
feat: add support for assuming a role #17

Merged
merged 17 commits into from
Jan 22, 2020

Conversation

mattsb42-aws
Member

@mattsb42-aws mattsb42-aws commented Jan 7, 2020

Description of changes:

As a security-conscious developer, long-lived credentials make me nervous, especially when I do not have a mechanism for an automated actor to change or delete them. Ideally, I would like to constantly refresh the GitHub Secrets that hold my AWS credentials with constantly rotating, short-lived, IAM Role credentials. Unfortunately, until GitHub adds an API for Secrets I cannot do that.

As a halfway measure, I would like to be able to set long-lived credentials in my GitHub Secrets that only have the permissions to assume short-lived credentials with wider permissions. The purpose of this PR is to enable this use-case.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
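The flow the description above sets out, as an added example that is not the action's own index.js: the long-lived keys held in GitHub Secrets are used only to call STS AssumeRole, and only the resulting short-lived, role-scoped credentials are exported to later steps, with the secret parts masked first. The STS client and the @actions/core-style `core` object are injected and faked inline so it runs offline; parseRoleArn, assumeRoleAndExport, fakeEnvironment and the `sts.assumeRole(params)` promise interface are assumptions, not the project's or the SDK's exact API.

```javascript
// Added example (not the action's index.js); `sts` and `core` are injected stand-ins.
// Parse a role ARN; anything else (e.g. a bare access key) yields null.
function parseRoleArn(arn) {
  const m = /^arn:aws:iam::(\d{12}):role\/([\w+=,.@\/-]+)$/.exec(arn);
  return m ? { accountId: m[1], roleName: m[2] } : null;
}

async function assumeRoleAndExport({ sts, core, roleToAssume, sessionName, maskAccountId = true }) {
  const role = parseRoleArn(roleToAssume);
  if (!role) throw new Error(`role-to-assume is not a role ARN: ${roleToAssume}`);
  // The provided long-lived keys only need sts:AssumeRole on this one role.
  const resp = await sts.assumeRole({ RoleArn: roleToAssume, RoleSessionName: sessionName, DurationSeconds: 3600 });
  const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = resp.Credentials;
  // Mask the secret parts before anything can echo them into the job log.
  core.setSecret(SecretAccessKey);
  core.setSecret(SessionToken);
  if (maskAccountId) core.setSecret(role.accountId);
  // Later steps see only the expiring, role-scoped credentials, never the provided ones.
  core.exportVariable('AWS_ACCESS_KEY_ID', AccessKeyId);
  core.exportVariable('AWS_SECRET_ACCESS_KEY', SecretAccessKey);
  core.exportVariable('AWS_SESSION_TOKEN', SessionToken);
  return { accountId: role.accountId, expiration: Expiration };
}

// Constructed stand-in for the STS client and for @actions/core, recording what is exported and masked.
function fakeEnvironment() {
  const exported = {};
  const masked = [];
  const core = {
    exportVariable: (name, value) => { exported[name] = value; },
    setSecret: (value) => { masked.push(value); },
  };
  const sts = {
    assumeRole: async () => ({
      Credentials: {
        AccessKeyId: 'ASIAEXAMPLEKEY',
        SecretAccessKey: 'example-secret-key',
        SessionToken: 'example-session-token',
        Expiration: new Date('2020-01-22T01:00:00Z'),
      },
    }),
  };
  return { core, sts, exported, masked };
}
```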

@mattsb42-aws
Member Author

Something's wrong, I assume with the mock, but I'm not sure what. Digging more, but putting this up in case this is obvious to others.

@mattsb42-aws mattsb42-aws changed the title add support for assuming a role feat: add support for assuming a role Jan 14, 2020
@mattsb42-aws mattsb42-aws marked this pull request as ready for review January 14, 2020 00:11
@seebees

seebees commented Jan 21, 2020

This LGTM.
I prefer smaller files, but that is just personal preference.

action.yml Outdated
@@ -19,6 +19,12 @@ inputs:
mask-aws-account-id:
description: "Whether to set the AWS account ID for these credentials as a secret value, so that it is masked in logs. Valid values are 'true' and 'false'. Defaults to true"
required: false
role-to-assume:
description: "Use the provided credentials to assume a role rather than persisting the credentials directly"
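Review bot: the description on the new role-to-assume input leaves "persisting the credentials directly" ambiguous, and unlike mask-aws-account-id just above it, which spells out its valid values, it does not say what value the input expects (a role ARN, if that is what the implementation takes); suggest wording along the lines of "ARN of a role to assume with the provided credentials; the assumed role's temporary credentials, not the provided ones, are exported to later steps". Only two of the six added lines are visible here, so also confirm the rest of the hunk carries the `required: false` that the neighbouring inputs declare.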
Member


What do you mean by persisting the credentials directly? I associate that with persisting to disk. Do you mean something like using the credentials for API calls directly?

Member Author


What I meant by "persisting" was "passing the values along to later steps via outputs".

Maybe: "Use the provided credentials to assume a Role and output the assumed credentials for that Role rather than the provided credentials."?

index.js Outdated
}
catch (error) {
core.setFailed(error.message);

const suppressStackTrace = process.env.DO_NOT_SUPPRESS_STACK_TRACE;
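Review bot: suppressStackTrace is assigned from DO_NOT_SUPPRESS_STACK_TRACE, so the variable name states the inverse of what it holds; either rename it doNotSuppressStackTrace or invert the value at the assignment so the name and the value agree. Also, process.env values are strings, so any later truthiness test on this variable treats a value such as 'false' or '0' as set; compare against an explicit value (for example `=== 'true'`) rather than relying on truthiness.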
Member


Nit: the variable name seems opposite to the env variable name: doNotSuppressStackTrace?

@clareliguori clareliguori merged commit 25960ab into aws-actions:master Jan 22, 2020
@clareliguori
Member

Thanks for the contribution! FYI I'm working on some automation for cutting the releases of this action; until then uses: aws-actions/configure-aws-credentials@master can be used to take advantage of this new input.

3 participants