mirror of
https://github.com/aws-actions/configure-aws-credentials.git
synced 2026-03-12 18:07:10 -04:00
235 lines
8.4 KiB
YAML
235 lines
8.4 KiB
YAML
name: Run pre-release integ tests
|
|
on:
|
|
pull_request_target:
|
|
workflow_dispatch:
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
oidc:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: OIDC login test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: Configure AWS credentials
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
- name: Get Caller Identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
|
|
#can cut this test out if it's not necessary
|
|
static_assumeRole:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
name: Static IAM creds test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: assume creator Role
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
|
|
- name: create and mask access key
|
|
id: create-key
|
|
run: |
|
|
AK_OUTPUT=$(aws iam create-access-key --user-name integ-test-static-user-${{ runner.os }})
|
|
AK_ID=$(echo $AK_OUTPUT | jq -r '.AccessKey.AccessKeyId')
|
|
SECRET_AK=$(echo $AK_OUTPUT | jq -r '.AccessKey.SecretAccessKey')
|
|
echo "::add-mask::$AK_ID"
|
|
echo "::add-mask::$SECRET_AK"
|
|
echo "STATIC_ACCESS_KEY_ID=$AK_ID" >> $GITHUB_OUTPUT
|
|
echo "STATIC_SECRET_ACCESS_KEY=$SECRET_AK" >> $GITHUB_OUTPUT
|
|
- name: sleep so key can propagate
|
|
run: sleep 30
|
|
- name: assume role with static creds
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_TEST_TARGET_ROLE }}
|
|
aws-access-key-id: ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ steps.create-key.outputs.STATIC_SECRET_ACCESS_KEY }}
|
|
- name: check account
|
|
run: aws sts get-caller-identity
|
|
- name: log back into creator role
|
|
if: success() || failure()
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.STATIC_USER_CREATION_ROLE }}
|
|
- name: delete access key
|
|
if: success() || failure()
|
|
run: |
|
|
aws iam delete-access-key --user-name integ-test-static-user-${{ runner.os }} --access-key-id ${{ steps.create-key.outputs.STATIC_ACCESS_KEY_ID }}
|
|
|
|
role_chaining:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Existing Creds + Role Chaining test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: Configure AWS credentials
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.ROLE_chaining_1 }}
|
|
- name: Get Caller Identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
- name: assume second role
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.ROLE_chaining_2 }}
|
|
role-chaining: true
|
|
- name: get caller identity
|
|
run: |
|
|
aws sts get-caller-identity
|
|
|
|
inline_policy:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Inline Policy Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: get creds w scoped down policy
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.INLINE_policy_role }}
|
|
inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}]}'
|
|
|
|
#NOTE: This step should succeed. The role should have permission only to list all buckets.
|
|
- name: list buckets
|
|
run: aws s3 ls > /dev/null
|
|
|
|
#NOTE: This step should fail. we don't want the role to have permission to see the bucket contents.
|
|
- name: try to list bucket contents
|
|
id: bucketContentsStep
|
|
continue-on-error: true
|
|
run: aws s3 ls s3://cawsc-integ-tests-bucket > /dev/null
|
|
|
|
#But the test fails if we could list the bucket contents.
|
|
- name: fail if we can list bucket contents
|
|
if: steps.bucketContentsStep.outcome == 'success'
|
|
run: exit 1
|
|
|
|
http-proxy:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
runs-on: ubuntu-latest
|
|
name: HTTP Proxy Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: install tinyproxy
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get -y install tinyproxy
|
|
- name: start tinyproxy
|
|
run: tinyproxy -c .github/integ_tests/tinyproxy.conf
|
|
- name: Configure AWS credentials
|
|
continue-on-error: true
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
http-proxy: http://127.0.0.1:9999
|
|
retry-max-attempts: 4
|
|
- name: checkout logs
|
|
run: cat integ_proxy_log.txt
|
|
- name: check logs to see if successful call
|
|
run: grep -q "Request" integ_proxy_log.txt && echo "PROXY_CALL_LOGGED=1" >> $GITHUB_ENV || echo "PROXY_CALL_LOGGED=0" >> $GITHUB_ENV
|
|
- name: fail job if bad call
|
|
if: ${{ env.PROXY_CALL_LOGGED != 1 }}
|
|
run: exit 1
|
|
|
|
token-file:
|
|
if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.user.login == 'aws-sdk-osds' && github.repository == 'aws-actions/configure-aws-credentials') }}
|
|
permissions:
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [windows-latest, ubuntu-latest, macos-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
name: Token File Test
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
- name: fetch token and write to file
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
async function getIDTokenAction() {
|
|
const id_token = await core.getIDToken("sts.amazonaws.com");
|
|
return id_token;
|
|
}
|
|
const idToken = await getIDTokenAction();
|
|
fs.writeFileSync(".github/integ_tests/integ_token.txt", idToken, (err) => {
|
|
if (err) throw err;
|
|
});
|
|
- name: get creds with that file
|
|
uses: ./
|
|
with:
|
|
aws-region: us-west-2
|
|
role-to-assume: ${{ secrets.OIDC_integ_role }}
|
|
web-identity-token-file: .github/integ_tests/integ_token.txt
|
|
retry-max-attempts: 4
|
|
- name: check creds
|
|
run: aws sts get-caller-identity
|