aws-actions/configure-aws-credentials
1
0
Fork 0
mirror of https://github.com/aws-actions/configure-aws-credentials.git synced 2026-03-15 09:20:58 -04:00
Code Issues Packages Projects Releases Wiki Activity

feat: infer role ARN if given role name (#35)

Browse Source
This commit is contained in:
Clare Liguori
2020-03-04 14:24:55 -08:00
committed by GitHub
parent 47312577c9
commit 96c6f7e07b
2 changed files with 38 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
index.js
View File

@@ -42,8 +42,16 @@ async function assumeRole(params) {
accessKeyId, secretAccessKey, sessionToken, region, endpoint, customUserAgent: USER_AGENT accessKeyId, secretAccessKey, sessionToken, region, endpoint, customUserAgent: USER_AGENT
}); });
let roleArn = roleToAssume;
if (!roleArn.startsWith('arn:aws')) {
const identity = await sts.getCallerIdentity().promise();
const accountId = identity.Account;
// Supports only 'aws' partition. Customers in other partitions ('aws-cn') will need to provide full ARN
roleArn = `arn:aws:iam::${accountId}:role/${roleArn}`;
}
const assumeRoleRequest = { const assumeRoleRequest = {
RoleArn: roleToAssume, RoleArn: roleArn,
RoleSessionName: roleSessionName, RoleSessionName: roleSessionName,
DurationSeconds: roleDurationSeconds, DurationSeconds: roleDurationSeconds,
Tags: [ Tags: [

35
index.test.js
View File

@@ -14,6 +14,7 @@ const FAKE_STS_SESSION_TOKEN = 'STS-AWS-SESSION-TOKEN';
const FAKE_REGION = 'fake-region-1'; const FAKE_REGION = 'fake-region-1';
const FAKE_ACCOUNT_ID = '123456789012'; const FAKE_ACCOUNT_ID = '123456789012';
const ROLE_NAME = 'MY-ROLE'; const ROLE_NAME = 'MY-ROLE';
const ROLE_ARN = 'arn:aws:iam::123456789012:role/MY-ROLE';
const ENVIRONMENT_VARIABLE_OVERRIDES = { const ENVIRONMENT_VARIABLE_OVERRIDES = {
SHOW_STACK_TRACE: 'true', SHOW_STACK_TRACE: 'true',
GITHUB_REPOSITORY: 'MY-REPOSITORY-NAME', GITHUB_REPOSITORY: 'MY-REPOSITORY-NAME',
@@ -40,7 +41,7 @@ const DEFAULT_INPUTS = {
'aws-region': FAKE_REGION, 'aws-region': FAKE_REGION,
'mask-aws-account-id': 'TRUE' 'mask-aws-account-id': 'TRUE'
}; };
const ASSUME_ROLE_INPUTS = {...REQUIRED_INPUTS, 'role-to-assume': ROLE_NAME, 'aws-region': FAKE_REGION}; const ASSUME_ROLE_INPUTS = {...REQUIRED_INPUTS, 'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION};
const mockStsCallerIdentity = jest.fn(); const mockStsCallerIdentity = jest.fn();
const mockStsAssumeRole = jest.fn(); const mockStsAssumeRole = jest.fn();
@@ -201,7 +202,7 @@ describe('Configure AWS Credentials', () => {
await run(); await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({ expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_NAME, RoleArn: ROLE_ARN,
RoleSessionName: 'GitHubActions', RoleSessionName: 'GitHubActions',
DurationSeconds: 6 * 3600, DurationSeconds: 6 * 3600,
Tags: [ Tags: [
@@ -223,7 +224,7 @@ describe('Configure AWS Credentials', () => {
await run(); await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({ expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_NAME, RoleArn: ROLE_ARN,
RoleSessionName: 'GitHubActions', RoleSessionName: 'GitHubActions',
DurationSeconds: 5, DurationSeconds: 5,
Tags: [ Tags: [
@@ -245,7 +246,7 @@ describe('Configure AWS Credentials', () => {
await run(); await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({ expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_NAME, RoleArn: ROLE_ARN,
RoleSessionName: 'MySessionName', RoleSessionName: 'MySessionName',
DurationSeconds: 6 * 3600, DurationSeconds: 6 * 3600,
Tags: [ Tags: [
@@ -260,6 +261,28 @@ describe('Configure AWS Credentials', () => {
}) })
}); });
test('role name provided instead of ARN', async () => {
core.getInput = jest
.fn()
.mockImplementation(mockGetInput({...REQUIRED_INPUTS, 'role-to-assume': ROLE_NAME, 'aws-region': FAKE_REGION}));
await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_ARN,
RoleSessionName: 'GitHubActions',
DurationSeconds: 6 * 3600,
Tags: [
{Key: 'GitHub', Value: 'Actions'},
{Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY},
{Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW},
{Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION},
{Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED},
{Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF},
{Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA},
]
})
});
test('role external ID provided', async () => { test('role external ID provided', async () => {
core.getInput = jest core.getInput = jest
.fn() .fn()
@@ -267,7 +290,7 @@ describe('Configure AWS Credentials', () => {
await run(); await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({ expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_NAME, RoleArn: ROLE_ARN,
RoleSessionName: 'GitHubActions', RoleSessionName: 'GitHubActions',
DurationSeconds: 6 * 3600, DurationSeconds: 6 * 3600,
Tags: [ Tags: [
@@ -294,7 +317,7 @@ describe('Configure AWS Credentials', () => {
await run(); await run();
expect(mockStsAssumeRole).toHaveBeenCalledWith({ expect(mockStsAssumeRole).toHaveBeenCalledWith({
RoleArn: ROLE_NAME, RoleArn: ROLE_ARN,
RoleSessionName: 'GitHubActions', RoleSessionName: 'GitHubActions',
DurationSeconds: 6 * 3600, DurationSeconds: 6 * 3600,
Tags: [ Tags: [