From 6a5c7d157fd50cfb29af4f4cdfd6e6d23cd3d72e Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Fri, 23 Jul 2021 15:12:56 -0400 Subject: [PATCH 1/8] feat: Add the ability to use a web identity token file --- README.md | 11 +++++++++++ action.yml | 4 ++++ index.js | 33 ++++++++++++++++++++++----------- index.test.js | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 84 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 864f9c9c4..0ccae050c 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,17 @@ with: ``` In this case, your runner's credentials must have permissions to assume the role. +You can also assume a role using a web identity token file if using [EKS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html). Pods running in EKS worker nodes that do not run as root can use this file to assume a role with a web identity. + +You can configure your workflow as follows in order to use this file: +```yaml +uses: aws-actions/configure-aws-credentials@v1 +with: + aws-region: us-east-2 + role-to-assume: my-github-actions-role + web-identity-token-file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +``` + ### Use with the AWS CLI This workflow does _not_ install the [AWS CLI](https://aws.amazon.com/cli/) into your environment. Self-hosted runners that intend to run this action prior to executing `aws` commands need to have the AWS CLI [installed](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) if it's not already present. diff --git a/action.yml b/action.yml index fafa25b8a..eab21fe47 100644 --- a/action.yml +++ b/action.yml 
@@ -34,6 +34,10 @@ inputs: environment with the assumed role credentials rather than with the provided credentials required: false + web-identity-token-file: + description: >- + Read the web identity token file from the provided file system path in order to + assume an IAM role using a web identity on an EKS worker node role-duration-seconds: description: "Role duration in seconds (default: 6 hours)" required: false diff --git a/index.js b/index.js index 018aac3e9..39c236482 100644 --- a/index.js +++ b/index.js @@ -1,6 +1,7 @@ const core = require('@actions/core'); const aws = require('aws-sdk'); const assert = require('assert'); +const fs = require('fs').promises; // The max time that a GitHub action is allowed to run is 6 hours. // That seems like a reasonable default to use if no role duration is defined. @@ -22,7 +23,8 @@ async function assumeRole(params) { roleDurationSeconds, roleSessionName, region, - roleSkipSessionTagging + roleSkipSessionTagging, + webIdentityTokenFile } = params; assert( [sourceAccountId, roleToAssume, roleDurationSeconds, roleSessionName, region].every(isDefined), @@ -74,15 +76,22 @@ async function assumeRole(params) { assumeRoleRequest.ExternalId = roleExternalId; } - return sts.assumeRole(assumeRoleRequest) - .promise() - .then(function (data) { - return { - accessKeyId: data.Credentials.AccessKeyId, - secretAccessKey: data.Credentials.SecretAccessKey, - sessionToken: data.Credentials.SessionToken, - }; - }); + let assumeFunction = sts.assumeRole; + + if(isDefined(webIdentityTokenFile)) { + assumeRoleRequest.WebIdentityToken = await fs.readFile(webIdentityTokenFile, 'utf8'); + assumeFunction = sts.assumeRoleWithWebIdentity; + } + + return assumeFunction(assumeRoleRequest) + .promise() + .then(function (data) { + return { + accessKeyId: data.Credentials.AccessKeyId, + secretAccessKey: data.Credentials.SecretAccessKey, + sessionToken: data.Credentials.SessionToken, + }; + }); } function sanitizeGithubActor(actor) { 
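Review bot: The token file content is placed into `WebIdentityToken` verbatim, so a trailing newline in the file (easy to get when a token is written by a tool or by hand) becomes part of the token sent to STS; read it as `assumeRoleRequest.WebIdentityToken = (await fs.readFile(webIdentityTokenFile, 'utf8')).trim();` (the same applies to the reworked read in the later try/catch hunk of PATCH 7). Separately, `let assumeFunction = sts.assumeRole;` copies the method off the client, so `assumeFunction(assumeRoleRequest)` runs it with no `this` bound to `sts`; the SDK's service methods rely on `this`, so it needs `sts.assumeRole.bind(sts)` and likewise for `assumeRoleWithWebIdentity`. The request object handed to `assumeRoleWithWebIdentity` is the one built for `assumeRole` above it, carrying `Tags` and, when set, `ExternalId`, neither of which that API accepts. assumeRole's body starts outside the hunk.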
@@ -211,6 +220,7 @@ async function run() { const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME; const roleSkipSessionTaggingInput = core.getInput('role-skip-session-tagging', { required: false })|| 'false'; const roleSkipSessionTagging = roleSkipSessionTaggingInput.toLowerCase() === 'true'; + const webIdentityTokenFile = core.getInput('web-identity-token-file', { required: false }) if (!region.match(REGION_REGEX)) { throw new Error(`Region is not valid: ${region}`); @@ -249,7 +259,8 @@ async function run() { roleExternalId, roleDurationSeconds, roleSessionName, - roleSkipSessionTagging + roleSkipSessionTagging, + webIdentityTokenFile }); exportCredentials(roleCredentials); await validateCredentials(roleCredentials.accessKeyId); diff --git a/index.test.js b/index.test.js index f2295c991..504e4c8d9 100644 --- a/index.test.js +++ b/index.test.js @@ -46,6 +46,7 @@ const ASSUME_ROLE_INPUTS = {...CREDS_INPUTS, 'role-to-assume': ROLE_ARN, 'aws-re const mockStsCallerIdentity = jest.fn(); const mockStsAssumeRole = jest.fn(); +const mockStsAssumeRoleWithWebIdentity = jest.fn(); jest.mock('aws-sdk', () => { return { @@ -55,10 +56,19 @@ jest.mock('aws-sdk', () => { STS: jest.fn(() => ({ getCallerIdentity: mockStsCallerIdentity, assumeRole: mockStsAssumeRole, + assumeRoleWithWebIdentity: mockStsAssumeRoleWithWebIdentity })) }; }); +jest.mock('fs', () => { + return { + promises: { + readFile: jest.fn(() => Promise.resolve('testpayload')) + } + }; +}); + describe('Configure AWS Credentials', () => { const OLD_ENV = process.env; @@ -119,6 +129,20 @@ describe('Configure AWS Credentials', () => { } } }); + + mockStsAssumeRoleWithWebIdentity.mockImplementation(() => { + return { + promise() { + return Promise.resolve({ + Credentials: { + AccessKeyId: FAKE_STS_ACCESS_KEY_ID, + SecretAccessKey: FAKE_STS_SECRET_ACCESS_KEY, + SessionToken: FAKE_STS_SESSION_TOKEN + } + }); + } + } + }); }); afterEach(() => { 
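Review bot: The added `const webIdentityTokenFile = core.getInput('web-identity-token-file', { required: false })` is the only line in this block without a terminating semicolon; add it to match the surrounding declarations. Also, `core.getInput` returns an empty string for an unset input, so the routing in `assumeRole` only works if `isDefined` (declared outside this hunk) treats `''` as not defined — worth confirming, or normalise here with `core.getInput('web-identity-token-file', { required: false }) || undefined;`. run()'s body starts and ends outside the hunk.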
@@ -507,6 +531,29 @@ describe('Configure AWS Credentials', () => { }) }); + test('web identity token file provided', async () => { + core.getInput = jest + .fn() + .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'web-identity-token-file': '/fake/token/file'})); + + await run(); + expect(mockStsAssumeRoleWithWebIdentity).toHaveBeenCalledWith({ + RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', + RoleSessionName: 'GitHubActions', + DurationSeconds: 6 * 3600, + WebIdentityToken: 'testpayload', + Tags: [ + {Key: 'GitHub', Value: 'Actions'}, + {Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY}, + {Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW}, + {Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION}, + {Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED}, + {Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA}, + {Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF}, + ] + }) + }); + test('role external ID provided', async () => { core.getInput = jest .fn() From 1903d13aee70ba98e76a3f756ef4e67bddca4446 Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Tue, 27 Jul 2021 08:51:11 -0400 Subject: [PATCH 2/8] mark web identity token file as not required --- action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yml b/action.yml index eab21fe47..73fa253ca 100644 --- a/action.yml +++ b/action.yml @@ -38,6 +38,7 @@ inputs: description: >- Read the web identity token file from the provided file system path in order to assume an IAM role using a web identity on an EKS worker node + required: false role-duration-seconds: description: "Role duration in seconds (default: 6 hours)" required: false From 95a5be9e77d16ba76491015c7a638c0b909739d1 Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Tue, 27 Jul 2021 09:50:29 -0400 Subject: [PATCH 3/8] fix indentation --- action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/action.yml b/action.yml index 73fa253ca..6b1c0969e 100644 --- a/action.yml +++ b/action.yml @@ -35,10 +35,10 @@ inputs: credentials required: false web-identity-token-file: - description: >- - Read the web identity token file from the provided file system path in order to - assume an IAM role using a web identity on an EKS worker node - required: false + description: >- + Read the web identity token file from the provided file system path in order to + assume an IAM role using a web identity on an EKS worker node + required: false role-duration-seconds: description: "Role duration in seconds (default: 6 hours)" required: false From c1369727e1d568b01cf4a82fd7738c6f709231fe Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Thu, 29 Jul 2021 13:52:16 -0400 Subject: [PATCH 4/8] better docs and added support for relative vs absolute paths --- README.md | 8 +++++--- action.yml | 4 ++-- index.js | 11 ++++++++++- index.test.js | 29 +++++++++++++++++++++++++++-- 4 files changed, 44 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0ccae050c..f5c519b14 100644 --- a/README.md +++ b/README.md @@ -6,12 +6,14 @@ Configure AWS credential and region environment variables for use in other GitHu +- ["Configure AWS Credentials" Action For GitHub Actions](#configure-aws-credentials-action-for-github-actions) - [Usage](#usage) - [Credentials](#credentials) - [Assuming a Role](#assuming-a-role) - + [Permissions for assuming a role](#permissions-for-assuming-a-role) - + [Session tagging](#session-tagging) + - [Permissions for assuming a role](#permissions-for-assuming-a-role) + - [Session tagging](#session-tagging) - [Self-Hosted Runners](#self-hosted-runners) + - [Use with the AWS CLI](#use-with-the-aws-cli) - [License Summary](#license-summary) - [Security Disclosures](#security-disclosures) 
@@ -189,7 +191,7 @@ with: ``` In this case, your runner's credentials must have permissions to assume the role. -You can also assume a role using a web identity token file if using [EKS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html). Pods running in EKS worker nodes that do not run as root can use this file to assume a role with a web identity. +You can also assume a role using a web identity token file, such as if using [Amazon EKS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html). Pods running in EKS worker nodes that do not run as root can use this file to assume a role with a web identity. You can configure your workflow as follows in order to use this file: ```yaml diff --git a/action.yml b/action.yml index 6b1c0969e..4e41aeb5e 100644 --- a/action.yml +++ b/action.yml @@ -36,8 +36,8 @@ inputs: required: false web-identity-token-file: description: >- - Read the web identity token file from the provided file system path in order to - assume an IAM role using a web identity on an EKS worker node + Use the web identity token file from the provided file system path in order to + assume an IAM role using a web identity. E.g., from within an Amazon EKS worker node required: false role-duration-seconds: description: "Role duration in seconds (default: 6 hours)" diff --git a/index.js b/index.js index 39c236482..e482fc22b 100644 --- a/index.js +++ b/index.js @@ -2,6 +2,7 @@ const core = require('@actions/core'); const aws = require('aws-sdk'); const assert = require('assert'); const fs = require('fs').promises; +const path = require('path'); // The max time that a GitHub action is allowed to run is 6 hours. // That seems like a reasonable default to use if no role duration is defined. 
@@ -79,7 +80,15 @@ async function assumeRole(params) { let assumeFunction = sts.assumeRole; if(isDefined(webIdentityTokenFile)) { - assumeRoleRequest.WebIdentityToken = await fs.readFile(webIdentityTokenFile, 'utf8'); + const webIdentityTokenFilePath = path.isAbsolute(webIdentityTokenFile) ? + webIdentityTokenFile : + path.join(process.env.GITHUB_WORKSPACE, webIdentityTokenFile); + + if (!await fs.exists(webIdentityTokenFilePath)) { + throw new Error(`Web identity token file does not exist: ${webIdentityTokenFilePath}`); + } + + assumeRoleRequest.WebIdentityToken = await fs.readFile(webIdentityTokenFilePath, 'utf8'); assumeFunction = sts.assumeRoleWithWebIdentity; } diff --git a/index.test.js b/index.test.js index 504e4c8d9..1e2aa7f61 100644 --- a/index.test.js +++ b/index.test.js @@ -24,6 +24,7 @@ const ENVIRONMENT_VARIABLE_OVERRIDES = { GITHUB_ACTOR: 'MY-USERNAME[bot]', GITHUB_SHA: 'MY-COMMIT-ID', GITHUB_REF: 'MY-BRANCH', + GITHUB_WORKSPACE: '/home/github' }; const GITHUB_ACTOR_SANITIZED = 'MY-USERNAME_bot_' @@ -64,7 +65,8 @@ jest.mock('aws-sdk', () => { jest.mock('fs', () => { return { promises: { - readFile: jest.fn(() => Promise.resolve('testpayload')) + readFile: jest.fn(() => Promise.resolve('testpayload')), + exists: jest.fn(() => Promise.resolve(true)) } }; }); @@ -531,7 +533,7 @@ describe('Configure AWS Credentials', () => { }) }); - test('web identity token file provided', async () => { + test('web identity token file provided with absolute path', async () => { core.getInput = jest .fn() .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'web-identity-token-file': '/fake/token/file'})); 
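Review bot: `path.join(process.env.GITHUB_WORKSPACE, webIdentityTokenFile)` throws a TypeError from `path.join` about the path argument when `GITHUB_WORKSPACE` is unset (possible when the action is exercised outside a GitHub runner), and that message says nothing about the token file; guard it first, e.g. `if (!process.env.GITHUB_WORKSPACE) throw new Error('GITHUB_WORKSPACE is not set; provide an absolute web-identity-token-file path');`. Also `fs` in this file is `require('fs').promises`, which has no `exists` member, so `await fs.exists(...)` fails at runtime with a "not a function" error; the unit tests only pass because the module is mocked with an `exists` function. The enclosing assumeRole body starts and ends outside the hunk.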
@@ -554,6 +556,29 @@ describe('Configure AWS Credentials', () => { }) }); + test('web identity token file provided with relative path', async () => { + core.getInput = jest + .fn() + .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'web-identity-token-file': 'fake/token/file'})); + + await run(); + expect(mockStsAssumeRoleWithWebIdentity).toHaveBeenCalledWith({ + RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', + RoleSessionName: 'GitHubActions', + DurationSeconds: 6 * 3600, + WebIdentityToken: 'testpayload', + Tags: [ + {Key: 'GitHub', Value: 'Actions'}, + {Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY}, + {Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW}, + {Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION}, + {Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED}, + {Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA}, + {Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF}, + ] + }) + }); + test('role external ID provided', async () => { core.getInput = jest .fn() From 71d67fe748056f71dc457e183d57575695b1b219 Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Thu, 29 Jul 2021 15:14:40 -0400 Subject: [PATCH 5/8] bind sts context and adjust fs calls --- index.js | 10 +++++----- index.test.js | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/index.js b/index.js index e482fc22b..b822b0eb8 100644 --- a/index.js +++ b/index.js @@ -1,7 +1,7 @@ const core = require('@actions/core'); const aws = require('aws-sdk'); const assert = require('assert'); -const fs = require('fs').promises; +const fs = require('fs'); const path = require('path'); // The max time that a GitHub action is allowed to run is 6 hours. 
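Review bot: The new 'web identity token file provided with relative path' test asserts only the STS request and never checks the path that was resolved, so it would still pass if the `GITHUB_WORKSPACE` join were dropped; assert on the mocked read as well, e.g. `expect(require('fs').promises.readFile).toHaveBeenCalledWith('/home/github/fake/token/file', 'utf8');` (under `jest.mock('fs', ...)` the mock is what `require('fs')` returns). The error branch is also untested: with `exists` mocked to always resolve `true`, nothing covers the "Web identity token file does not exist" throw; a case that mocks it to `false` and asserts on the failure reported by `run()` would pin that behaviour. The enclosing describe block starts and ends outside the hunk.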
@@ -77,19 +77,19 @@ async function assumeRole(params) { assumeRoleRequest.ExternalId = roleExternalId; } - let assumeFunction = sts.assumeRole; + let assumeFunction = sts.assumeRole.bind(sts); if(isDefined(webIdentityTokenFile)) { const webIdentityTokenFilePath = path.isAbsolute(webIdentityTokenFile) ? webIdentityTokenFile : path.join(process.env.GITHUB_WORKSPACE, webIdentityTokenFile); - if (!await fs.exists(webIdentityTokenFilePath)) { + if (!fs.existsSync(webIdentityTokenFilePath)) { throw new Error(`Web identity token file does not exist: ${webIdentityTokenFilePath}`); } - assumeRoleRequest.WebIdentityToken = await fs.readFile(webIdentityTokenFilePath, 'utf8'); - assumeFunction = sts.assumeRoleWithWebIdentity; + assumeRoleRequest.WebIdentityToken = await fs.promises.readFile(webIdentityTokenFilePath, 'utf8'); + assumeFunction = sts.assumeRoleWithWebIdentity.bind(sts); } return assumeFunction(assumeRoleRequest) diff --git a/index.test.js b/index.test.js index 1e2aa7f61..af5152e67 100644 --- a/index.test.js +++ b/index.test.js @@ -66,8 +66,8 @@ jest.mock('fs', () => { return { promises: { readFile: jest.fn(() => Promise.resolve('testpayload')), - exists: jest.fn(() => Promise.resolve(true)) - } + }, + existsSync: jest.fn(() => true) }; }); From ef81c9d399bc594e7d8b33eaaa31630addf0bfdf Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Thu, 29 Jul 2021 15:46:48 -0400 Subject: [PATCH 6/8] exclude tags if using web identity token file --- index.js | 17 +++++++++-------- index.test.js | 22 ++-------------------- 2 files changed, 11 insertions(+), 28 deletions(-) diff --git a/index.js b/index.js index b822b0eb8..d644ad33d 100644 --- a/index.js +++ b/index.js 
@@ -45,6 +45,13 @@ async function assumeRole(params) { // Supports only 'aws' partition. Customers in other partitions ('aws-cn') will need to provide full ARN roleArn = `arn:aws:iam::${sourceAccountId}:role/${roleArn}`; } + + const assumeRoleRequest = { + RoleArn: roleArn, + RoleSessionName: roleSessionName, + DurationSeconds: roleDurationSeconds + }; + const tagArray = [ {Key: 'GitHub', Value: 'Actions'}, {Key: 'Repository', Value: GITHUB_REPOSITORY}, @@ -58,21 +65,15 @@ async function assumeRole(params) { tagArray.push({Key: 'Branch', Value: process.env.GITHUB_REF}); } - const roleSessionTags = roleSkipSessionTagging ? undefined : tagArray; + const roleSessionTags = roleSkipSessionTagging || isDefined(webIdentityTokenFile) ? undefined : tagArray; if(roleSessionTags == undefined){ core.debug("Role session tagging has been skipped.") } else { core.debug(roleSessionTags.length + " role session tags are being used.") + assumeRoleRequest.Tags = roleSessionTags; } - const assumeRoleRequest = { - RoleArn: roleArn, - RoleSessionName: roleSessionName, - DurationSeconds: roleDurationSeconds, - Tags: roleSessionTags - }; - if (roleExternalId) { assumeRoleRequest.ExternalId = roleExternalId; } diff --git a/index.test.js b/index.test.js index af5152e67..af9d4a61b 100644 --- a/index.test.js +++ b/index.test.js 
@@ -543,16 +543,7 @@ describe('Configure AWS Credentials', () => { RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', RoleSessionName: 'GitHubActions', DurationSeconds: 6 * 3600, - WebIdentityToken: 'testpayload', - Tags: [ - {Key: 'GitHub', Value: 'Actions'}, - {Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY}, - {Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW}, - {Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION}, - {Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED}, - {Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA}, - {Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF}, - ] + WebIdentityToken: 'testpayload' }) }); @@ -566,16 +557,7 @@ describe('Configure AWS Credentials', () => { RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', RoleSessionName: 'GitHubActions', DurationSeconds: 6 * 3600, - WebIdentityToken: 'testpayload', - Tags: [ - {Key: 'GitHub', Value: 'Actions'}, - {Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY}, - {Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW}, - {Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION}, - {Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED}, - {Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA}, - {Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF}, - ] + WebIdentityToken: 'testpayload' }) }); From 36a6ef4efb720cb10a1829d1ecbd01840cdc5f35 Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Mon, 2 Aug 2021 09:44:39 -0400 Subject: [PATCH 7/8] fix readme aand adjust tag removal logic --- README.md | 6 ++---- index.js | 28 ++++++++++++++++++---------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index f5c519b14..1b5b108b0 100644 --- a/README.md +++ b/README.md 
@@ -6,14 +6,12 @@ Configure AWS credential and region environment variables for use in other GitHu -- ["Configure AWS Credentials" Action For GitHub Actions](#configure-aws-credentials-action-for-github-actions) - [Usage](#usage) - [Credentials](#credentials) - [Assuming a Role](#assuming-a-role) - - [Permissions for assuming a role](#permissions-for-assuming-a-role) - - [Session tagging](#session-tagging) + + [Permissions for assuming a role](#permissions-for-assuming-a-role) + + [Session tagging](#session-tagging) - [Self-Hosted Runners](#self-hosted-runners) - - [Use with the AWS CLI](#use-with-the-aws-cli) - [License Summary](#license-summary) - [Security Disclosures](#security-disclosures) diff --git a/index.js b/index.js index d644ad33d..5f60e1267 100644 --- a/index.js +++ b/index.js @@ -46,12 +46,6 @@ async function assumeRole(params) { roleArn = `arn:aws:iam::${sourceAccountId}:role/${roleArn}`; } - const assumeRoleRequest = { - RoleArn: roleArn, - RoleSessionName: roleSessionName, - DurationSeconds: roleDurationSeconds - }; - const tagArray = [ {Key: 'GitHub', Value: 'Actions'}, {Key: 'Repository', Value: GITHUB_REPOSITORY}, @@ -65,13 +59,19 @@ async function assumeRole(params) { tagArray.push({Key: 'Branch', Value: process.env.GITHUB_REF}); } - const roleSessionTags = roleSkipSessionTagging || isDefined(webIdentityTokenFile) ? undefined : tagArray; + const roleSessionTags = roleSkipSessionTagging ? undefined : tagArray; + + const assumeRoleRequest = { + RoleArn: roleArn, + RoleSessionName: roleSessionName, + DurationSeconds: roleDurationSeconds, + Tags: roleSessionTags + }; if(roleSessionTags == undefined){ core.debug("Role session tagging has been skipped.") } else { core.debug(roleSessionTags.length + " role session tags are being used.") - assumeRoleRequest.Tags = roleSessionTags; } if (roleExternalId) { 
@@ -81,6 +81,9 @@ async function assumeRole(params) { let assumeFunction = sts.assumeRole.bind(sts); if(isDefined(webIdentityTokenFile)) { + core.debug("webIdentityTokenFile provided. Will call sts:AssumeRoleWithWebIdentity and take session tags from token contents.") + delete assumeRoleRequest.Tags; + const webIdentityTokenFilePath = path.isAbsolute(webIdentityTokenFile) ? webIdentityTokenFile : path.join(process.env.GITHUB_WORKSPACE, webIdentityTokenFile); @@ -89,8 +92,13 @@ async function assumeRole(params) { throw new Error(`Web identity token file does not exist: ${webIdentityTokenFilePath}`); } - assumeRoleRequest.WebIdentityToken = await fs.promises.readFile(webIdentityTokenFilePath, 'utf8'); - assumeFunction = sts.assumeRoleWithWebIdentity.bind(sts); + try { + assumeRoleRequest.WebIdentityToken = await fs.promises.readFile(webIdentityTokenFilePath, 'utf8'); + assumeFunction = sts.assumeRoleWithWebIdentity.bind(sts); + } catch(error) { + throw new Error(`Web identity token file could not be read: ${error.message}`); + } + } return assumeFunction(assumeRoleRequest) From 03684c20713891e6435d10ad84063f44b1861c49 Mon Sep 17 00:00:00 2001 From: Mike Nesta Date: Mon, 2 Aug 2021 09:46:31 -0400 Subject: [PATCH 8/8] undo re-ordering of lines --- index.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.js b/index.js index 5f60e1267..5b6262efa 100644 --- a/index.js +++ b/index.js @@ -61,6 +61,12 @@ async function assumeRole(params) { const roleSessionTags = roleSkipSessionTagging ? undefined : tagArray; + if(roleSessionTags == undefined){ + core.debug("Role session tagging has been skipped.") + } else { + core.debug(roleSessionTags.length + " role session tags are being used.") + } + const assumeRoleRequest = { RoleArn: roleArn, RoleSessionName: roleSessionName, 
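Review bot: `delete assumeRoleRequest.Tags` strips one parameter AssumeRoleWithWebIdentity does not accept, but `ExternalId`, assigned to the same request object just above this hunk when `role-external-id` is set, is still sent; that API takes no ExternalId either, so the two inputs together are expected to be rejected by the SDK's parameter validation. Either add `delete assumeRoleRequest.ExternalId;` next to the Tags deletion, or (clearer) build the web-identity request from scratch with only RoleArn, RoleSessionName, DurationSeconds and WebIdentityToken. The enclosing assumeRole body starts and ends outside the hunk.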
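Review bot: With the read now wrapped in try/catch, the `fs.existsSync` pre-check a few lines above is redundant — a missing file surfaces from `readFile` as an ENOENT error and lands in this same catch — and it is a check-then-use race; dropping the pre-check and letting the read report the failure is simpler. The catch also rethrows with only `error.message`, discarding the original error and its `code`; keep the original attached (as `cause` where the runtime supports it) or include `error.code` in the text, e.g. `throw new Error(\`Web identity token file could not be read (${error.code}): ${error.message}\`);`. The `assumeFunction = sts.assumeRoleWithWebIdentity.bind(sts)` assignment cannot throw and does not need to sit inside the try. The enclosing assumeRole body starts and ends outside the hunk.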
@@ -68,12 +74,6 @@ async function assumeRole(params) { Tags: roleSessionTags }; - if(roleSessionTags == undefined){ - core.debug("Role session tagging has been skipped.") - } else { - core.debug(roleSessionTags.length + " role session tags are being used.") - } - if (roleExternalId) { assumeRoleRequest.ExternalId = roleExternalId; }