Multiple AWS credentials per workflow
How can I specify two different aws credentials (accounts) for a build? I want to be able to deploy to separate aws accounts (staging / production).
I think you'd have to filter on the branches you want, then create two different deployment actions in order to tweak config
Yeah, I was going to go this route. I wasn't sure how multiple workflow files worked. I wish when you filter, you can choose to close the entire workflow execution or just cancel the branch, so I can start with a filter and continue with a branch.
I'm going through this, and creating a new workflow and using "AWS_ACCESS_KEY_ID" or "AWS_SECRET_ACCESS_KEY" secrets don't let me reset the value. Secrets are persisted for the entire action area... :(
ah damn, that's kind of lame, otherwise yeah you could have two concurrent filters for the two branches and do it that way, hmm... haha
@tj exactly. actions is pretty amazing, they still have a long way to go. Even if I could do "secrets per branch" type of thing, that'd be cool.
I finally got a successful SAM + "staging" branch deploy, so I'm going to test a production one today and hope to knock it out.
My current solution is storing the AWS credentials file as a secret "AWS_CREDENTIALS", running a plain bash action to create a .aws/credentials file within my repository, and setting the SAM to use it.
```hcl
# Recreate .aws/credentials in the workspace from the AWS_CREDENTIALS secret
action "create aws credentials" {
  uses = "actions/bin/sh@master"
  needs = "filter staging branch"
  secrets = ["AWS_CREDENTIALS"]
  args = ["rm -rf ${GITHUB_WORKSPACE}/.aws && mkdir ./.aws && echo \"$AWS_CREDENTIALS\" >> ${GITHUB_WORKSPACE}/.aws/credentials"]
}

# Point SAM at that file and pick the profile through NODE_ENV
action "staging sam package" {
  uses = "apex/actions/aws/sam@master"
  needs = "create aws credentials"
  args = "package --profile example-${NODE_ENV} --template-file template.yml --output-template-file template-packaged.yml --s3-bucket example-${NODE_ENV}"
  env = {
    NODE_ENV = "staging"
    AWS_SHARED_CREDENTIALS_FILE = "${GITHUB_WORKSPACE}/.aws/credentials"
  }
}
```
This way worked, just need to copy paste (😭) and change things to production. I was hoping I could create an action and dynamically set the NODE_ENV variable to have it all be non-copy/pasta, but it doesn't save env variables throughout.
@j did creating two action workflows work for you? I'm still confused on how to load a separate AWS profile for prod and staging.
@pavan-shipmnts it's been a while now, I forget haha, I think it worked but I don't use GH Actions since I work solo, there might be a better way to approach environments now that GH Actions is more mature
You can use the AWS CLI to create multiple profiles:
```yaml
- name: Set AWS Credentials
  run: |
    # Keys from the repository secrets go into the first profile
    aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile firstProfile
    aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile firstProfile
    aws configure set region ${{ secrets.AWS_DEFAULT_REGION }} --profile firstProfile
    # Assume a role with the first profile and capture the temporary credentials
    aws_assume=($(aws sts assume-role \
      --role-arn "arn:aws:iam::${accountId}:role/${roleName}" \
      --role-session-name "${roleSessionName}" \
      --profile firstProfile \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text))
    # Store the temporary credentials as the second profile
    aws configure set aws_access_key_id "${aws_assume[0]}" --profile secondProfile
    aws configure set aws_secret_access_key "${aws_assume[1]}" --profile secondProfile
    aws configure set aws_session_token "${aws_assume[2]}" --profile secondProfile
```
You can use the --profile ${name} flag in basically every aws command. After you set those credentials, just pass the flag with the name you want for each command.
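
An added example, not code from any poster in this thread: a POSIX shell helper for the staging/production split asked about above, which writes both profiles into one owner-only credentials file and picks the profile from the git ref, refusing refs it does not know. The `STAGING_*` and `PROD_*` variable names and the `master` production branch are assumptions; `AWS_SHARED_CREDENTIALS_FILE`, `AWS_PROFILE` and `GITHUB_ENV` are the standard AWS CLI and GitHub Actions names.

```shell
#!/bin/sh
# Added example. STAGING_*/PROD_* variable names and the branch-to-profile
# mapping are assumptions; set -u makes a missing secret abort the run.
set -eu

# Write one section per account to the credentials file given as $1.
# umask 077 keeps the directory and the file readable by the owner only.
write_profiles() {
  (
    umask 077
    mkdir -p "$(dirname "$1")"
    {
      printf '[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$STAGING_AWS_ACCESS_KEY_ID" "$STAGING_AWS_SECRET_ACCESS_KEY"
      printf '[production]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$PROD_AWS_ACCESS_KEY_ID" "$PROD_AWS_SECRET_ACCESS_KEY"
    } > "$1"
    chmod 600 "$1"   # also tightens a file that already existed
  )
}

# Map a git ref to a profile name. Unknown refs fail closed, so a feature
# branch can never fall through to the production account.
profile_for_ref() {
  case "$1" in
    refs/heads/staging) echo staging ;;
    refs/heads/master)  echo production ;;
    *) echo "no AWS profile for ref: $1" >&2; return 1 ;;
  esac
}

# Print the two settings the AWS CLI reads: ref in $1, credentials file in $2.
# In a workflow step, append the output to "$GITHUB_ENV" for later steps:
#   select_profile "$GITHUB_REF" "$HOME/.aws/credentials" >> "$GITHUB_ENV"
select_profile() {
  profile=$(profile_for_ref "$1") || return 1
  printf 'AWS_SHARED_CREDENTIALS_FILE=%s\nAWS_PROFILE=%s\n' "$2" "$profile"
}
```

Keeping the file under `$HOME` rather than `${GITHUB_WORKSPACE}` means it is not sitting in the checked-out repository where a later commit or artifact upload step could pick it up.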