name: '"Configure AWS Credentials" Action for GitHub Actions'
description: Configures AWS credentials for use in subsequent steps in a GitHub Action workflow
runs:
  using: node20
  main: dist/index.js
  post: dist/cleanup/index.js
branding:
  color: orange
  icon: cloud
inputs:
  aws-region:
    description: AWS Region, e.g. us-east-2
    required: true
  role-to-assume:
    description: The Amazon Resource Name (ARN) of the role to assume. Use the provided credentials to assume an IAM role and configure the Actions environment with the assumed role credentials rather than with the provided credentials.
    required: false
  aws-access-key-id:
    description: AWS Access Key ID. Provide this key if you want to assume a role using access keys rather than a web identity token.
    required: false
  aws-secret-access-key:
    description: AWS Secret Access Key. Required if aws-access-key-id is provided.
    required: false
  aws-session-token:
    description: AWS Session Token.
    required: false
  web-identity-token-file:
    description: Use the web identity token file from the provided file system path in order to assume an IAM role using a web identity, e.g. from within an Amazon EKS worker node.
    required: false
  role-chaining:
    description: Use existing credentials from the environment to assume a new role, rather than providing credentials as input.
    required: false
  audience:
    description: The audience to use for the OIDC provider
    required: false
    default: sts.amazonaws.com
  http-proxy:
    description: Proxy to use for the AWS SDK agent
    required: false
  no-proxy:
    description: Hosts to skip for the proxy configuration
    required: false
  mask-aws-account-id:
    description: Whether to mask the AWS account ID for these credentials as a secret value. By default the account ID will not be masked
    required: false
  role-duration-seconds:
    description: Role duration in seconds. Default is one hour.
    required: false
  role-external-id:
    description: The external ID of the role to assume.
    required: false
  role-session-name:
    description: "Role session name (default: GitHubActions)"
    required: false
  role-skip-session-tagging:
    description: Skip session tagging during role assumption
    required: false
  transitive-tag-keys:
    description: Define a list of transitive tag keys to pass when assuming a role
    required: false
  inline-session-policy:
    description: Define an inline session policy to use when assuming a role
    required: false
  managed-session-policies:
    description: Define a list of managed session policies to use when assuming a role
    required: false
  output-credentials:
    description: Whether to set credentials as step output
    required: false
  output-env-credentials:
    description: Whether to export credentials as environment variables. If you set this to false, you probably want to use output-credentials.
    required: false
    default: true
  unset-current-credentials:
    description: Whether to unset the existing credentials in your runner. May be useful if you run this action multiple times in the same job
    required: false
  disable-retry:
    description: Whether to disable the retry and backoff mechanism when the assume role call fails. By default the retry mechanism is enabled
    required: false
  retry-max-attempts:
    description: The maximum number of attempts it will attempt to retry the assume role call. By default it will retry 12 times
    required: false
  special-characters-workaround:
    description: Some environments do not support special characters in AWS_SECRET_ACCESS_KEY. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. This option is disabled by default
    required: false
  use-existing-credentials:
    required: false
    description: When enabled, this option will check if there are already valid credentials in the environment. If there are, new credentials will not be fetched. If there are not, the action will run as normal.
  allowed-account-ids:
    required: false
    description: An option comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account.
  force-skip-oidc:
    required: false
    description: When enabled, this option will skip using GitHub OIDC provider even if the id-token permission is set. This is sometimes useful when using IAM instance credentials.
  action-timeout-s:
    required: false
    description: A global timeout in seconds for the action. When the timeout is reached, the action immediately exits. The default is to run without a timeout.

outputs:
  aws-account-id:
    description: The AWS account ID for the provided credentials
  aws-access-key-id:
    description: The AWS access key ID for the provided credentials
  aws-secret-access-key:
    description: The AWS secret access key for the provided credentials
  aws-session-token:
    description: The AWS session token for the provided credentials
  aws-expiration:
    description: The expiration time for the provided credentials