Add support for masking the AWS account ID from logs

action.yml

@@ -13,6 +13,9 @@ inputs:
   aws-region:
     description: 'AWS Region, e.g. us-east-2'
     required: true
+  mask-aws-account-id:
+    description: "Whether to set the AWS account ID for these credentials as a secret value, so that it is masked in logs. Valid values are 'true' and 'false'. Defaults to true"
+    required: false
 outputs:
   aws-account-id:
     description: 'The AWS account ID for the provided credentials'

index.js

@@ -8,6 +8,7 @@ async function run() {
     const secretAccessKey = core.getInput('aws-secret-access-key', { required: true });
     const region = core.getInput('aws-region', { required: true });
     const sessionToken = core.getInput('aws-session-token', { required: false });
+    const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
 
     // Configure the AWS CLI and AWS SDKs using environment variables
 
@@ -35,6 +36,9 @@ async function run() {
     const identity = await sts.getCallerIdentity().promise();
     const accountId = identity.Account;
     core.setOutput('aws-account-id', accountId);
+    if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
+      core.setSecret(accountId);
+    }
   }
   catch (error) {
     core.setFailed(error.message);

index.test.js

@@ -23,7 +23,8 @@ describe('Configure AWS Credentials', () => {
             .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID')     // aws-access-key-id
             .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
             .mockReturnValueOnce('us-east-2')                // aws-default-region
-            .mockReturnValueOnce('MY-AWS-SESSION-TOKEN');    // aws-session-token
+            .mockReturnValueOnce('MY-AWS-SESSION-TOKEN')     // aws-session-token
+            .mockReturnValueOnce('TRUE');                    // mask-aws-account-id
 
         mockStsCallerIdentity.mockImplementation(() => {
             return {
@@ -43,6 +44,7 @@ describe('Configure AWS Credentials', () => {
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-2');
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-2');
         expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+        expect(core.setSecret).toHaveBeenCalledWith('123456789012');
     });
 
     test('session token is optional', async () => {
@@ -59,6 +61,26 @@ describe('Configure AWS Credentials', () => {
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1');
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1');
         expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+        expect(core.setSecret).toHaveBeenCalledWith('123456789012');
+    });
+
+    test('can opt out of masking account ID', async () => {
+        core.getInput = jest
+            .fn()
+            .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID')     // aws-access-key-id
+            .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
+            .mockReturnValueOnce('us-east-1')                // aws-default-region
+            .mockReturnValueOnce('')                         // aws-session-token
+            .mockReturnValueOnce('false');                   // mask-aws-account-id
+
+        await run();
+        expect(core.exportVariable).toHaveBeenCalledTimes(4);
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', 'MY-AWS-ACCESS-KEY-ID');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', 'MY-AWS-SECRET-ACCESS-KEY');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-1');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-1');
+        expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
+        expect(core.setSecret).toHaveBeenCalledTimes(0);
     });
 
     test('error is caught by core.setFailed', async () => {