
Assuming two roles in the same composite action can't override the previous step's credentials

Open guitarrapc opened this issue 2 years ago • 6 comments

Summary

If I use configure-aws-credentials in a composite action multiple times, it can't override the previous credentials.

Is it a bug or expected behaviour?

Expected behaviour

There are 2 patterns that work as expected.

Pattern A

If I call aws-actions/configure-aws-credentials multiple times in a workflow, it works as expected.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # 1st
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-northeast-1
          role-to-assume: arn:aws:iam::123456789012:role/myrole_A
          role-session-name: GitHubActions-${{ github.run_id }}
      - name: get-caller-identity shows myrole_A as expected
        run: aws sts get-caller-identity
      # 2nd
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-northeast-1
          role-to-assume: arn:aws:iam::123456789012:role/myrole_B
          role-session-name: GitHubActions-${{ github.run_id }}
      - name: get-caller-identity shows myrole_B as expected
        run: aws sts get-caller-identity

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426675663",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426675663"
}

2nd get-caller-identity shows myrole_B.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426675663",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_B/GitHubActions-1426675663"
}

Pattern B

If I call aws-actions/configure-aws-credentials multiple times in a composite action, it works as expected.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/aws_oidc_auth_all
# ./.github/actions/aws_oidc_auth_all/action.yaml
name: aws oidc auth
description: |
  Get aws oidc auth.
runs:
  using: "composite"
  steps:
    # 1st
    - name: Configure AWS Credentials (Role A)
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: arn:aws:iam::123456789012:role/myrole_A
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_A as expected
      run: aws sts get-caller-identity
      shell: bash
    # 2nd
    - name: Configure AWS Credentials (Role B)
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: arn:aws:iam::123456789012:role/myrole_B
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_B as expected
      run: aws sts get-caller-identity
      shell: bash

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426687022",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687022"
}

2nd get-caller-identity shows myrole_B.

{
    "UserId": "AROASJXUOK5UHN4XWD3XF:GitHubActions-1426687022",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_B/GitHubActions-1426687022"
}

Actual behaviour

Pattern C. If I call a composite action that includes aws-actions/configure-aws-credentials, then call the same composite action again in the same job, the 2nd call of the composite action does not override the AWS credentials.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # 1st <- Shows myrole_A, expected.
      - name: Configure AWS Credentials (Role A)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_A
      # 2nd <- Shows myrole_A, unexpected!!
      - name: Configure AWS Credentials (Role B)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_B
# ./.github/actions/aws_oidc_auth_single/action.yaml
name: aws oidc auth
description: |
  Get aws oidc auth.
inputs:
  role-to-assume:
    description: "AWS IAM Role to assume 1"
    required: true
runs:
  using: "composite" # this is key point
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_A on both 1st and 2nd run. (2nd run must be myrole_B but incorrect result.)
      run: aws sts get-caller-identity
      shell: bash

1st get-caller-identity shows myrole_A.

{
    "UserId": "AROASJXUOK5UM7XZKRYTB:GitHubActions-1426687028",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687028"
}

However, 2nd get-caller-identity also shows myrole_A.

{
    "UserId": "AROASJXUOK5UHN4XWD3XF:GitHubActions-1426687028",
    "Account": "***",
    "Arn": "arn:aws:sts::***:assumed-role/myrole_A/GitHubActions-1426687028"
}

Reproduce step

  1. Create IAM Roles myrole_A and myrole_B that accept OIDC requests.
  2. Prepare the composite action ./.github/actions/aws_oidc_auth_single/action.yaml
  3. Prepare the workflow.
  4. Run the workflow and confirm that both the 1st and 2nd calls of the composite action show "myrole_A"

guitarrapc avatar Nov 05 '21 17:11 guitarrapc

unsetting these vars works...

      env:
        AWS_ACCESS_KEY_ID: ""
        AWS_SECRET_ACCESS_KEY: ""
        AWS_SESSION_TOKEN: ""
        AWS_DEFAULT_REGION: ""
        AWS_REGION: ""

ZacharyBenamram avatar Nov 09 '21 22:11 ZacharyBenamram

@ZacharyBenamram Interesting. I've tried resetting env on the Configure AWS Credentials action, but no luck.

name: aws oidc auth
description: |
  Get aws oidc auth.
inputs:
  role-to-assume:
    description: "AWS IAM Role to assume 1"
    required: true
runs:
  using: "composite" # this is key point
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
      env:
        AWS_ACCESS_KEY_ID: ""
        AWS_SECRET_ACCESS_KEY: ""
        AWS_SESSION_TOKEN: ""
        AWS_DEFAULT_REGION: ""
        AWS_REGION: ""
    - name: get-caller-identity is allowed to run on role.
      run: aws sts get-caller-identity
      shell: bash

2nd Configure AWS Credentials is not updated (same as 1st run's role).

guitarrapc avatar Nov 11 '21 01:11 guitarrapc

This seems to be caused by this underlying issue: https://github.com/actions/runner/issues/789

cfbao avatar Dec 10 '21 18:12 cfbao

Has anyone found a workaround/fix for that one?

pragmaticivan avatar Mar 25 '22 16:03 pragmaticivan

I would love for this issue to be fixed, or the underlying one. And I'm also curious about potential workarounds.

DonDebonair avatar Jun 02 '22 18:06 DonDebonair

This was probably suggested multiple times over multiple issues, but why not set creds as configure-aws-credentials outputs in addition to exporting them?

This would provide a workaround for https://github.com/actions/runner/issues/789 and seems to be a good practice anyway, as it does not pollute the whole job's env.

bart-lisiecki-form3 avatar Jun 24 '22 10:06 bart-lisiecki-form3

For anyone still looking for a workaround, you can find a temporary fix described here: https://github.com/aws-actions/configure-aws-credentials/issues/236#issuecomment-881033383

scub avatar Mar 09 '23 14:03 scub

I'm standing on the shoulders of giants with this, but here is something that I whipped up to meet my use case: https://github.com/marketplace/actions/configure-aws-profile

mcblair avatar Mar 19 '23 20:03 mcblair

Really seems like it should be a piece of cake to add an option that skips the call to exportCredentials for users that require multiple profiles be authenticated.

Force exporting the AWS_* keys makes this a royal PITA for anyone with more than 1 AWS account to work with in a single job.

shousper avatar Jul 26 '23 02:07 shousper

A different combination between enabling unset-current-credentials and role-chaining should work for any instances where this action is invoked multiple times. You can do this on v3, check out the README.

Please open up a new issue if you continue to have problems; it seems there are different problems being described in the comments of this issue.

peterwoodworth avatar Aug 24 '23 22:08 peterwoodworth
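As an added example (not code from the issue author, any commenter, or the configure-aws-credentials project), here is the Pattern C composite action from the issue rewritten against v3 using the unset-current-credentials input that the comment above points to, plus a guard step that fails the job when the active role is not the one that was requested. It assumes that unset-current-credentials clears the AWS_* variables left by an earlier call before the new role is assumed (as the README for v3 describes), that the workflow grants the id-token permission OIDC needs, that the aws CLI is on the runner, and that the two roles are the ones from the issue; the aws-region input and the verification step are hypothetical additions, not part of the action.

```yaml
# ./.github/actions/aws_oidc_auth_single/action.yaml (added example; hypothetical rewrite of the issue's action)
name: aws oidc auth
description: |
  Get aws oidc auth and fail if the active role is not the requested one.
inputs:
  role-to-assume:
    description: "AWS IAM Role ARN to assume"
    required: true
  aws-region:
    description: "AWS region (assumed default, matching the issue)"
    required: false
    default: ap-northeast-1
runs:
  using: "composite"
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v3
      with:
        aws-region: ${{ inputs.aws-region }}
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
        # v3 input: drop AWS_* variables exported by an earlier call before
        # assuming the new role, so the second call is not shadowed by the first.
        unset-current-credentials: true
    - name: Verify the active role matches the requested one
      shell: bash
      env:
        EXPECTED_ROLE_ARN: ${{ inputs.role-to-assume }}
      run: |
        set -euo pipefail
        # Role name is the last path segment of arn:aws:iam::<account>:role/<name>
        expected_name="${EXPECTED_ROLE_ARN##*/}"
        caller_arn="$(aws sts get-caller-identity --query Arn --output text)"
        # Session ARN has the form arn:aws:sts::<account>:assumed-role/<name>/<session>
        case "$caller_arn" in
          *":assumed-role/${expected_name}/"*)
            echo "active role is ${expected_name}" ;;
          *)
            echo "::error::expected role ${expected_name} but caller is ${caller_arn}" >&2
            exit 1 ;;
        esac

# workflow excerpt: the Pattern C job, with the permission OIDC requires
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials (Role A)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_A
      - name: Configure AWS Credentials (Role B)
        uses: ./.github/actions/aws_oidc_auth_single
        with:
          role-to-assume: arn:aws:iam::123456789012:role/myrole_B
```

The verification step is the part worth keeping regardless of which workaround is used: a job that silently runs its second half as myrole_A when it was meant to run as myrole_B is a least-privilege failure that get-caller-identity output alone will not stop, whereas a failed step does.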

** Note ** Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Aug 24 '23 22:08 github-actions[bot]