mirror of
https://github.com/aws-actions/configure-aws-credentials.git
synced 2026-03-12 18:07:10 -04:00
feat: Have an ability to configure session name (#29)
* 1. Add 'role-session-name' variable to action.yml 2. Configure roleSessionName with role-session-name from action or default value (GitHubActions) * Add description on README.md * update README.md * update dist/index.js * add test code * update context based on comments
This commit is contained in:
Chuan-Yen Chiang
@@ -53,7 +53,8 @@ We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/I
|
|||||||
## Assuming a role
|
## Assuming a role
|
||||||
If you would like to use the credentials you provide to this action to assume a role, you can do so by specifying the role ARN in `role-to-assume`.
|
If you would like to use the credentials you provide to this action to assume a role, you can do so by specifying the role ARN in `role-to-assume`.
|
||||||
The role credentials will then be output instead of the ones you have provided.
|
The role credentials will then be output instead of the ones you have provided.
|
||||||
The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`.
|
The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`.
|
||||||
|
The default session name is GitHubActions, and you can modify it by specifying the desired name in `role-session-name`.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
```yaml
|
```yaml
|
||||||
@@ -65,6 +66,7 @@ Example:
|
|||||||
aws-region: us-east-2
|
aws-region: us-east-2
|
||||||
role-to-assume: arn:aws:iam::123456789100:role/role-to-assume
|
role-to-assume: arn:aws:iam::123456789100:role/role-to-assume
|
||||||
role-duration-seconds: 1200
|
role-duration-seconds: 1200
|
||||||
|
role-session-name: MySessionName
|
||||||
```
|
```
|
||||||
|
|
||||||
### Session tagging
|
### Session tagging
|
||||||
|
|||||||
@@ -25,6 +25,9 @@ inputs:
|
|||||||
role-duration-seconds:
|
role-duration-seconds:
|
||||||
description: "Role duration in seconds (default: 6 hours)"
|
description: "Role duration in seconds (default: 6 hours)"
|
||||||
required: false
|
required: false
|
||||||
|
role-session-name:
|
||||||
|
description: 'Role session name (default: GitHubActions)'
|
||||||
|
required: false
|
||||||
outputs:
|
outputs:
|
||||||
aws-account-id:
|
aws-account-id:
|
||||||
description: 'The AWS account ID for the provided credentials'
|
description: 'The AWS account ID for the provided credentials'
|
||||||
|
|||||||
12
dist/index.js
vendored
12
dist/index.js
vendored
@@ -135,15 +135,16 @@ const util = __webpack_require__(1669);
|
|||||||
const MAX_ACTION_RUNTIME = 6 * 3600;
|
const MAX_ACTION_RUNTIME = 6 * 3600;
|
||||||
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
||||||
const MAX_TAG_VALUE_LENGTH = 256;
|
const MAX_TAG_VALUE_LENGTH = 256;
|
||||||
const SANITIZATION_CHARACTER = '_'
|
const SANITIZATION_CHARACTER = '_';
|
||||||
|
const ROLE_SESSION_NAME = 'GitHubActions';
|
||||||
|
|
||||||
async function assumeRole(params) {
|
async function assumeRole(params) {
|
||||||
// Assume a role to get short-lived credentials using longer-lived credentials.
|
// Assume a role to get short-lived credentials using longer-lived credentials.
|
||||||
const isDefined = i => !!i;
|
const isDefined = i => !!i;
|
||||||
|
|
||||||
const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||||
assert(
|
assert(
|
||||||
[roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined),
|
[roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||||
"Missing required input when assuming a Role."
|
"Missing required input when assuming a Role."
