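# Pre-release integration tests that exercise the action against real AWS
# accounts (OIDC, static IAM keys, role chaining, session policies, proxying,
# web-identity token files).
#
# The workflow runs on `pull_request_target`, which has access to repository
# secrets. Every job is therefore gated by an `if:` that only allows a manual
# dispatch, or a PR opened by the `aws-sdk-osds` account against the upstream
# `aws-actions/configure-aws-credentials` repository. The checkout steps pass no
# `ref`, so they check out the base branch and `uses: ./` runs the action source
# already in the repository, not the PR head.
name: Run pre-release integ tests

on:  # yamllint disable-line rule:truthy
  pull_request_target:
  workflow_dispatch:

# Workflow-level default; each job below overrides `permissions` (which resets
# every unlisted scope to `none`) and only adds `id-token: write` for OIDC.
permissions:
  contents: read

jobs:
  # Plain OIDC role assumption on every supported runner OS.
  oidc:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    name: OIDC login test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Configure AWS credentials
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.OIDC_integ_role }}
      - name: Get Caller Identity
        run: |
          aws sts get-caller-identity

  # can cut this test out if it's not necessary
  #
  # Creates a temporary access key for a per-OS IAM user, uses it to assume a
  # target role, then deletes the key again. The key material is masked in the
  # log as soon as it is created and only travels via step outputs.
  static_assumeRole:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        # bash on every OS so the jq/echo pipeline below works on Windows too
        shell: bash
    name: Static IAM creds test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: assume creator Role
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
      - name: create and mask access key
        id: create-key
        run: |
          AK_OUTPUT=$(aws iam create-access-key --user-name integ-test-static-user-${{ runner.os }})
          AK_ID=$(echo $AK_OUTPUT | jq -r '.AccessKey.AccessKeyId')
          SECRET_AK=$(echo $AK_OUTPUT | jq -r '.AccessKey.SecretAccessKey')
          echo "::add-mask::$AK_ID"
          echo "::add-mask::$SECRET_AK"
          echo "STATIC_ACCESS_KEY_ID=$AK_ID" >> $GITHUB_OUTPUT
          echo "STATIC_SECRET_ACCESS_KEY=$SECRET_AK" >> $GITHUB_OUTPUT
      # IAM access keys are not immediately usable after creation.
      - name: sleep so key can propagate
        run: sleep 30
      - name: assume role with static creds
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.STATIC_TEST_TARGET_ROLE }}
          aws-access-key-id: ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ steps.create-key.outputs.STATIC_SECRET_ACCESS_KEY }}
      - name: check account
        run: aws sts get-caller-identity
      # Cleanup runs whether or not the steps above failed (but not when the
      # job is cancelled), so the temporary key does not outlive the test.
      - name: log back into creator role
        if: success() || failure()
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
      - name: delete access key
        if: success() || failure()
        run: |
          aws iam delete-access-key --user-name integ-test-static-user-${{ runner.os }} --access-key-id ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}

  # Assume a first role via OIDC, then chain into a second role from it.
  role_chaining:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    name: Existing Creds + Role Chaining test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Configure AWS credentials
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.ROLE_chaining_1 }}
      - name: Get Caller Identity
        run: |
          aws sts get-caller-identity
      - name: assume second role
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.ROLE_chaining_2 }}
          role-chaining: true
      - name: get caller identity
        run: |
          aws sts get-caller-identity

  # Verifies that an inline session policy actually scopes the role down:
  # listing buckets must work, listing a bucket's contents must not.
  # Windows is left out of the matrix because the steps redirect to /dev/null.
  inline_policy:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    name: Inline Policy Test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: get creds w scoped down policy
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.INLINE_policy_role }}
          inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
      # NOTE: This step should succeed. The role should have permission only to list all buckets.
      - name: list buckets
        run: aws s3 ls > /dev/null
      # NOTE: This step should fail. we don't want the role to have permission to see the bucket contents.
      - name: try to list bucket contents
        id: bucketContentsStep
        continue-on-error: true
        run: aws s3 ls s3://cawsc-integ-tests-bucket > /dev/null
      # But the test fails if we could list the bucket contents.
      - name: fail if we can list bucket contents
        if: steps.bucketContentsStep.outcome == 'success'
        run: exit 1

  # Routes the STS call through a local tinyproxy and checks its log to prove
  # the `http-proxy` input was honoured. The credentials step is allowed to
  # fail; what matters is that a request reached the proxy.
  http-proxy:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    name: HTTP Proxy Test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: install tinyproxy
        run: |
          sudo apt-get update
          sudo apt-get -y install tinyproxy
      - name: start tinyproxy
        run: tinyproxy -c .github/integ_tests/tinyproxy.conf
      - name: Configure AWS credentials
        continue-on-error: true
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.OIDC_integ_role }}
          http-proxy: http://127.0.0.1:9999
          retry-max-attempts: 4
      - name: checkout logs
        run: cat integ_proxy_log.txt
      - name: check logs to see if successful call
        run: grep -q "Request" integ_proxy_log.txt && echo "PROXY_CALL_LOGGED=1" >> $GITHUB_ENV || echo "PROXY_CALL_LOGGED=0" >> $GITHUB_ENV
      # env values are strings; the expression coerces "1" to a number here.
      - name: fail job if bad call
        if: ${{ env.PROXY_CALL_LOGGED != 1 }}
        run: exit 1

  # Fetches an OIDC token for the `sts.amazonaws.com` audience, writes it to a
  # file in the workspace and exercises the `web-identity-token-file` input.
  token-file:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    name: Token File Test
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: fetch token and write to file
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            async function getIDTokenAction() {
              const id_token = await core.getIDToken("sts.amazonaws.com");
              return id_token;
            }
            const idToken = await getIDTokenAction();
            // writeFileSync is synchronous and throws on failure; it takes no
            // callback, so the previous callback argument was silently ignored.
            fs.writeFileSync(".github/integ_tests/integ_token.txt", idToken);
      - name: get creds with that file
        uses: ./
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.OIDC_integ_role }}
          web-identity-token-file: .github/integ_tests/integ_token.txt
          retry-max-attempts: 4
      - name: check creds
        run: aws sts get-caller-identity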