From ec8e00227617b81fb26fb92ba7fcfe28c5f1ee23 Mon Sep 17 00:00:00 2001
From: Michael Lehmann
Date: Fri, 29 Aug 2025 16:34:59 -0700
Subject: [PATCH] chore: add pre-release integ tests (#1457)
* add pre-release integ tests
* chore: remove unnecessary sudo and reorganize test files
---
.github/integ_tests/fetch-token.js | 12 ++
.github/integ_tests/tinyproxy.conf | 6 +
.github/workflows/tests-integ-release.yml | 193 ++++++++++++++++++++++
3 files changed, 211 insertions(+)
create mode 100644 .github/integ_tests/fetch-token.js
create mode 100644 .github/integ_tests/tinyproxy.conf
create mode 100644 .github/workflows/tests-integ-release.yml
diff --git a/.github/integ_tests/fetch-token.js b/.github/integ_tests/fetch-token.js
new file mode 100644
index 0000000..821ff53
--- /dev/null
+++ b/.github/integ_tests/fetch-token.js
@@ -0,0 +1,12 @@
+import core from "@actions/core";
+import fs from "fs/promises";
+
+async function getIDTokenAction() {
+ const id_token = await core.getIDToken("sts.amazonaws.com");
+ return id_token;
+}
+let idToken = await getIDTokenAction();
+
+await fs.writeFile(".github/integ_tests/integ_token.txt", idToken, (err) => {
+ if (err) throw err;
+});
diff --git a/.github/integ_tests/tinyproxy.conf b/.github/integ_tests/tinyproxy.conf
new file mode 100644
index 0000000..345834d
--- /dev/null
+++ b/.github/integ_tests/tinyproxy.conf
@@ -0,0 +1,6 @@
+Port 9999
+Listen 127.0.0.1
+Timeout 600
+Allow 127.0.0.1
+LogFile "/home/runner/work/configure-aws-credentials/configure-aws-credentials/integ_proxy_log.txt"
+LogLevel Connect
diff --git a/.github/workflows/tests-integ-release.yml b/.github/workflows/tests-integ-release.yml
new file mode 100644
index 0000000..1effe7b
--- /dev/null
+++ b/.github/workflows/tests-integ-release.yml
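Review bot: The arrow function passed as the third argument to `fs.writeFile` is dead code: the `fs/promises` flavour takes `(file, data, options)` and reports failure by rejecting the awaited promise, so the callback never runs and is silently treated as an (empty) options object. Since the file holds a live OIDC token, replace it with a restrictive mode instead: `await fs.writeFile(".github/integ_tests/integ_token.txt", idToken, { mode: 0o600 });`. I believe `core.getIDToken` registers the token as a masked secret, but the file itself stays in the workspace after the step; a final `rm`/`Remove-Item` step in the token-file job would bound its lifetime on non-ephemeral runners. `id_token` and `let idToken` would also read better as `const`.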
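Review bot: `LogFile` hard-codes `/home/runner/work/configure-aws-credentials/configure-aws-credentials/`, which is only correct for a GitHub-hosted Ubuntu runner in this exact repository; a repo rename, fork, or self-hosted runner would break the later `cat integ_proxy_log.txt` step without any hint here. Tinyproxy does not expand variables, so the robust form is to rewrite the path from the workflow before starting it, e.g. `sed -i "s#^LogFile.*#LogFile \"${GITHUB_WORKSPACE}/integ_proxy_log.txt\"#" .github/integ_tests/tinyproxy.conf`. `Listen`/`Allow 127.0.0.1` correctly keep the proxy off the network.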
@@ -0,0 +1,193 @@
+name: Run pre-release integ tests
+on:
+ pull_request_target:
+permissions:
+ contents: read
+
+jobs:
+ oidc:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-latest, ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ name: OIDC login test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Configure AWS credentials
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.OIDC_integ_role }}
+ - name: Get Caller Identity
+ run: |
+ aws sts get-caller-identity
+
+ #can cut this test out if it's not necessary
+ static_assumeRole:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-latest, ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ name: Static IAM creds test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Configure AWS credentials
+ uses: ./
+ with:
+ aws-region: us-west-2
+ aws-access-key-id: ${{ secrets.STATIC_ak_id }}
+ aws-secret-access-key: ${{ secrets.STATIC_secret_ak }}
+ role-to-assume: ${{ secrets.STATIC_role }}
+ - name: Get Caller Identity
+ run: |
+ aws sts get-caller-identity
+
+ role_chaining:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-latest, ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ name: Existing Creds + Role Chaining test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Configure AWS 
credentials
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.ROLE_chaining_1 }}
+ - name: Get Caller Identity
+ run: |
+ aws sts get-caller-identity
+ - name: assume second role
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.ROLE_chaining_2 }}
+ role-chaining: true
+ - name: get caller identity
+ run: |
+ aws sts get-caller-identity
+
+ inline_policy:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-latest, ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ name: Inline Policy Test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: get creds w scoped down policy
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.INLINE_policy_role }}
+ inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
+
+ #NOTE: This step should succeed. The role should have permission only to list all buckets.
+ - name: list buckets
+ run: |
+ aws s3 ls
+
+ #NOTE: This step should fail. we don't want the role to have permission to see the bucket contents.
+ - name: try to list bucket contents
+ id: bucketContentsStep
+ continue-on-error: true
+ run: |
+ aws s3 ls s3://cawsc-integ-tests-bucket
+
+ #But the test fails if we could list the bucket contents. 
+ - name: fail if we can list bucket contents
+ if: steps.bucketContentsStep.outcome == 'success'
+ run: exit 1
+
+ http-proxy:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ name: HTTP Proxy Test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: install tinyproxy
+ run: |
+ sudo apt-get update
+ sudo apt-get -y install tinyproxy
+ - name: start tinyproxy
+ run: tinyproxy -c .github/integ_tests/tinyproxy.conf
+ - name: Configure AWS credentials
+ continue-on-error: true
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.OIDC_integ_role }}
+ http-proxy: http://127.0.0.1:9999
+ retry-max-attempts: 4
+ - name: checkout logs
+ run: cat integ_proxy_log.txt
+ - name: check logs to see if successful call
+ run: grep -q "Request" integ_proxy_log.txt && echo "PROXY_CALL_LOGGED=1" >> $GITHUB_ENV || echo "PROXY_CALL_LOGGED=0" >> $GITHUB_ENV
+ - name: fail job if bad call
+ if: ${{ env.PROXY_CALL_LOGGED != 1 }}
+ run: exit 1
+
+ token-file:
+ if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-latest, ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ name: Token File Test
+ steps:
+ - name: checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: fetch token and write to file
+ run: node .github/integ_tests/fetch-token.js
+ - name: get creds with that file
+ uses: ./
+ with:
+ aws-region: us-west-2
+ role-to-assume: ${{ secrets.OIDC_integ_role }}
+ web-identity-token-file: .github/integ_tests/integ_token.txt
+ retry-max-attempts: 4
+ - name: check creds
+ run: aws sts get-caller-identity
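Review bot: Every job checks out with `actions/checkout@v5` and no `ref`, and on `pull_request_target` that resolves to the base branch, so `uses: ./` exercises the action as already merged rather than the PR being validated; if the intent is to test the release PR's build, the checkout needs `ref: ${{ github.event.pull_request.head.sha }}`, and at that point the `user.login == 'aws-sdk-osds'` gate is the only thing keeping fork code away from `secrets.*` and `id-token: write`, so each `if:` should additionally require `github.event.pull_request.head.repo.full_name == github.repository`. In the http-proxy job the assertion only greps the tinyproxy log for `Request` while the configure step carries `continue-on-error: true`, so a proxied request that STS rejected still passes; matching the STS host (e.g. `grep -q "CONNECT sts" integ_proxy_log.txt`) and dropping `continue-on-error` would make the check meaningful. The token-file job runs `node .github/integ_tests/fetch-token.js` with no dependency install, so `@actions/core` must already be resolvable from the checkout and the file must be treated as ESM (top-level `await`) — if neither is guaranteed, an `npm ci` step and a `.mjs` extension are missing. The six identical `if:` expressions would be easier to keep in sync as a single job-level guard job that the others `needs:`.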