessionName',
|
||||
DurationSeconds: 6 * 3600,
|
||||
Tags: [
|
||||
{Key: 'GitHub', Value: 'Actions'},
|
||||
{Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY},
|
||||
{Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW},
|
||||
{Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION},
|
||||
{Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED},
|
||||
{Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF},
|
||||
{Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA},
|
||||
]
|
||||
})
|
||||
});
|
||||
|
||||
test('workflow name sanitized in role assumption tags', async () => {
|
||||
core.getInput = jest
|
||||
.fn()
|
||||
|
||||