GitHub Action

Authenticate to Alibaba Cloud

v1.3.0 Latest version

Authenticate to Alibaba Cloud with GitHub Actions OIDC tokens

Installation

Copy and paste the following snippet into your .yml file.

- name: Authenticate to Alibaba Cloud
  uses: mozillazg/alibabacloud-oidc-auth@v1.3.0

Learn more about this action in mozillazg/alibabacloud-oidc-auth

alibabacloud-oidc-auth

GitHub Action for authenticating to Alibaba Cloud with GitHub Actions OIDC tokens.

jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          export-environment-variables: 'true'
      - run: |
          aliyun sts GetCallerIdentity

Or

jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          set-outputs: 'true'
      - run: |
          ossutil64 --access-key-id ${{ steps.get-credentials.outputs.access-key-id }} \
            --access-key-secret ${{ steps.get-credentials.outputs.access-key-secret }} \
            --sts-token ${{ steps.get-credentials.outputs.security-token }} --mode StsToken \
            --endpoint oss-ap-southeast-1.aliyuncs.com \
            stat oss://test-bucket

Inputs

  • role-arn-to-assume: (Required) The ARN of the RAM role to assume.

  • oidc-provider-arn: (Required) The ARN of the OIDC identity provider (IdP) registered in RAM.

  • export-environment-variables: (Optional) Export common environment variables, including:

    • ALIBABA_CLOUD_ACCESS_KEY_ID
    • ALICLOUD_ACCESS_KEY
    • ALIBABACLOUD_ACCESS_KEY_ID
    • ALICLOUD_ACCESS_KEY_ID
    • ALIBABA_CLOUD_ACCESS_KEY_SECRET
    • ALICLOUD_SECRET_KEY
    • ALIBABACLOUD_ACCESS_KEY_SECRET
    • ALICLOUD_ACCESS_KEY_SECRET
    • ALIBABA_CLOUD_SECURITY_TOKEN
    • ALICLOUD_ACCESS_KEY_STS_TOKEN
    • ALIBABACLOUD_SECURITY_TOKEN
    • ALICLOUD_SECURITY_TOKEN

    The default value is: false

  • set-outputs: (Optional) Set the action outputs listed below. The default value is: false

  • audience: (Optional) The audience (aud) parameter in GitHub's generated OIDC token. The default value is: actions.github.com

  • role-duration-seconds: (Optional) The validity period of the STS token, in seconds. The default value is: 3600

  • role-session-name: (Optional) The custom name of the role session. The default value is: github-actions-<orgName>-<repoName>

  • region: (Optional) The region ID of the STS endpoint. The default value is: ap-southeast-1

Outputs

Only available when set-outputs is true.

  • access-key-id: (Optional) The Alibaba Cloud Access Key ID.
  • access-key-secret: (Optional) The Alibaba Cloud Access Key Secret.
  • security-token: (Optional) The Alibaba Cloud STS Token.

Configure Alibaba Cloud

  1. Configure an OIDC IdP for the auth method:
    • IdP URL: https://token.actions.githubusercontent.com
    • Client ID: actions.github.com
  2. Configure a RAM role for an OIDC IdP to assume:
    • oidc:aud: actions.github.com
    • oidc:sub: match on GitHub subject claims.
      • match branch: repo:<orgName/repoName>:ref:refs/heads/<branchName>
      • match tag: repo:<orgName/repoName>:ref:refs/tags/<tagName>
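As an added illustration (not code from the action or its README), the following Python models how a RAM trust policy of the kind step 2 describes is evaluated against the decoded claims of a GitHub OIDC token, so you can see which subjects the oidc:aud and oidc:sub conditions admit and which they reject. The policy document, the example-org/example-repo subject patterns, the placeholder principal ARN and the extra oidc:iss condition are assumptions; the code only models condition matching and does not verify the token signature, which STS performs before any of this applies.

```python
import re
from typing import Any

# Constructed RAM trust policy (not from the page); the principal ARN is a placeholder.
# Condition keys oidc:aud/oidc:sub are from the README; oidc:iss is an assumed extra check.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Federated": ["acs:ram::<account-id>:oidc-provider/<provider-name>"]},
        "Condition": {
            "StringEquals": {
                "oidc:iss": "https://token.actions.githubusercontent.com",
                "oidc:aud": "actions.github.com",
            },
            "StringLike": {
                "oidc:sub": [
                    "repo:example-org/example-repo:ref:refs/heads/main",  # main branch only
                    "repo:example-org/example-repo:ref:refs/tags/v*",     # release tags
                ],
            },
        },
    }],
}

def _condition_holds(operator: str, expected: Any, actual: Any) -> bool:
    """Evaluate one string condition; '*' is the only wildcard in StringLike."""
    if actual is None:  # a missing claim never satisfies a condition
        return False
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":
        return any(re.fullmatch(re.escape(v).replace(r"\*", ".*"), actual) for v in values)
    raise ValueError(f"unsupported condition operator {operator}")

def token_may_assume(claims: dict[str, Any], policy: dict[str, Any] = TRUST_POLICY) -> bool:
    """True if signature-verified claims satisfy every condition of an Allow sts:AssumeRole statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if all(
            _condition_holds(op, expected, claims.get(key.split(":", 1)[1]))  # oidc:sub -> sub
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        ):
            return True
    return False
```

A token minted for another repository, or for a feature branch of the same repository, carries the right audience but a different subject and is therefore refused, which is why constraining oidc:sub matters as much as oidc:aud.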