Merge branch 'maintux-nn-feat/add-transitive-tag-keys'

This commit is contained in:
kellertk
2026-01-27 16:00:53 -08:00
5 changed files with 32 additions and 2 deletions


@@ -141,6 +141,7 @@ See [action.yml](./action.yml) for more detail.
| role-external-id | The external ID of the role to assume. Only needed if your role requires it. | No |
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
| role-skip-session-tagging | Skips session tagging if set. | No |
| transitive-tag-keys | Define a list of transitive tag keys to pass when assuming a role. | No |
| inline-session-policy | You may further restrict the assumed role policy by defining an inline policy here. | No |
| managed-session-policies | You may further restrict the assumed role policy by specifying a managed policy here. | No |
| output-credentials | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false. | No |
@@ -217,7 +218,7 @@ run.*
The session will be tagged with the
following tags: (Refer to [GitHub's documentation for `GITHUB_` environment
variable definitions](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables))
variable definitions](https://docs.github.com/en/actions/reference/workflows-and-actions/variables#default-environment-variables))
| Key | Value |
| ---------- | ----------------- |
@@ -237,6 +238,20 @@ will be replaced with an '*'._
The action will use session tagging by default unless you are using OIDC.
To [forward session tags to subsequent sessions in a role chain](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining),
you can use the `transitive-tag-keys` input to specify the keys of the tags to be passed.
_Note that all subsequent roles in the chain must have `role-skip-session-tagging` set to `true`_
```yaml
uses: aws-actions/configure-aws-credentials@v5
with:
transitive-tag-keys: |
Repository
Workflow
Action
Actor
```
### Session policies
Session policies are not required, but they allow you to limit the scope of the
fetched credentials without making changes to IAM roles. You can specify inline


@@ -55,6 +55,9 @@ inputs:
role-skip-session-tagging:
description: Skip session tagging during role assumption
required: false
transitive-tag-keys:
description: Define a list of transitive tag keys to pass when assuming a role
required: false
inline-session-policy:
description: Define an inline session policy to use when assuming a role
required: false
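Review bot: The new `transitive-tag-keys` description does not tell the user that a key only takes effect when it matches one of the session tags the action itself sets, and that the input is ignored entirely when `role-skip-session-tagging` is set or when the role is assumed via OIDC (the README hunk in this commit shows the OIDC path dropping `TransitiveTagKeys`). Since this description is what the marketplace shows, I would extend it to `description: List of session tag keys (one per line) to mark as transitive when assuming a role; keys must match tags set by this action and are ignored when session tagging is skipped or OIDC is used`.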


@@ -9,6 +9,7 @@ import { errorMessage, isDefined, sanitizeGitHubVariables } from './helpers';
async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSClient, webIdentityToken: string) {
delete params.Tags;
delete params.TransitiveTagKeys;
core.info('Assuming role with OIDC');
try {
const creds = await client.send(
@@ -70,6 +71,7 @@ export interface assumeRoleParams {
roleDuration: number;
roleSessionName: string;
roleSkipSessionTagging?: boolean;
transitiveTagKeys?: string[];
sourceAccountId?: string;
roleExternalId?: string;
webIdentityTokenFile?: string;
@@ -87,6 +89,7 @@ export async function assumeRole(params: assumeRoleParams) {
roleDuration,
roleSessionName,
roleSkipSessionTagging,
transitiveTagKeys,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,
@@ -121,6 +124,11 @@ export async function assumeRole(params: assumeRoleParams) {
core.debug(`${tags.length} role session tags are being used.`);
}
//only populate transitiveTagKeys array if user is actually using session tagging
const transitiveTagKeysArray = roleSkipSessionTagging
? undefined
: transitiveTagKeys?.filter((key) => tags?.some((tag) => tag.Key === key));
// Calculate role ARN from name and account ID (currently only supports `aws` partition)
let roleArn = roleToAssume;
if (!roleArn.startsWith('arn:aws')) {
@@ -137,6 +145,7 @@ export async function assumeRole(params: assumeRoleParams) {
RoleSessionName: roleSessionName,
DurationSeconds: roleDuration,
Tags: tags ? tags : undefined,
TransitiveTagKeys: transitiveTagKeysArray ? transitiveTagKeysArray : undefined,
ExternalId: roleExternalId ? roleExternalId : undefined,
Policy: inlineSessionPolicy ? inlineSessionPolicy : undefined,
PolicyArns: managedSessionPolicies?.length ? managedSessionPolicies : undefined,
@@ -164,4 +173,4 @@ export async function assumeRole(params: assumeRoleParams) {
);
}
return assumeRoleWithCredentials(commonAssumeRoleParams, stsClient);
}
}
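Review bot: The filter on the `transitiveTagKeysArray` line drops any requested key that does not match a session tag without telling the user, so a misspelled key (or a key given while `roleSkipSessionTagging` is set) silently results in the chained role not receiving that tag as transitive, which is exactly the case a user relying on it for downstream access control would want to notice; a `core.warning` naming the dropped keys would surface it. Separately, on the `TransitiveTagKeys:` line an empty array is truthy in JavaScript, and `core.getMultilineInput` returns `[]` when the input is unset, so the request carries `TransitiveTagKeys: []` for every caller; `transitiveTagKeysArray?.length ? transitiveTagKeysArray : undefined` would match the `PolicyArns` line just below it. The enclosing `assumeRole` function starts outside these hunks, so I have assumed `tags` is the array built just above and that no earlier validation of the keys exists.
```typescript
  //only populate transitiveTagKeys array if user is actually using session tagging
  const transitiveTagKeysArray = roleSkipSessionTagging
    ? undefined
    : transitiveTagKeys?.filter((key) => tags?.some((tag) => tag.Key === key));
  // Surface keys that will not be propagated rather than dropping them silently
  const droppedTransitiveKeys = transitiveTagKeys?.filter((key) => !transitiveTagKeysArray?.includes(key)) ?? [];
  if (droppedTransitiveKeys.length > 0) {
    core.warning(
      `Ignoring transitive tag keys that do not match a session tag or because session tagging is skipped: ${droppedTransitiveKeys.join(', ')}`,
    );
  }
  // … unchanged: role ARN calculation and the rest of commonAssumeRoleParams …
      TransitiveTagKeys: transitiveTagKeysArray?.length ? transitiveTagKeysArray : undefined,
```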


@@ -20,6 +20,7 @@ export function translateEnvVariables() {
'ROLE_EXTERNAL_ID',
'ROLE_SESSION_NAME',
'ROLE_SKIP_SESSION_TAGGING',
'TRANSITIVE_TAG_KEYS',
'INLINE_SESSION_POLICY',
'MANAGED_SESSION_POLICIES',
'OUTPUT_CREDENTIALS',


@@ -38,6 +38,7 @@ export async function run() {
Number.parseInt(core.getInput('role-duration-seconds', { required: false })) || DEFAULT_ROLE_DURATION;
const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
const roleSkipSessionTagging = getBooleanInput('role-skip-session-tagging', { required: false });
const transitiveTagKeys = core.getMultilineInput('transitive-tag-keys', { required: false });
const proxyServer = core.getInput('http-proxy', { required: false }) || process.env.HTTP_PROXY;
const inlineSessionPolicy = core.getInput('inline-session-policy', { required: false });
const managedSessionPolicies = core.getMultilineInput('managed-session-policies', { required: false }).map((p) => {
@@ -189,6 +190,7 @@ export async function run() {
roleDuration,
roleSessionName,
roleSkipSessionTagging,
transitiveTagKeys,
webIdentityTokenFile,
webIdentityToken,
inlineSessionPolicy,