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -160,7 +161,7 @@ async function assumeRole(params) {
|
|||||||
});
|
});
|
||||||
return sts.assumeRole({
|
return sts.assumeRole({
|
||||||
RoleArn: roleToAssume,
|
RoleArn: roleToAssume,
|
||||||
RoleSessionName: 'GitHubActions',
|
RoleSessionName: roleSessionName,
|
||||||
DurationSeconds: roleDurationSeconds,
|
DurationSeconds: roleDurationSeconds,
|
||||||
Tags: [
|
Tags: [
|
||||||
{Key: 'GitHub', Value: 'Actions'},
|
{Key: 'GitHub', Value: 'Actions'},
|
||||||
@@ -248,11 +249,12 @@ async function run() {
|
|||||||
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
||||||
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
||||||
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
||||||
|
const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
|
||||||
|
|
||||||
// Get role credentials if configured to do so
|
// Get role credentials if configured to do so
|
||||||
if (roleToAssume) {
|
if (roleToAssume) {
|
||||||
const roleCredentials = await assumeRole(
|
const roleCredentials = await assumeRole(
|
||||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
|
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName}
|
||||||
);
|
);
|
||||||
exportCredentials(roleCredentials);
|
exportCredentials(roleCredentials);
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
12
index.js
12
index.js
@@ -8,15 +8,16 @@ const util = require('util');
|
|||||||
const MAX_ACTION_RUNTIME = 6 * 3600;
|
const MAX_ACTION_RUNTIME = 6 * 3600;
|
||||||
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
const USER_AGENT = 'configure-aws-credentials-for-github-actions';
|
||||||
const MAX_TAG_VALUE_LENGTH = 256;
|
const MAX_TAG_VALUE_LENGTH = 256;
|
||||||
const SANITIZATION_CHARACTER = '_'
|
const SANITIZATION_CHARACTER = '_';
|
||||||
|
const ROLE_SESSION_NAME = 'GitHubActions';
|
||||||
|
|
||||||
async function assumeRole(params) {
|
async function assumeRole(params) {
|
||||||
// Assume a role to get short-lived credentials using longer-lived credentials.
|
// Assume a role to get short-lived credentials using longer-lived credentials.
|
||||||
const isDefined = i => !!i;
|
const isDefined = i => !!i;
|
||||||
|
|
||||||
const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params;
|
||||||
assert(
|
assert(
|
||||||
[roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined),
|
[roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined),
|
||||||
"Missing required input when assuming a Role."
|
"Missing required input when assuming a Role."
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -33,7 +34,7 @@ async function assumeRole(params) {
|
|||||||
});
|
});
|
||||||
return sts.assumeRole({
|
return sts.assumeRole({
|
||||||
RoleArn: roleToAssume,
|
RoleArn: roleToAssume,
|
||||||
RoleSessionName: 'GitHubActions',
|
RoleSessionName: roleSessionName,
|
||||||
DurationSeconds: roleDurationSeconds,
|
DurationSeconds: roleDurationSeconds,
|
||||||
Tags: [
|
Tags: [
|
||||||
{Key: 'GitHub', Value: 'Actions'},
|
{Key: 'GitHub', Value: 'Actions'},
|
||||||
@@ -121,11 +122,12 @@ async function run() {
|
|||||||
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
|
||||||
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
const roleToAssume = core.getInput('role-to-assume', {required: false});
|
||||||
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
|
||||||
|
const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
|
||||||
|
|
||||||
// Get role credentials if configured to do so
|
// Get role credentials if configured to do so
|
||||||
if (roleToAssume) {
|
if (roleToAssume) {
|
||||||
const roleCredentials = await assumeRole(
|
const roleCredentials = await assumeRole(
|
||||||
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
|
{accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName}
|
||||||
);
|
);
|
||||||
exportCredentials(roleCredentials);
|
exportCredentials(roleCredentials);
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@@ -238,6 +238,28 @@ describe('Configure AWS Credentials', () => {
|
|||||||
})
|
})
|
||||||
});
|
});
|
||||||
|
|
||||||
|
test('role assumption session name provided', async () => {
|
||||||
|
core.getInput = jest
|
||||||
|
.fn()
|
||||||
|
.mockImplementation(mockGetInput({...ASSUME_ROLE_INPUTS, 'role-session-name': 'MySessionName'}));
|
||||||
|
|
||||||
|
await run();
|
||||||
|
expect(mockStsAssumeRole).toHaveBeenCalledWith({
|
||||||
|
RoleArn: ROLE_NAME,
|
||||||
|
RoleSessionName: 'MySessionName',
|
||||||
|
DurationSeconds: 6 * 3600,
|
||||||
|
Tags: [
|
||||||
|
{Key: 'GitHub', Value: 'Actions'},
|
||||||
|
{Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY},
|
||||||
|
{Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW},
|
||||||
|
{Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION},
|
||||||
|
{Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED},
|
||||||
|
{Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF},
|
||||||
|
{Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA},
|
||||||
|
]
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
test('workflow name sanitized in role assumption tags', async () => {
|
test('workflow name sanitized in role assumption tags', async () => {
|
||||||
core.getInput = jest
|
core.getInput = jest
|
||||||
.fn()
|
.fn()
|
||||||
|
|||||||
Reference in New Issue
Block a user