chore: add pre-release integ tests (#1457)

* add pre-release integ tests * chore: remove unnecessary sudo and reorganize test files
2026-03-12 18:07:10 -04:00 · 2025-08-29 16:34:59 -07:00
parent 1b2b73eb6a
commit ec8e002276
3 changed files with 211 additions and 0 deletions
--- a/.github/integ_tests/fetch-token.js
+++ b/.github/integ_tests/fetch-token.js
@@ -0,0 +1,12 @@
+import core from "@actions/core";
+import fs from "fs/promises";
+
+async function getIDTokenAction() {
+   const id_token = await core.getIDToken("sts.amazonaws.com");
+   return id_token;
+}
+let idToken = await getIDTokenAction();
+
+await fs.writeFile(".github/integ_tests/integ_token.txt", idToken, (err) => {
+  if (err) throw err;
+});
--- a/.github/integ_tests/tinyproxy.conf
+++ b/.github/integ_tests/tinyproxy.conf
@@ -0,0 +1,6 @@
+Port 9999
+Listen 127.0.0.1
+Timeout 600
+Allow 127.0.0.1
+LogFile "/home/runner/work/configure-aws-credentials/configure-aws-credentials/integ_proxy_log.txt"
+LogLevel Connect
--- a/.github/workflows/tests-integ-release.yml
+++ b/.github/workflows/tests-integ-release.yml
@@ -0,0 +1,193 @@
+name: Run pre-release integ tests
+on: 
+    pull_request_target:
+permissions:
+    contents: read
+
+jobs:
+  oidc:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    permissions: 
+        id-token: write
+    strategy: 
+        fail-fast: false
+        matrix:
+            os: [windows-latest, ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: OIDC login test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false
+      - name: Configure AWS credentials
+        uses: ./
+        with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.OIDC_integ_role }}
+      - name: Get Caller Identity
+        run: |
+            aws sts get-caller-identity
+
+  #can cut this test out if it's not necessary
+  static_assumeRole:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    strategy: 
+        fail-fast: false
+        matrix:
+            os: [windows-latest, ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: Static IAM creds test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false
+      - name: Configure AWS credentials
+        uses: ./
+        with:
+            aws-region: us-west-2
+            aws-access-key-id: ${{ secrets.STATIC_ak_id }}
+            aws-secret-access-key: ${{ secrets.STATIC_secret_ak }}
+            role-to-assume: ${{ secrets.STATIC_role }}
+      - name: Get Caller Identity
+        run: |
+          aws sts get-caller-identity
+
+  role_chaining:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    permissions: 
+        id-token: write
+    strategy: 
+        fail-fast: false
+        matrix:
+            os: [windows-latest, ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: Existing Creds + Role Chaining test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false    
+      - name: Configure AWS credentials
+        uses: ./
+        with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.ROLE_chaining_1 }}
+      - name: Get Caller Identity
+        run: |
+          aws sts get-caller-identity
+      - name: assume second role
+        uses: ./
+        with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.ROLE_chaining_2 }}
+            role-chaining: true
+      - name: get caller identity
+        run: |
+          aws sts get-caller-identity
+
+  inline_policy:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    permissions: 
+        id-token: write
+    strategy: 
+        fail-fast: false
+        matrix:
+            os: [windows-latest, ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: Inline Policy Test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false  
+      - name: get creds w scoped down policy
+        uses: ./
+        with: 
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.INLINE_policy_role }}
+            inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
+    
+      #NOTE: This step should succeed. The role should have permission only to list all buckets.
+      - name: list buckets
+        run: |
+          aws s3 ls
+
+      #NOTE: This step should fail. we don't want the role to have permission to see the bucket contents.    
+      - name: try to list bucket contents
+        id: bucketContentsStep
+        continue-on-error: true
+        run: |
+          aws s3 ls s3://cawsc-integ-tests-bucket
+
+      #But the test fails if we could list the bucket contents.
+      - name: fail if we can list bucket contents
+        if: steps.bucketContentsStep.outcome == 'success'
+        run: exit 1
+
+  http-proxy:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    permissions:
+        id-token: write
+    runs-on: ubuntu-latest
+    name: HTTP Proxy Test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false  
+      - name: install tinyproxy
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install tinyproxy
+      - name: start tinyproxy
+        run: tinyproxy -c .github/integ_tests/tinyproxy.conf
+      - name: Configure AWS credentials
+        continue-on-error: true
+        uses: ./
+        with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.OIDC_integ_role }}
+            http-proxy: http://127.0.0.1:9999
+            retry-max-attempts: 4
+      - name: checkout logs 
+        run: cat integ_proxy_log.txt
+      - name: check logs to see if successful call
+        run: grep -q "Request" integ_proxy_log.txt && echo "PROXY_CALL_LOGGED=1" >> $GITHUB_ENV || echo "PROXY_CALL_LOGGED=0" >> $GITHUB_ENV
+      - name: fail job if bad call 
+        if: ${{ env.PROXY_CALL_LOGGED != 1 }}
+        run: exit 1
+
+  token-file:
+    if: ${{ github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    permissions:
+        id-token: write
+    strategy: 
+      fail-fast: false
+      matrix:
+        os: [windows-latest, ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: Token File Test
+    steps:
+      - name: checkout
+        uses: actions/checkout@v5
+        with:
+            fetch-depth: 0
+            persist-credentials: false
+      - name: fetch token and write to file
+        run: node .github/integ_tests/fetch-token.js
+      - name: get creds with that file
+        uses: ./
+        with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.OIDC_integ_role }}
+            web-identity-token-file: .github/integ_tests/integ_token.txt
+            retry-max-attempts: 4
+      - name: check creds
+        run: aws sts get-caller-identity