
Job with multiple configure-aws-credentials steps and other steps with cleanup

Open pekala opened this issue 1 year ago • 0 comments

Got into some edge cases around how this action works combined with other actions that use a cleanup step. With the following steps in a job, everything works peachy:

steps:
  - uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  - uses: another-action-that-has-a-cleanup-step@v1

where another-action-that-has-a-cleanup-step is an action that:

  • needs to use the AWS CLI with credentials from the first step
  • has a cleanup step
  • the cleanup step needs to use the same AWS credentials

Here's an example of such an action: https://github.com/pleo-oss/s3-cache-action

However, if we have some following steps that need a different set of credentials:

steps:
  - uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  - uses: another-action-that-has-a-cleanup-step@v1
  - uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_2 }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_2 }}
  - run: make deploy

things don't work anymore. Since the cleanup for the second configure-aws-credentials step runs before the cleanup step of another-action-that-has-a-cleanup-step, it will wipe the credentials env variables. Even if this action didn't perform a cleanup step, the cleanup step of configure-aws-credentials would get the credentials from the second step, instead of the expected first.

The ideal scenario would be if the cleanup step of this action brought the environment back to the state it was in before the action ran. Only the last cleanup would remove all variables; the cleanup steps before it would set the values from the previous uses of configure-aws-credentials.

Of course another-action-that-has-a-cleanup-step could handle its own AWS credentials setup, like many popular actions do. However, this means it would only support one way of authenticating with AWS, e.g. via key id and secret key - which is not even the way recommended by this action.

Any ideas for what to do?

pekala • Jul 22 '22 14:07
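
The ordering problem described in the issue, as an added model that is not part of the original post and not code from configure-aws-credentials. It assumes cleanup steps run in reverse order over one shared job environment; `configureWipe`, `configureRestore`, `cachingAction`, `runJob` and the key values are hypothetical names and constructed placeholders.

```javascript
// Added model of the job in the issue; not code from configure-aws-credentials.
// Assumption: post (cleanup) steps run in reverse order of the main steps,
// and all steps share one job-level environment.
const CRED_VARS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"];

// Cleanup as described in the issue: wipe the credential variables.
function configureWipe(creds) {
  return {
    main(env) { Object.assign(env, creds); },
    post(env) { for (const k of CRED_VARS) delete env[k]; },
  };
}

// Cleanup as proposed in the issue: restore what was there before main ran.
function configureRestore(creds) {
  let saved; // hypothetical per-step state, captured in main, used in post
  return {
    main(env) {
      saved = CRED_VARS.map((k) => [k, env[k]]);
      Object.assign(env, creds);
    },
    post(env) {
      for (const [k, v] of saved) {
        if (v === undefined) delete env[k]; else env[k] = v;
      }
    },
  };
}

// Stand-in for another-action-that-has-a-cleanup-step: records the key id it sees.
function cachingAction(seen) {
  return {
    main(env) { seen.main = env.AWS_ACCESS_KEY_ID; },
    post(env) { seen.post = env.AWS_ACCESS_KEY_ID; },
  };
}

function runJob(configure) {
  const env = {}, seen = {};
  const steps = [ // constructed placeholder credentials, not real keys
    configure({ AWS_ACCESS_KEY_ID: "KEY_ID_1", AWS_SECRET_ACCESS_KEY: "SECRET_1" }),
    cachingAction(seen),
    configure({ AWS_ACCESS_KEY_ID: "KEY_ID_2", AWS_SECRET_ACCESS_KEY: "SECRET_2" }),
  ];
  for (const s of steps) s.main(env);
  for (const s of [...steps].reverse()) s.post(env);
  return { seen, leftover: Object.keys(env) };
}
```

With `runJob(configureWipe)` the stand-in's cleanup sees no key id at all; with `runJob(configureRestore)` it sees the first key id again, the second key pair is gone before any earlier cleanup runs, and nothing is left in the environment after the last cleanup.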