configure-aws-credentials
Job with multiple configure-aws-credentials steps and other steps with cleanup
Got into some edge cases around how this action works combined with other actions that use a cleanup step. With the following steps in a job, everything works peachy:
```yaml
steps:
  - uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  - uses: another-action-that-has-a-cleanup-step@v1
```
where `another-action-that-has-a-cleanup-step` is an action that:
- needs to use the AWS CLI with credentials from the first step
- has a cleanup step
- the cleanup step needs to use the same AWS credentials
Here's an example of such an action: https://github.com/pleo-oss/s3-cache-action
However, if we have some following steps that need a different set of credentials:
```yaml
- uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- uses: another-action-that-has-a-cleanup-step@v1
- uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_2 }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_2 }}
- run: make deploy
```
things don't work anymore. Since the cleanup for the second `configure-aws-credentials` step runs before the cleanup step of `another-action-that-has-a-cleanup-step`, it will wipe the credentials env variables. Even if this action didn't perform a cleanup step, the cleanup step of `configure-aws-credentials` would get the credentials from the second step, instead of the expected first.
The ideal scenario would be if the cleanup step of this action brought the environment back to the state it was in before the action ran. Only the last cleanup would remove all variables; the cleanup steps before would set the values from the previous uses of `configure-aws-credentials`.
Of course `another-action-that-has-a-cleanup-step` could handle its own AWS credentials setup, like many popular actions do. However, this means it would only support one way of authenticating with AWS, e.g. via key id and secret key - which is not even the way recommended by this action.
Any ideas for what to do?
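The cleanup ordering described in this issue, next to the restore-previous-state behaviour it proposes, as an added example (not part of the original post and not the action's own code). It assumes a simplified model in which all steps share one exported environment and post steps run in reverse order; `configureWipe`, `configureRestore`, `cacheAction` and `runJob` are hypothetical names and the credential values are constructed.

```javascript
// Simplified model of a job: main steps run top to bottom, post (cleanup)
// steps run in reverse order, all sharing one exported environment.
const VARS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"];

// Cleanup as described in the issue: unset the credential variables.
function configureWipe(creds) {
  return {
    main(env) { Object.assign(env, creds); },
    post(env) { for (const v of VARS) delete env[v]; },
  };
}

// Proposed cleanup: restore whatever was set before this step ran.
function configureRestore(creds) {
  let saved;
  return {
    main(env) {
      saved = Object.fromEntries(VARS.map((v) => [v, env[v]]));
      Object.assign(env, creds);
    },
    post(env) {
      for (const v of VARS) {
        if (saved[v] === undefined) delete env[v];
        else env[v] = saved[v];
      }
    },
  };
}

// Stand-in for another-action-that-has-a-cleanup-step: records the key id
// visible to its main and post phases.
function cacheAction(seen) {
  return {
    main(env) { seen.main = env.AWS_ACCESS_KEY_ID; },
    post(env) { seen.post = env.AWS_ACCESS_KEY_ID; },
  };
}

// KEY_1/KEY_2 and SECRET_1/SECRET_2 are constructed placeholder values.
function runJob(configure) {
  const env = {}, seen = {};
  const steps = [
    configure({ AWS_ACCESS_KEY_ID: "KEY_1", AWS_SECRET_ACCESS_KEY: "SECRET_1" }),
    cacheAction(seen),
    configure({ AWS_ACCESS_KEY_ID: "KEY_2", AWS_SECRET_ACCESS_KEY: "SECRET_2" }),
  ];
  for (const s of steps) s.main(env);
  for (const s of [...steps].reverse()) s.post(env);
  return { seen, leftover: Object.keys(env) };
}
```

`runJob(configureWipe)` leaves the middle action's cleanup with no key id, while `runJob(configureRestore)` hands it the first step's key id and still ends the job with no credential variables set.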