configure-aws-credentials
Support option to generate session token based on IAM User
New Issue description
I would like to use this action to generate a session token based on an IAM User. This can be done by using the GetSessionToken API call
Original Issue
Hi, I've been trying to get the AWS credentials initialized for a job and then run a terraform init on an S3 backend for the terraform state.
After running the configure-aws-credentials action there is no AWS_SESSION_TOKEN set.
I dumped the env vars to validate:
AWS_DEFAULT_REGION=ca-central-1 AWS_REGION=ca-central-1 AWS_SECRET_ACCESS_KEY=*** AWS_ACCESS_KEY_ID=***
So when I get to running terraform it tells me: Error: error configuring S3 Backend: IAM Role xxxxx cannot be assumed.
When I look at the code, the function exportCredentials is where this env variable is set, but it is only referenced in two locations:
- inside the assume role context, called with: exportCredentials(roleCredentials);
- early in the run function, to export the accessKeyId and secretAccessKey env variables.
If I am not assuming a role, sessionToken is never initialized it seems and never exported.
Am I missing something? Pretty new to actions so any help will be appreciated!
It's not working for me as well, it uses the local keys of the self hosted runner even if I give it custom ones :(
Can I get some clarification on how exactly you're trying to authenticate and what you're expecting the action to do? Please share your workflow file, thanks
Hi @peterwoodworth,
The authentication I was trying to do was fairly simple, it ended up having to be this:

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ca-central-1
    role-to-assume: xxxxxxxxxx
- name: terraform format
  id: fmt
  run: terraform fmt -check -diff
- name: terraform init
  id: init
  run: terraform init -backend-config prod.hcl
```
If I omitted the role-to-assume in the "with" section, it would not generate a valid authentication in the env variables that are required for using terraform afterwards in the workflow.
So in essence, if I am logging in with a simple username / password and not assuming any roles, then authentication would fail in the terraform init command.
In other words: the output from aws-actions/configure-aws-credentials@v1 for setting up the env is / was not complete when not assuming a role.
In this example, the state file is a file on an S3 bucket and a DynamoDB table is used for remote state locking.
Is this clearer?
Thanks for the explanation @semora81,
We don't currently support setting the session token when using keys as your authentication method and not supplying a role. To support that, we would need to implement an option to use the GetSessionToken API call. This API call is AFAIK the only way to generate a non-federation session token without specifying a role.
For now if you need to use a session token to authenticate with terraform, you will need to specify a role to assume.
Yeah, assuming a role is what my code has ended up doing since I had opened this!
I think I remember doing it manually with the Amazon CLI or curl, and yes, I had to call the GetSessionToken API to get a session token back, and then set it up in env, so I could call terraform.
When I started this I had no role setup in the target account and I was trying to test with a service account we had setup in IAM.
Thanks for the update!