configure-aws-credentials
feat: add `drop-current-credentials` and `role-output-credentials`
Fixes #236, fixes #379
Description:
- Add `drop-current-credentials` input which, when set to `true`, removes AWS credentials prior to assuming the role. Useful when you need to assume multiple roles, based on the original role that was attached to EC2
- Add `role-output-credentials` input which, when set to `true`, outputs credentials instead of adding them to the environment. Credentials can be referenced in later steps. This solves certain security problems, and allows assuming multiple roles without adding them to the environment
```yaml
- name: Configure AWS credentials
  id: aws
  uses: aws-actions/configure-aws-credentials
  with:
    role-to-assume: arn:aws:iam::1234567890:role/my-role
    aws-region: us-east-1
    role-output-credentials: true
- name: Identity
  env:
    AWS_REGION: '${{ steps.aws.outputs.aws-region }}'
    AWS_DEFAULT_REGION: '${{ steps.aws.outputs.aws-default-region }}'
    AWS_ACCESS_KEY_ID: '${{ steps.aws.outputs.aws-access-key-id }}'
    AWS_SECRET_ACCESS_KEY: '${{ steps.aws.outputs.aws-secret-access-key }}'
    AWS_SESSION_TOKEN: '${{ steps.aws.outputs.aws-session-token }}'
  run: |
    aws sts get-caller-identity
```
- Output assumed role's `aws-account-id` instead of source roles
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
+1 for this. Exporting the env vars by default not only complicates work with multiple profiles, but in some cases forces the users to manually clear the variables (by writing empty values to $GITHUB_ENV), because many tools give the env vars precedence over the configuration files.
Howdy! Any progress with that PR? This seems to be breaking composable actions that use that library.
cc @paragbhingre
cc @clareliguori
@aksel What is the actual state of this PR? Will it be merged in the near future?
If anyone runs into this:
- There is no way to unset an env var in the GitHub Actions runner: https://github.com/actions/runner/issues/1126
- Setting env vars to empty with `echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV` doesn't work anymore either
This PR is important to make this action usable multiple times per job.
@byF Can you paste the code that does not work for you? I am still setting the variables to empty and it works for me

```yaml
# TODO: Replace shell drop credentials with GHA
# Once issue https://github.com/aws-actions/configure-aws-credentials/pull/325 is merged - use default action configuration
- name: reset aws credentials
  shell: bash
  run: |
    echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
    echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
    echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
- uses: hmarr/debug-action@v2
```
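
The two comments above turn on whether a credential variable is empty or actually unset. As an added example (not code from this PR, the action, or either commenter), the following sketch reports that state without printing any value and runs a single command with the three variables removed from its environment only; the helper names `cred_state`, `audit_aws_env` and `without_aws_creds` are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the action.

# Credential variables the action exports into the job environment.
AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"

# Print "unset", "empty" or "set" for the variable named $1.
# The value itself is never printed, so the output is safe for job logs.
cred_state() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) echo invalid; return 2 ;;  # refuse non-identifiers
    esac
    if eval "[ -z \"\${$1+x}\" ]"; then
        echo unset
    elif eval "[ -z \"\${$1}\" ]"; then
        echo empty
    else
        echo set
    fi
}

# One NAME=state line per credential variable.
audit_aws_env() {
    for v in $AWS_CRED_VARS; do
        echo "$v=$(cred_state "$v")"
    done
}

# Run "$@" in a subshell where the credential variables are truly unset.
# The calling shell, and therefore the rest of the step, is unchanged.
without_aws_creds() {
    (
        for v in $AWS_CRED_VARS; do
            unset "$v"
        done
        "$@"
    )
}

# Show the current state when run directly inside a `run:` step.
audit_aws_env
```

Inside a `run:` step, `without_aws_creds aws sts get-caller-identity` makes the CLI fall back to the next credential source, such as an instance role, for that one call.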
Apologies for the delay once more, but I'll be closing this due to staleness. Thanks for the contribution
Hi @peterwoodworth Is this merged?
@yporwal1 this had to get closed because the PR was abandoned, not that it's the submitter's fault or anything. This action was in no-man's-land for a while in terms of ownership, but the next version of this action should be coming in the near future, and it has this new feature implemented