From 71400f7cbcdbcd9c3446476c3855bedbfabcc1ab Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 8 Jan 2021 15:40:32 +1030 Subject: [PATCH 01/22] Update entrypoint.sh Allows a user to assume role --- entrypoint.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 466e69c..dc4b40d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -27,6 +27,11 @@ if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT" fi +# Assume Role if user sets AWS_ASSUMED_ROLE. +if [ -n "$AWS_ASSUMED_ROLE" ]; then + aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" +fi + # Create a dedicated profile for this action to avoid conflicts # with past/future actions. # https://github.com/jakejarvis/s3-sync-action/issues/1 From fe96c523269486f082a3d57fded854b9eace03e4 Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 8 Jan 2021 15:56:02 +1030 Subject: [PATCH 02/22] Update entrypoint.sh --- entrypoint.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index dc4b40d..4285450 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -29,7 +29,11 @@ fi # Assume Role if user sets AWS_ASSUMED_ROLE. if [ -n "$AWS_ASSUMED_ROLE" ]; then + aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" + export AWS_ACCESS_KEY_ID=RoleAccessKeyID + export AWS_SECRET_ACCESS_KEY=RoleSecretKey + export AWS_SESSION_TOKEN=RoleSessionToken fi # Create a dedicated profile for this action to avoid conflicts From 91eeada1a6b8d7980ff7c95342a20146261242ce Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 8 Jan 2021 16:00:05 +1030 Subject: [PATCH 03/22] Update entrypoint.sh assume role after configure --- entrypoint.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 4285450..50dfd2f 100755 --- a/entrypoint.sh 
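Review bot: The `aws sts assume-role` output is neither captured nor used, so the temporary credentials are printed to the job log while every later command still runs under the original keys. The `--role-session-name "S3 Update CI"` value also contains spaces, which STS rejects for RoleSessionName (only characters from `[\w+=,.@-]` are accepted). Capture the response instead, `CREDS=$(aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name s3-sync-action --output json)`, and extract the three credential fields from it rather than echoing them.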
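Review bot: The three `export` lines assign the literal strings `RoleAccessKeyID`, `RoleSecretKey` and `RoleSessionToken` rather than values taken from the assume-role response, so every AWS call after this block fails authentication. The `aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE']..."` line compares a value the README describes as an ARN against RoleName, interpolates it unquoted into a JMESPath expression, and needs `iam:ListRoles`, a permission a deploy principal would not normally hold; it adds nothing the assume-role call does not already verify. Drop the list-roles line and populate the variables from the captured JSON instead of the placeholders.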
+++ b/entrypoint.sh @@ -27,15 +27,6 @@ if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT" fi -# Assume Role if user sets AWS_ASSUMED_ROLE. -if [ -n "$AWS_ASSUMED_ROLE" ]; then - aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" - aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" - export AWS_ACCESS_KEY_ID=RoleAccessKeyID - export AWS_SECRET_ACCESS_KEY=RoleSecretKey - export AWS_SESSION_TOKEN=RoleSessionToken -fi - # Create a dedicated profile for this action to avoid conflicts # with past/future actions. # https://github.com/jakejarvis/s3-sync-action/issues/1 @@ -46,6 +37,15 @@ ${AWS_REGION} text EOF +# Assume Role if user sets AWS_ASSUMED_ROLE. +if [ -n "$AWS_ASSUMED_ROLE" ]; then + aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" + aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" + export AWS_ACCESS_KEY_ID=RoleAccessKeyID + export AWS_SECRET_ACCESS_KEY=RoleSecretKey + export AWS_SESSION_TOKEN=RoleSessionToken +fi + # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ From bc2658600dc9b650edb3ba4cff5a8120144601ae Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 8 Jan 2021 16:04:55 +1030 Subject: [PATCH 04/22] Update entrypoint.sh --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 50dfd2f..608b0c0 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -39,6 +39,7 @@ EOF # Assume Role if user sets AWS_ASSUMED_ROLE. if [ -n "$AWS_ASSUMED_ROLE" ]; then + aws sts get-caller-identity aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" export AWS_ACCESS_KEY_ID=RoleAccessKeyID 
From 2338fc5d4801719856d31bdef6cde5a0d0256d6e Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 8 Jan 2021 16:15:06 +1030 Subject: [PATCH 05/22] Update entrypoint.sh --- entrypoint.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 608b0c0..70dc015 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -39,12 +39,13 @@ EOF # Assume Role if user sets AWS_ASSUMED_ROLE. if [ -n "$AWS_ASSUMED_ROLE" ]; then - aws sts get-caller-identity - aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" - aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" - export AWS_ACCESS_KEY_ID=RoleAccessKeyID - export AWS_SECRET_ACCESS_KEY=RoleSecretKey - export AWS_SESSION_TOKEN=RoleSessionToken + role_arn="$AWS_ASSUMED_ROLE" +# aws sts get-caller-identity +# aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" +# aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" +# export AWS_ACCESS_KEY_ID=RoleAccessKeyID +# export AWS_SECRET_ACCESS_KEY=RoleSecretKey +# export AWS_SESSION_TOKEN=RoleSessionToken fi # Sync using our dedicated profile and suppress verbose messages. From 92b988d7cece472dd7ba1ec65408b03ee6fe6a08 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 08:54:03 +1030 Subject: [PATCH 06/22] Update README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ecd0d31..be98bd6 100644 --- a/README.md +++ b/README.md 
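Review bot: `role_arn="$AWS_ASSUMED_ROLE"` is assigned and never read, and the rest of the block is commented out, so setting AWS_ASSUMED_ROLE now silently does nothing while the README row added in patch 06 advertises it as a supported option. Either fail loudly until the feature works, `echo "AWS_ASSUMED_ROLE is not supported yet. Quitting." >&2; exit 1`, or remove the block and the README row together. Commented-out code should be deleted rather than kept; the history is in git.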
@@ -38,8 +38,9 @@ jobs: AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_REGION: 'us-west-1' # optional: defaults to us-east-1 - SOURCE_DIR: 'public' # optional: defaults to entire repository + AWS_REGION: 'us-west-1' # optional: defaults to us-east-1 + AWS_ASSUMED_ROLE: ${{ secrets.AWS_ASSUMED_ROLE }} # optional: defaults to not assumed role + SOURCE_DIR: 'public' # optional: defaults to entire repository ``` 
@@ -53,6 +54,7 @@ The following settings must be passed as environment variables as shown in the e | `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | | `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | | `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | +| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `env` | No | null | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | From 3e2a28aba3f8823ade61e716dec72c0eab9a0ad8 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 08:54:28 +1030 Subject: [PATCH 07/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be98bd6..aa9d19b 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ The following settings must be passed as environment variables as shown in the e | `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | | `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | | `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | -| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `env` | No | null | +| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `env` | No | N/A | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | From 9df70fbbfc36e50b876e0f644bda4fd871096723 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 08:54:58 +1030 Subject: [PATCH 08/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aa9d19b..ca6eba6 100644 
--- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ The following settings must be passed as environment variables as shown in the e | `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | | `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | | `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | -| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `env` | No | N/A | +| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `secret env` | No | N/A | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | From 875d9a3eff462980ced46a6c23ecdf2f8f8cfc9b Mon Sep 17 00:00:00 2001 
From: Justin Date: Tue, 12 Jan 2021 10:04:41 +1030 Subject: [PATCH 09/22] Update entrypoint.sh try to assume a role --- entrypoint.sh | 47 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 70dc015..06f88e0 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,23 @@ #!/bin/sh +SaveCredentials() { + [[ -d ~/.assumerole.d/cache ]] || mkdir -p ~/.assumerole.d/cache + + echo "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" > ~/.assumerole.d/cache/${aws_account} + echo "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" >> ~/.assumerole.d/cache/${aws_account} + echo "export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> ~/.assumerole.d/cache/${aws_account} + echo "export ROLE=${ROLE}" >> ~/.assumerole.d/cache/${aws_account} + echo "export ACCOUNT=${ACCOUNT}" >> ~/.assumerole.d/cache/${aws_account} + echo "export AWS_ACCOUNT_ID=${ACCOUNT}" >> ~/.assumerole.d/cache/${aws_account} + echo "export aws_account=${aws_account}" >> ~/.assumerole.d/cache/${aws_account} + echo "export AWS_ACCOUNT=${aws_account}" >> ~/.assumerole.d/cache/${aws_account} + echo "export AWS_EXPIRATION=${AWS_EXPIRATION}" >> ~/.assumerole.d/cache/${aws_account} + echo "export SSHKEY=${SSHKEY}" >> ~/.assumerole.d/cache/${aws_account} + echo ${ASSUMEROLE_ENV} >> ~/.assumerole.d/cache/${aws_account} + + chmod 0600 ~/.assumerole.d/cache/${aws_account} +} + set -e if [ -z "$AWS_S3_BUCKET" ]; then 
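Review bot: `SaveCredentials` writes the secret key, session token and `SSHKEY` in plaintext to `~/.assumerole.d/cache/${aws_account}`, but no hunk in this series assigns `aws_account`, so the path resolves to the cache directory itself and every redirection fails. Persisting credentials to the home directory is also unnecessary for a one-shot container entrypoint and leaves secrets behind on any runner whose filesystem outlives the job. The function uses `[[ ]]` under `#!/bin/sh`, which a POSIX `sh` such as dash does not provide, and `echo ${ASSUMEROLE_ENV}` is unquoted. If a cache file is genuinely needed, create it under `umask 077` before writing rather than chmod'ing it afterwards, and quote every expansion; otherwise remove the function.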
@@ -40,12 +58,29 @@ EOF # Assume Role if user sets AWS_ASSUMED_ROLE. if [ -n "$AWS_ASSUMED_ROLE" ]; then role_arn="$AWS_ASSUMED_ROLE" -# aws sts get-caller-identity -# aws iam list-roles --query "Roles[?RoleName == '$AWS_ASSUMED_ROLE'].[RoleName, Arn]" -# aws sts assume-role --role-arn "$AWS_ASSUMED_ROLE" --role-session-name "S3 Update CI" -# export AWS_ACCESS_KEY_ID=RoleAccessKeyID -# export AWS_SECRET_ACCESS_KEY=RoleSecretKey -# export AWS_SESSION_TOKEN=RoleSessionToken + + export AWS_PROFILE=${PROFILE} + + JSON=$(aws sts assume-role \ + --role-arn "$AWS_ASSUMED_ROLE" \ + --role-session-name "S3 Update CI" \ + --duration-seconds 600 + 2>/dev/null) || { echo "Error assuming role"; exit 1; } + + AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") + AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") + AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") + AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") + + unset AWS_PROFILE + + export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} + export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} + export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} + export AWS_ACCOUNT=${aws_account} + export AWS_ACCOUNT_ID=${ACCOUNT} + + SaveCredentials fi # Sync using our dedicated profile and suppress verbose messages. From 4eb5f24d59b6b8c6de2ff177a803cb4efe37491a Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 10:10:29 +1030 Subject: [PATCH 10/22] Update entrypoint.sh --- entrypoint.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 06f88e0..c823631 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
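Review bot: `--duration-seconds 600` carries no trailing backslash, so `2>/dev/null)` is parsed as a separate null command inside the substitution; the `|| { echo "Error assuming role"; exit 1; }` then tests that null command and can never fire, and aws's stderr is not actually suppressed. The value itself is also below the 900-second minimum STS accepts for AssumeRole, so the call would be rejected. Join the lines as `--duration-seconds 900 2>/dev/null) || { echo "Error assuming role" >&2; exit 1; }`. `export AWS_PROFILE=${PROFILE}` exports an empty value unless PROFILE is set outside these hunks, whereas the profile created by the preceding heredoc is named `s3-sync-action`. The `$(echo ${JSON} | jq ...)` lines (re-added in patch 11) should quote the variable and avoid echo, `printf '%s' "$JSON" | jq -r .Credentials.AccessKeyId`.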
@@ -66,12 +66,6 @@ if [ -n "$AWS_ASSUMED_ROLE" ]; then --role-session-name "S3 Update CI" \ --duration-seconds 600 2>/dev/null) || { echo "Error assuming role"; exit 1; } - - AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") - AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") - AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") - AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") - unset AWS_PROFILE export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} From 6793d2a3598dec906643b430c5d8b0d3ed83810b Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 10:13:57 +1030 Subject: [PATCH 11/22] Update entrypoint.sh --- entrypoint.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index c823631..a18c09f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -66,6 +66,12 @@ if [ -n "$AWS_ASSUMED_ROLE" ]; then --role-session-name "S3 Update CI" \ --duration-seconds 600 2>/dev/null) || { echo "Error assuming role"; exit 1; } + + AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") + AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") + AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") + AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") + unset AWS_PROFILE export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} @@ -74,7 +80,7 @@ if [ -n "$AWS_ASSUMED_ROLE" ]; then export AWS_ACCOUNT=${aws_account} export AWS_ACCOUNT_ID=${ACCOUNT} - SaveCredentials + # SaveCredentials fi # Sync using our dedicated profile and suppress verbose messages. From e10a0c08693857242eb4124271002c239961d807 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 10:17:20 +1030 Subject: [PATCH 12/22] Update entrypoint.sh --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/entrypoint.sh b/entrypoint.sh index a18c09f..f8bf09a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,7 @@ #!/bin/sh +apt-get install jq + SaveCredentials() { [[ -d ~/.assumerole.d/cache ]] || mkdir -p ~/.assumerole.d/cache From 3343fad59f09d446ec710ec84ba1e6a7610f6e28 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 10:23:49 +1030 Subject: [PATCH 13/22] Update entrypoint.sh --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index f8bf09a..2bd1f6e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/sh -apt-get install jq +sudo apt-get install jq SaveCredentials() { [[ -d ~/.assumerole.d/cache ]] || mkdir -p ~/.assumerole.d/cache From 522ac5ef4fb99599468a8379a82213915c7b7eed Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 10:34:46 +1030 Subject: [PATCH 14/22] Update entrypoint.sh --- entrypoint.sh | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 2bd1f6e..0cd3690 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
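Review bot: `apt-get install jq` runs without `-y` and without a preceding `apt-get update`, so on a non-interactive runner it stops at the confirmation prompt or fails on a stale package index, and because it sits before `set -e` the failure is ignored and the later `jq` calls then break. Patches 13 and 15 prepend `sudo`, which is unlikely to exist inside the action container; installing at job time also makes every run depend on the package mirror being reachable. Install jq when the image is built instead; if it has to be a runtime step, place it after `set -e` as `apt-get update && apt-get install -y --no-install-recommends jq`.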
@@ -1,25 +1,5 @@ #!/bin/sh -sudo apt-get install jq - -SaveCredentials() { - [[ -d ~/.assumerole.d/cache ]] || mkdir -p ~/.assumerole.d/cache - - echo "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" > ~/.assumerole.d/cache/${aws_account} - echo "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" >> ~/.assumerole.d/cache/${aws_account} - echo "export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> ~/.assumerole.d/cache/${aws_account} - echo "export ROLE=${ROLE}" >> ~/.assumerole.d/cache/${aws_account} - echo "export ACCOUNT=${ACCOUNT}" >> ~/.assumerole.d/cache/${aws_account} - echo "export AWS_ACCOUNT_ID=${ACCOUNT}" >> ~/.assumerole.d/cache/${aws_account} - echo "export aws_account=${aws_account}" >> ~/.assumerole.d/cache/${aws_account} - echo "export AWS_ACCOUNT=${aws_account}" >> ~/.assumerole.d/cache/${aws_account} - echo "export AWS_EXPIRATION=${AWS_EXPIRATION}" >> ~/.assumerole.d/cache/${aws_account} - echo "export SSHKEY=${SSHKEY}" >> ~/.assumerole.d/cache/${aws_account} - echo ${ASSUMEROLE_ENV} >> ~/.assumerole.d/cache/${aws_account} - - chmod 0600 ~/.assumerole.d/cache/${aws_account} -} - set -e if [ -z "$AWS_S3_BUCKET" ]; then @@ -68,7 +48,7 @@ if [ -n "$AWS_ASSUMED_ROLE" ]; then --role-session-name "S3 Update CI" \ --duration-seconds 600 2>/dev/null) || { echo "Error assuming role"; exit 1; } - + echo ${JSON} AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") From 461f294ed1744da4bb59e58bfe63c4185ffc1ca9 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 11:52:01 +1030 Subject: [PATCH 15/22] Update entrypoint.sh --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 0cd3690..c4ae67c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
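Review bot: `echo ${JSON}` prints the full AssumeRole response, including `SecretAccessKey` and `SessionToken`, into the job log. These credentials are minted at run time rather than stored as repository secrets, so the runner's secret masking does not apply to them and anyone able to read the log holds a valid session until it expires. Remove the line; if a diagnostic is wanted, print a non-secret field only, `printf '%s' "$JSON" | jq -r .AssumedRoleUser.Arn`.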
@@ -1,5 +1,7 @@ #!/bin/sh +sudo apt-get install jq + set -e if [ -z "$AWS_S3_BUCKET" ]; then From a85e96674188cc46139591a82740b041208663d1 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 15:52:23 +1030 Subject: [PATCH 16/22] Update entrypoint.sh comment out and try to inherit from github action configure credentials --- entrypoint.sh | 56 +++++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index c4ae67c..ff1b2ee 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,7 +1,5 @@ #!/bin/sh -sudo apt-get install jq - set -e if [ -z "$AWS_S3_BUCKET" ]; then 
@@ -32,40 +30,40 @@ fi # Create a dedicated profile for this action to avoid conflicts # with past/future actions. # https://github.com/jakejarvis/s3-sync-action/issues/1 -aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1 -${AWS_ACCESS_KEY_ID} -${AWS_SECRET_ACCESS_KEY} -${AWS_REGION} -text -EOF +# aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1 +# ${AWS_ACCESS_KEY_ID} +# ${AWS_SECRET_ACCESS_KEY} +# ${AWS_REGION} +# text +# EOF # Assume Role if user sets AWS_ASSUMED_ROLE. -if [ -n "$AWS_ASSUMED_ROLE" ]; then - role_arn="$AWS_ASSUMED_ROLE" +# if [ -n "$AWS_ASSUMED_ROLE" ]; then +# role_arn="$AWS_ASSUMED_ROLE" - export AWS_PROFILE=${PROFILE} +# export AWS_PROFILE=${PROFILE} - JSON=$(aws sts assume-role \ - --role-arn "$AWS_ASSUMED_ROLE" \ - --role-session-name "S3 Update CI" \ - --duration-seconds 600 - 2>/dev/null) || { echo "Error assuming role"; exit 1; } - echo ${JSON} - AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") - AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") - AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") - AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") +# JSON=$(aws sts assume-role \ +# --role-arn "$AWS_ASSUMED_ROLE" \ +# --role-session-name "S3 Update CI" \ +# --duration-seconds 600 +# 2>/dev/null) || { echo "Error assuming role"; exit 1; } +# echo ${JSON} +# AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") +# AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") +# AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") +# AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") - unset AWS_PROFILE +# unset AWS_PROFILE - export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} - export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} - export 
AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} - export AWS_ACCOUNT=${aws_account} - export AWS_ACCOUNT_ID=${ACCOUNT} +# export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} +# export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} +# export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} +# export AWS_ACCOUNT=${aws_account} +# export AWS_ACCOUNT_ID=${ACCOUNT} - # SaveCredentials -fi +# # SaveCredentials +# fi # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. From b56cd4a94b57f37730a0594ffe32cb1827e69404 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 15:54:07 +1030 Subject: [PATCH 17/22] Update entrypoint.sh --- entrypoint.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index ff1b2ee..9a0ead3 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -7,15 +7,15 @@ if [ -z "$AWS_S3_BUCKET" ]; then exit 1 fi -if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID is not set. Quitting." - exit 1 -fi +# if [ -z "$AWS_ACCESS_KEY_ID" ]; then +# echo "AWS_ACCESS_KEY_ID is not set. Quitting." +# exit 1 +# fi -if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY is not set. Quitting." - exit 1 -fi +# if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then +# echo "AWS_SECRET_ACCESS_KEY is not set. Quitting." +# exit 1 +# fi # Default to us-east-1 if AWS_REGION not set. if [ -z "$AWS_REGION" ]; then From 1f3bfd525464c3c946bc2e1ba9f64cf5f6a4ea1d Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 16:06:49 +1030 Subject: [PATCH 18/22] Update entrypoint.sh --- entrypoint.sh | 43 ------------------------------------------- 1 file changed, 43 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9a0ead3..af3d4eb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
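Review bot: Commenting out the `aws configure --profile s3-sync-action` step leaves the sync command that follows this hunk still passing `--profile s3-sync-action` (patch 18 removes that flag later), so as of this commit the sync fails with an unknown-profile error rather than inheriting the runner's credentials. The hunk also keeps roughly forty lines of commented-out code, including the `${AWS_ACCESS_KEY_ID}`/`${AWS_SECRET_ACCESS_KEY}` heredoc; deleting it is clearer and git preserves the history. If the intent is to rely on the environment, drop the `--profile` flag in the same commit and say so in the comment above the sync, e.g. `# Credentials are taken from the environment (e.g. aws-actions/configure-aws-credentials).`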
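Review bot: The guards on `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are commented out without a replacement, so the script no longer verifies that any credential source exists before `aws s3 sync` runs and a misconfigured job fails late with a less clear error. Since credentials are now expected from the environment, replace the two blocks with a probe guarded by `[ -z "$AWS_S3_ENDPOINT" ]` so non-AWS endpoints are unaffected, `aws sts get-caller-identity >/dev/null 2>&1 || { echo "No AWS credentials available. Quitting."; exit 1; }`. Delete the commented-out blocks rather than keeping them.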
@@ -27,9 +27,6 @@ if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT" fi -# Create a dedicated profile for this action to avoid conflicts -# with past/future actions. -# https://github.com/jakejarvis/s3-sync-action/issues/1 # aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1 # ${AWS_ACCESS_KEY_ID} # ${AWS_SECRET_ACCESS_KEY} 
@@ -37,48 +34,8 @@ fi # text # EOF -# Assume Role if user sets AWS_ASSUMED_ROLE. -# if [ -n "$AWS_ASSUMED_ROLE" ]; then -# role_arn="$AWS_ASSUMED_ROLE" - -# export AWS_PROFILE=${PROFILE} - -# JSON=$(aws sts assume-role \ -# --role-arn "$AWS_ASSUMED_ROLE" \ -# --role-session-name "S3 Update CI" \ -# --duration-seconds 600 -# 2>/dev/null) || { echo "Error assuming role"; exit 1; } -# echo ${JSON} -# AWS_ACCESS_KEY_ID=$(echo ${JSON} | jq --raw-output ".Credentials[\"AccessKeyId\"]") -# AWS_SECRET_ACCESS_KEY=$(echo ${JSON} | jq --raw-output ".Credentials[\"SecretAccessKey\"]") -# AWS_SESSION_TOKEN=$(echo ${JSON} | jq --raw-output ".Credentials[\"SessionToken\"]") -# AWS_EXPIRATION=$(echo ${JSON} | jq --raw-output ".Credentials[\"Expiration\"]") - -# unset AWS_PROFILE - -# export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} -# export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} -# export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} -# export AWS_ACCOUNT=${aws_account} -# export AWS_ACCOUNT_ID=${ACCOUNT} - -# # SaveCredentials -# fi - # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ - --profile s3-sync-action \ --no-progress \ ${ENDPOINT_APPEND} $*" - -# Clear out credentials after we're done. -# We need to re-run `aws configure` with bogus input instead of -# deleting ~/.aws in case there are other credentials living there. -# https://forums.aws.amazon.com/thread.jspa?threadID=148833 -aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1 -null -null -null -text -EOF From 301a060a8736b02f398299734a6a7afa7a36b6d5 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 16:13:24 +1030 Subject: [PATCH 19/22] Update entrypoint.sh --- entrypoint.sh | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index af3d4eb..1083fe2 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -7,16 +7,6 @@ if [ -z "$AWS_S3_BUCKET" ]; then exit 1 fi -# if [ -z "$AWS_ACCESS_KEY_ID" ]; then -# echo "AWS_ACCESS_KEY_ID is not set. Quitting." -# exit 1 -# fi - -# if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then -# echo "AWS_SECRET_ACCESS_KEY is not set. Quitting." -# exit 1 -# fi - # Default to us-east-1 if AWS_REGION not set. if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" @@ -27,13 +17,6 @@ if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT" fi -# aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1 -# ${AWS_ACCESS_KEY_ID} -# ${AWS_SECRET_ACCESS_KEY} -# ${AWS_REGION} -# text -# EOF - # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ From d33e9ec6d85f4b0582a3dd3336ac440ce4158fd8 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 12 Jan 2021 16:17:28 +1030 Subject: [PATCH 20/22] Update README.md --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index ca6eba6..3c5c2c2 100644 --- a/README.md +++ b/README.md 
@@ -31,15 +31,21 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@master - - uses: jakejarvis/s3-sync-action@master + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ secrets.AWS_REGION }} + role-to-assume: ${{ secrets.AWS_ASSUMED_ROLE }} + + - uses: brajm008/s3-sync-action@master with: args: --acl public-read --follow-symlinks --delete env: AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_REGION: 'us-west-1' # optional: defaults to us-east-1 - AWS_ASSUMED_ROLE: ${{ secrets.AWS_ASSUMED_ROLE }} # optional: defaults to not assumed role + AWS_REGION: ${{ secrets.AWS_REGION }} # optional: defaults to us-east-1 SOURCE_DIR: 'public' # optional: defaults to entire repository ``` 
@@ -50,11 +56,9 @@ The following settings must be passed as environment variables as shown in the e | Key | Value | Suggested Type | Required | Default | | ------------- | ------------- | ------------- | ------------- | ------------- | -| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | -| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | +N/A | | `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | | `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | -| `AWS_ASSUMED_ROLE` | The ARN of a role being assumed to deploy to S3 Bucket | `secret env` | No | N/A | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | From d8a6f86e7c839a200a6eef371e078ea1c15cc842 Mon Sep 17 00:00:00 2001 
From: Justin Date: Thu, 14 Jan 2021 11:24:22 +1030 Subject: [PATCH 21/22] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c5c2c2..b5f4ccb 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ jobs: aws-region: ${{ secrets.AWS_REGION }} role-to-assume: ${{ secrets.AWS_ASSUMED_ROLE }} - - uses: brajm008/s3-sync-action@master + - uses: jakejarvis/s3-sync-action@master with: args: --acl public-read --follow-symlinks --delete env: From 3aec7d05c3e2a61ccf1f04951e4bdfc88315479c Mon Sep 17 00:00:00 2001 From: Justin Date: Thu, 14 Jan 2021 11:28:29 +1030 Subject: [PATCH 22/22] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 3c5c2c2..528b751 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,6 @@ The following settings must be passed as environment variables as shown in the e | Key | Value | Suggested Type | Required | Default | | ------------- | ------------- | ------------- | ------------- | ------------- | -N/A | | `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | | `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) |