feat(sts): implment action for setting up IAM credentials in workflow…
… environment
1 parent
6ea5d6c
commit 6d69c04
Showing
8 changed files
with
166 additions
and
19 deletions.
@@ -1,23 +1,23 @@ | ||
name: "AWS S3 sync GitHub action" | ||
description: "Sync locally generated artifacts to an S3 bucket" | ||
name: 'AWS S3 sync GitHub action' | ||
description: 'Sync locally generated artifacts to an S3 bucket' | ||
branding: | ||
icon: "cloud" | ||
color: "orange" | ||
icon: 'cloud' | ||
color: 'orange' | ||
inputs: | ||
local-path: | ||
description: "Path to local directory to synchronize with S3" | ||
description: 'Path to local directory to synchronize with S3' | ||
required: true | ||
bucket-name: | ||
description: 'S3 bucket name (not ARN nor URI "s3://xxx", just the bucket name)' | ||
required: true | ||
path-prefix: | ||
description: "S3 prefix path where object(s) will be syncrhonized to" | ||
description: 'S3 prefix path where object(s) will be syncrhonized to' | ||
required: false | ||
default: "" | ||
default: '' | ||
args: | ||
description: 'Optional "awscli s3 sync" cli args - https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html#synopsis' | ||
required: false | ||
default: "" | ||
default: '' | ||
runs: | ||
using: "node12" | ||
main: "dist/index.js" | ||
using: 'node12' | ||
main: 'dist/index.js' |
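--- /dev/null
+++ b/PATH-NOT-SHOWN-sts-action-metadata
@@ -0,0 +1,43 @@
+name: 'AWS STS credential GitHub action'
+description: 'Configure AWS credentials for use with the AWS CLI and AWS SDKs'
+branding:
+icon: 'cloud'
+color: 'orange'
+inputs:
+aws-region:
+description: 'AWS Region to send the request to. If defined, this environment variable overrides the value for the profile setting region'
+required: true
+aws-access-key-id:
+description: 'AWS access key associated with an IAM user or role'
+required: true
+aws-secret-access-key:
+description: 'Specifies the secret key associated with the access key'
+required: true
+aws-session-token:
+description: 'Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations'
+required: false
+mask-aws-account-id:
+description: 'Determine if AWS account ID should be hidden from stdout as a secret value'
+required: false
+assume-role:
+description: 'Determine if role should be assumed to generate credentials'
+required: false
+role-arn:
+description: 'The Amazon Resource Name (ARN) of the role to assume'
+required: false
+role-session-name:
+description: 'An identifier for the assumed role session'
+required: false
+duration-seconds:
+description: 'The duration, in seconds, of the role session'
+required: false
+default: '900'
+external-id:
+description: 'A unique identifier that might be required when you assume a role in another account'
+required: false
+outputs:
+aws-account-id:
+description: 'The AWS account ID for the provided credentials'
+runs:
+using: 'node12'
+main: 'dist/index.js'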
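Review bot: `mask-aws-account-id` and `assume-role` carry no `default:` and their descriptions do not say which values are accepted, so a reader of this metadata cannot tell that leaving the mask input unset still masks the account ID (the TypeScript hunk later on this page treats an empty value the same as 'true') or that `assume-role` is only honoured when it equals the literal 'true'. Add `default: 'true'` under `mask-aws-account-id` and state the accepted values in both descriptions, e.g. `description: 'Determine if role should be assumed to generate credentials (true/false, default false)'`. `role-arn` and `role-session-name` are marked `required: false` here but the code requires them whenever `assume-role` is 'true'; their descriptions should say so, since that conditional requirement is otherwise invisible to users of the action.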
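--- /dev/null
+++ b/PATH-NOT-SHOWN-sts-typescript-entry
@@ -0,0 +1,85 @@
+import * as core from '@actions/core';
+import * as Sts from 'aws-sdk/clients/sts';
+
+interface AwsEnvValues {
+accessKeyId: string;
+secretAccessKey: string;
+region: string;
+sessionToken?: string;
+maskAccountId: string;
+}
+
+function exportEnvVariables(config: AwsEnvValues): void {
+// Export values as environment variables
+// https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+core.exportVariable('AWS_ACCESS_KEY_ID', config.accessKeyId);
+core.exportVariable('AWS_SECRET_ACCESS_KEY', config.secretAccessKey);
+if (config.sessionToken) {
+core.exportVariable('AWS_SESSION_TOKEN', config.sessionToken);
+}
+core.exportVariable('AWS_DEFAULT_REGION', config.region);
+core.exportVariable('AWS_REGION', config.region);
+}
+
+const run = async (): Promise<void> => {
+try {
+// Inputs:
+const region = core.getInput('aws-region', { required: true });
+const accessKeyId = core.getInput('aws-access-key-id', { required: true });
+const secretAccessKey = core.getInput('aws-secret-access-key', { required: true });
+const sessionToken = core.getInput('aws-session-token', { required: false });
+const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
+const envValues: AwsEnvValues = {
+region,
+accessKeyId,
+secretAccessKey,
+sessionToken,
+maskAccountId,
+};
+exportEnvVariables(envValues);
+
+// Assume role inputs:
+const assumeRole = core.getInput('assume-role', { required: false });
+const useAssumeRole = assumeRole && assumeRole.toLowerCase() == 'true';
+const roleArn = core.getInput('role-arn', { required: useAssumeRole });
+const roleSessionName = core.getInput('role-session-name', { required: useAssumeRole });
+const durationSeconds = core.getInput('duration-seconds', { required: false });
+const parsedDurationSeconds = Math.max(parseInt(durationSeconds), 900);
+const externalId = core.getInput('external-id', { required: false });
+
+const sts = new Sts({
+apiVersion: '2011-06-15',
+customUserAgent: 'aws-github-actions-sts',
+});
+
+const params = {
+RoleArn: roleArn,
+RoleSessionName: roleSessionName,
+DurationSecond: parsedDurationSeconds,
+ExternalId: externalId,
+};
+
+// If assuming role, assume then re-export creds to environment
+if (useAssumeRole) {
+const role = await sts.assumeRole(params).promise();
+envValues.accessKeyId = role.Credentials.AccessKeyId;
+envValues.secretAccessKey = role.Credentials.SecretAccessKey;
+envValues.sessionToken = role.Credentials.SessionToken;
+exportEnvVariables(envValues);
+}
+
+// Get AWS account ID
+const identity = await sts.getCallerIdentity().promise();
+const accountId = identity.Account;
+core.setOutput('aws-account-id', accountId);
+if (!envValues.maskAccountId || envValues.maskAccountId.toLowerCase() == 'true') {
+core.setSecret(accountId);
+}
+} catch (error) {
+core.setFailed(error.message);
+}
+};
+
+run();
+
+export default run;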
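Review bot: The assume-role request built in `params` uses the key `DurationSecond`, which is not an STS AssumeRole parameter (the API field is `DurationSeconds`), so the requested session length is never sent and aws-sdk v2's default parameter validation is likely to reject the call for an unexpected parameter; `parsedDurationSeconds` is also `NaN` whenever `duration-seconds` is non-numeric, because `Math.max(NaN, 900)` is `NaN`. The temporary credentials returned by `assumeRole` are new values the runner has never seen, so unlike the input secrets they are not masked in job logs until `core.setSecret` is called on them — register them before `exportEnvVariables(envValues)` re-exports them. `ExternalId: externalId` forwards an empty string when the input is unset, which the SDK's minimum-length validation may reject; omit the key instead. Both `exportEnvVariables` and `run` lie entirely within this hunk; while there, `== 'true'` on the two boolean inputs should be `=== 'true'`.
```typescript
const params = {
  RoleArn: roleArn,
  RoleSessionName: roleSessionName,
  // STS expects DurationSeconds; fall back to the 900 s floor when the input is not numeric
  DurationSeconds: Number.isNaN(parsedDurationSeconds) ? 900 : parsedDurationSeconds,
  // Send ExternalId only when one was supplied rather than an empty string
  ...(externalId ? { ExternalId: externalId } : {}),
};

// … unchanged: "If assuming role" comment …
if (useAssumeRole) {
  const role = await sts.assumeRole(params).promise();
  // Temporary credentials are fresh values: mask them before anything can log them
  core.setSecret(role.Credentials.AccessKeyId);
  core.setSecret(role.Credentials.SecretAccessKey);
  core.setSecret(role.Credentials.SessionToken);
  // … unchanged: envValues assignments and exportEnvVariables(envValues) …
}
```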
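--- /dev/null
+++ b/PATH-NOT-SHOWN-sts-package.json
@@ -0,0 +1,18 @@
+{
+"name": "sts",
+"version": "0.1.0",
+"description": "Configure AWS credentials for use with the AWS CLI and AWS SDKs",
+"main": "index.ts",
+"dependencies": {
+"aws-sdk": "^2.596.0"
+},
+"devDependencies": {
+"@types/node": "^13.1.2"
+},
+"scripts": {
+"compile": "node ../../node_modules/@zeit/ncc/dist/ncc/cli.js build -m",
+"test": "echo \"Error: no test specified\" && exit 1"
+},
+"author": "clowd.haus",
+"license": "Apache-2.0"
+}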