diff --git a/action.yml b/action.yml
index a6c63ff..205a11e 100644
--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,9 @@ inputs:
 aws-region:
 description: 'AWS Region, e.g. us-east-2'
 required: true
+ mask-aws-account-id:
+ description: "Whether to set the AWS account ID for these credentials as a secret value, so that it is masked in logs. Valid values are 'true' and 'false'. Defaults to true"
+ required: false
 outputs:
 aws-account-id:
 description: 'The AWS account ID for the provided credentials'
diff --git a/index.js b/index.js
index 8a9b871..48e0165 100644
--- a/index.js
+++ b/index.js
@@ -8,6 +8,7 @@ async function run() {
 const secretAccessKey = core.getInput('aws-secret-access-key', { required: true });
 const region = core.getInput('aws-region', { required: true });
 const sessionToken = core.getInput('aws-session-token', { required: false });
+ const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
 // Configure the AWS CLI and AWS SDKs using environment variables
@@ -35,6 +36,9 @@ async function run() {
 const identity = await sts.getCallerIdentity().promise();
 const accountId = identity.Account;
 core.setOutput('aws-account-id', accountId);
+ if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
+ core.setSecret(accountId);
+ }
 }
 catch (error) {
 core.setFailed(error.message);
diff --git a/index.test.js b/index.test.js
index 1dac19e..1a12c65 100644
--- a/index.test.js
+++ b/index.test.js
@@ -23,7 +23,8 @@ describe('Configure AWS Credentials', () => {
 .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID') // aws-access-key-id
 .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
 .mockReturnValueOnce('us-east-2') // aws-default-region
- .mockReturnValueOnce('MY-AWS-SESSION-TOKEN'); // aws-session-token
+ .mockReturnValueOnce('MY-AWS-SESSION-TOKEN') // aws-session-token
+ .mockReturnValueOnce('TRUE'); // mask-aws-account-id
 mockStsCallerIdentity.mockImplementation(() => {
 return {
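Review bot: The description of `mask-aws-account-id` promises "Defaults to true", but the input declares no `default:` key, so the default lives only in the empty-value branch of the handler in index.js and the two can drift apart. Adding `default: 'true'` under `required: false` would put the documented default into the action metadata, where workflow authors and tooling can see it. The description could also say that any value other than 'true' currently disables masking, since "Valid values are 'true' and 'false'" does not tell a reader what a typo does.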
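Review bot: In the second index.js hunk, `core.setSecret(accountId)` runs only after `core.setOutput('aws-account-id', accountId)` has already written the value, and the condition treats every input other than a case-insensitive 'true' as an opt-out, so a typo such as 'ture' or a value like 'yes' silently leaves the account ID unmasked. Registering the mask before the first emission and failing closed would be safer: move the check above the `setOutput` call and write it as `if (!maskAccountId || maskAccountId.toLowerCase() !== 'false') { core.setSecret(accountId); }`, which also replaces the loose `==`. Whether the runner would actually print the output line before the mask takes effect is not visible here, so treat the reordering as defence in depth. The body of `run()` starts and ends outside this hunk.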
@@ -43,6 +44,7 @@ describe('Configure AWS Credentials', () => {
 expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-2');
 expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-2');
 expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+ expect(core.setSecret).toHaveBeenCalledWith('123456789012');
 });
 test('session token is optional', async () => {
@@ -59,6 +61,26 @@ describe('Configure AWS Credentials', () => {
 expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1');
 expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1');
 expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+ expect(core.setSecret).toHaveBeenCalledWith('123456789012');
+ });
+
+ test('can opt out of masking account ID', async () => {
+ core.getInput = jest
+ .fn()
+ .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID') // aws-access-key-id
+ .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
+ .mockReturnValueOnce('us-east-1') // aws-default-region
+ .mockReturnValueOnce('') // aws-session-token
+ .mockReturnValueOnce('false'); // mask-aws-account-id
+
+ await run();
+ expect(core.exportVariable).toHaveBeenCalledTimes(4);
+ expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', 'MY-AWS-ACCESS-KEY-ID');
+ expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', 'MY-AWS-SECRET-ACCESS-KEY');
+ expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-1');
+ expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-1');
+ expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+ expect(core.setSecret).toHaveBeenCalledTimes(0);
 });
 test('error is caught by core.setFailed', async () => {
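Review bot: The new 'can opt out of masking account ID' test covers only the exact string 'false', so nothing pins what happens for an unrecognised value such as 'yes' or for an unset input, which `core.getInput` reports as an empty string. Since this flag decides whether an identifier is hidden from logs, a case that fixes the behaviour for an invalid value (ideally that masking stays on) would document the intended fail-safe. The `mockReturnValueOnce` chain is also positional, so it depends on `run()` calling `getInput` in exactly this order; a `mockImplementation` keyed on the input name would survive reordering. `expect(core.setSecret).toHaveBeenCalledTimes(0)` assumes the mocks are reset between tests, which is not visible in this hunk.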