fix: validation logic throwing unwanted errors (#818)

* fix: throws error even when valid credentials are present * fix: throws error when invalid credentials are present despite not wanting to use them
2026-03-12 18:07:10 -04:00 · 2023-09-05 14:19:05 -07:00
parent 6c962b9fd3
commit d78f55b1db
4 changed files with 42 additions and 16 deletions
--- a/.github/workflows/tests-integ.yml
+++ b/.github/workflows/tests-integ.yml
@@ -1,4 +1,4 @@
-name: Run tests
+name: Run Integ tests

 on:
  workflow_dispatch:
@@ -27,6 +27,33 @@ jobs:
          role-duration-seconds: 900
          role-session-name: IntegOidcAssumeRole
          role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
+  integ-oidc-env:
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+        node: [14, 16, 18]
+    name: Run OIDC integ tests with existing invalid env vars
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_ACCESS_KEY_ID: dummyaccesskeyid
+      AWS_SECRET_ACCESS_KEY: dummysecretkey
+      AWS_SESSION_TOKEN: dummytoken
+    timeout-minutes: 30
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v3
+      - name: Integ test for OIDC
+        uses: ./
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+          role-session-name: IntegOidcAssumeRole
+          role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
  integ-access-keys:
    strategy:
      fail-fast: false
--- a/dist/index.js
+++ b/dist/index.js
@@ -520,12 +520,12 @@ async function run() {
            // in any error messages.
            (0, helpers_1.exportCredentials)({ AccessKeyId, SecretAccessKey, SessionToken });
        }
-        else if (!webIdentityTokenFile &&
-            !roleChaining &&
-            !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
-            throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
+        else if (!webIdentityTokenFile && !roleChaining) {
+            // Proceed only if credentials can be picked up
+            await credentialsClient.validateCredentials();
+            sourceAccountId = await (0, helpers_1.exportAccountId)(credentialsClient, maskAccountId);
        }
-        if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+        if (AccessKeyId || roleChaining) {
            // Validate that the SDK can actually pick up credentials.
            // This validates cases where this action is using existing environment credentials,
            // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
--- a/src/index.ts
+++ b/src/index.ts
@@ -128,15 +128,13 @@ export async function run() {
      // the source credentials to already be masked as secrets
      // in any error messages.
      exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
-    } else if (
-      !webIdentityTokenFile &&
-      !roleChaining &&
-      !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
-    ) {
-      throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
+    } else if (!webIdentityTokenFile && !roleChaining) {
+      // Proceed only if credentials can be picked up
+      await credentialsClient.validateCredentials();
+      sourceAccountId = await exportAccountId(credentialsClient, maskAccountId);
    }

-    if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+    if (AccessKeyId || roleChaining) {
      // Validate that the SDK can actually pick up credentials.
      // This validates cases where this action is using existing environment credentials,
      // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -202,7 +202,7 @@ describe('Configure AWS Credentials', () => {
    await run();

    expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers'
    );
  });

@@ -217,7 +217,7 @@ describe('Configure AWS Credentials', () => {
    await run();

    expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: Access key ID empty after loading credentials'
    );
  });

@@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
  });

  test('GH OIDC check fails if token is not set', async () => {
+    (fromEnv as jest.Mock).mockReset();
    process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
    process.env['GITHUB_ACTIONS'] = 'true';
    jest.spyOn(core, 'getInput').mockImplementation(
@@ -524,7 +525,7 @@ describe('Configure AWS Credentials', () => {
        ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
    );
    expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: provider is not a function'
    );
  });