configure-aws-credentials

feat: add `drop-current-credentials` and `role-output-credentials`

Open blz-ea opened this issue 2 years ago • 7 comments

Fixes #236, fixes #379

Description:

  • Add drop-current-credentials input which, when set to true, removes AWS credentials prior to assuming the role. Useful when you need to assume multiple roles based on the original role that was attached to EC2.

  • Add role-output-credentials input which, when set to true, outputs credentials instead of adding them to the environment. Credentials can be referenced in later steps. This solves a certain security problem and lets you assume multiple roles without adding them to the environment.

    - name: Configure AWS credentials
      id: aws
      uses: aws-actions/configure-aws-credentials
      with:
        role-to-assume: arn:aws:iam::1234567890:role/my-role
        aws-region: us-east-1
        role-output-credentials: true

    - name: Identity
      env:
        AWS_REGION: '${{ steps.aws.outputs.aws-region }}'
        AWS_DEFAULT_REGION: '${{ steps.aws.outputs.aws-default-region }}'
        AWS_ACCESS_KEY_ID: '${{ steps.aws.outputs.aws-access-key-id }}'
        AWS_SECRET_ACCESS_KEY: '${{ steps.aws.outputs.aws-secret-access-key }}'
        AWS_SESSION_TOKEN: '${{ steps.aws.outputs.aws-session-token }}'
      run: |
        aws sts get-caller-identity

  • Output the assumed role's aws-account-id instead of the source role's

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

blz-ea avatar Dec 04 '21 17:12 blz-ea

+1 for this. Exporting the env vars by default not only complicates work with multiple profiles, but in some cases forces the users to manually clear the variables (by writing empty values to $GITHUB_ENV), because many tools give the env vars precedence over the configuration files.

kdomanski avatar Feb 20 '22 15:02 kdomanski

Howdy! Any progress with that PR? This seems to be breaking composable actions that use that library.

pragmaticivan avatar Mar 17 '22 13:03 pragmaticivan

cc @paragbhingre

kdomanski avatar Mar 27 '22 22:03 kdomanski

cc @clareliguori

pragmaticivan avatar Mar 28 '22 13:03 pragmaticivan

@aksel What is the actual state of this PR? Will it be merged in the near future?

xoanmm avatar Jun 06 '22 20:06 xoanmm

If anyone runs into this:

  1. There is no way to unset an env var in the GitHub Actions runner: https://github.com/actions/runner/issues/1126
  2. Setting env vars to empty (echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV) doesn't work anymore either

This PR is important to make this action usable multiple times per job.

byF avatar Aug 11 '22 15:08 byF

@byF Can you paste the code that does not work for you? I am still setting the variables to empty and it works for me.

      #TODO: Replace shell drop credentials with GHA
      # Once issue https://github.com/aws-actions/configure-aws-credentials/pull/325 is merged - use default action configuration
      - name: reset aws credentials
        shell: bash
        run: |
            echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
            echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
            echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

      - uses: hmarr/debug-action@v2    

RafPe avatar Aug 16 '22 22:08 RafPe
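
An added example, not part of the thread or of the action's code: shell helpers for a `run:` step that scope credentials to a single command instead of editing `$GITHUB_ENV`, plus a guard that reports credentials left behind by an earlier step. The function names are hypothetical, and treating an empty value as "not set" is an assumption that mirrors the empty-value workaround above; not every tool is guaranteed to behave that way.

```shell
# Credential variables discussed in this thread.
AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"

# Print the names (never the values) of credential variables that are set
# and non-empty in the current process.
ambient_aws_creds() {
  found=""
  for name in $AWS_CRED_VARS; do
    eval "val=\${$name:-}"          # names come from the fixed list above
    if [ -n "$val" ]; then found="$found $name"; fi
  done
  echo "${found# }"
}

# Guard for the top of a step: fail if an earlier step left credentials in
# the environment. Only variable names are written to the log.
require_no_ambient_creds() {
  leaked=$(ambient_aws_creds)
  [ -z "$leaked" ] && return 0
  echo "ambient AWS credentials present: $leaked" >&2
  return 1
}

# Run one command with the credential variables removed. The function body
# is a subshell, so the calling shell and later commands are not modified.
without_aws_creds() (
  unset $AWS_CRED_VARS
  "$@"
)

# Run one command with an explicit credential set (key id, secret, token),
# for example values taken from step outputs. Also confined to a subshell.
with_aws_creds() (
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  shift 3
  "$@"
)
```

Inside a step this would be used as `with_aws_creds "$KEY" "$SECRET" "$TOKEN" aws sts get-caller-identity`, where the three variables are assumed to be mapped from step outputs through the step's `env:` block.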

Apologies for the delay once more, but I'll be closing this due to staleness. Thanks for the contribution

peterwoodworth avatar Feb 22 '23 02:02 peterwoodworth

Hi @peterwoodworth Is this merged?

yporwal1 avatar Jul 06 '23 14:07 yporwal1

@yporwal1 this had to get closed because the PR was abandoned, not that it's the submitter's fault or anything. This action was in no-man's-land for a while in terms of ownership, but the next version of this action should be coming in the near future, and it has this new feature implemented.

peterwoodworth avatar Jul 06 '23 20:07 peterwoodworth