fix: mask both source and role credentials (#40)

Author: mergify[bot]

index.js

@@ -16,17 +16,15 @@ async function assumeRole(params) {
   const isDefined = i => !!i;
 
   const {
+    sourceAccountId,
     roleToAssume,
     roleExternalId,
     roleDurationSeconds,
     roleSessionName,
-    accessKeyId,
-    secretAccessKey,
-    sessionToken,
     region,
   } = params;
   assert(
-      [roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined),
+      [sourceAccountId, roleToAssume, roleDurationSeconds, roleSessionName, region].every(isDefined),
       "Missing required input when assuming a Role."
   );
 
@@ -36,18 +34,12 @@ async function assumeRole(params) {
       'Missing required environment value. Are you running in GitHub Actions?'
   );
 
-  const endpoint = util.format('https://sts.%s.amazonaws.com', region);
-
-  const sts = new aws.STS({
-    accessKeyId, secretAccessKey, sessionToken, region, endpoint, customUserAgent: USER_AGENT
-  });
+  const sts = getStsClient(region);
 
   let roleArn = roleToAssume;
   if (!roleArn.startsWith('arn:aws')) {
-    const identity = await sts.getCallerIdentity().promise();
-    const accountId = identity.Account;
     // Supports only 'aws' partition. Customers in other partitions ('aws-cn') will need to provide full ARN
-    roleArn = `arn:aws:iam::${accountId}:role/${roleArn}`;
+    roleArn = `arn:aws:iam::${sourceAccountId}:role/${roleArn}`;
   }
 
   const assumeRoleRequest = {
@@ -125,15 +117,25 @@ function exportRegion(region) {
   core.exportVariable('AWS_REGION', region);
 }
 
-async function exportAccountId(maskAccountId) {
+async function exportAccountId(maskAccountId, region) {
   // Get the AWS account ID
-  const sts = new aws.STS({customUserAgent: USER_AGENT});
+  const sts = getStsClient(region);
   const identity = await sts.getCallerIdentity().promise();
   const accountId = identity.Account;
   core.setOutput('aws-account-id', accountId);
   if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
     core.setSecret(accountId);
   }
+  return accountId;
+}
+
+function getStsClient(region) {
+  const endpoint = util.format('https://sts.%s.amazonaws.com', region);
+  return new aws.STS({
+    region,
+    endpoint,
+    customUserAgent: USER_AGENT
+  });
 }
 
 async function run() {
@@ -149,19 +151,28 @@ async function run() {
     const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
     const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME;
 
+    // Always export the source credentials and account ID.
+    // The STS client for calling AssumeRole pulls creds from the environment.
+    // Plus, in the assume role case, if the AssumeRole call fails, we want
+    // the source credentials and accound ID to already be masked as secrets
+    // in any error messages.
+    exportRegion(region);
+    exportCredentials({accessKeyId, secretAccessKey, sessionToken});
+    const sourceAccountId = await exportAccountId(maskAccountId, region);
+
     // Get role credentials if configured to do so
     if (roleToAssume) {
-      const roleCredentials = await assumeRole(
-          {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleExternalId, roleDurationSeconds, roleSessionName}
-      );
+      const roleCredentials = await assumeRole({
+        sourceAccountId,
+        region,
+        roleToAssume,
+        roleExternalId,
+        roleDurationSeconds,
+        roleSessionName
+      });
       exportCredentials(roleCredentials);
-    } else {
-      exportCredentials({accessKeyId, secretAccessKey, sessionToken});
+      await exportAccountId(maskAccountId, region);
     }
-
-    exportRegion(region);
-
-    await exportAccountId(maskAccountId);
   }
   catch (error) {
     core.setFailed(error.message);

index.test.js

@@ -13,8 +13,9 @@ const FAKE_STS_SECRET_ACCESS_KEY = 'STS-AWS-SECRET-ACCESS-KEY';
 const FAKE_STS_SESSION_TOKEN = 'STS-AWS-SESSION-TOKEN';
 const FAKE_REGION = 'fake-region-1';
 const FAKE_ACCOUNT_ID = '123456789012';
+const FAKE_ROLE_ACCOUNT_ID = '111111111111';
 const ROLE_NAME = 'MY-ROLE';
-const ROLE_ARN = 'arn:aws:iam::123456789012:role/MY-ROLE';
+const ROLE_ARN = 'arn:aws:iam::111111111111:role/MY-ROLE';
 const ENVIRONMENT_VARIABLE_OVERRIDES = {
     SHOW_STACK_TRACE: 'true',
     GITHUB_REPOSITORY: 'MY-REPOSITORY-NAME',
@@ -68,13 +69,18 @@ describe('Configure AWS Credentials', () => {
             .fn()
             .mockImplementation(mockGetInput(DEFAULT_INPUTS));
 
-        mockStsCallerIdentity.mockImplementation(() => {
-            return {
+        mockStsCallerIdentity.mockReset();
+        mockStsCallerIdentity
+            .mockReturnValueOnce({
                 promise() {
                    return Promise.resolve({ Account: FAKE_ACCOUNT_ID });
                 }
-            };
-        });
+            })
+            .mockReturnValueOnce({
+                promise() {
+                   return Promise.resolve({ Account: FAKE_ROLE_ACCOUNT_ID });
+                }
+            });
 
         mockStsAssumeRole.mockImplementation(() => {
             return {
@@ -154,6 +160,7 @@ describe('Configure AWS Credentials', () => {
     test('error is caught by core.setFailed and caught', async () => {
         process.env.SHOW_STACK_TRACE = 'false';
 
+        mockStsCallerIdentity.mockReset();
         mockStsCallerIdentity.mockImplementation(() => {
             throw new Error();
         });
@@ -165,6 +172,7 @@ describe('Configure AWS Credentials', () => {
 
     test('error is caught by core.setFailed and passed', async () => {
 
+        mockStsCallerIdentity.mockReset();
         mockStsCallerIdentity.mockImplementation(() => {
             throw new Error();
         });
@@ -181,18 +189,33 @@ describe('Configure AWS Credentials', () => {
 
         await run();
         expect(mockStsAssumeRole).toHaveBeenCalledTimes(1);
-        expect(core.exportVariable).toHaveBeenCalledTimes(5);
-        expect(core.setSecret).toHaveBeenCalledTimes(4);
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID);
-        expect(core.setSecret).toHaveBeenCalledWith(FAKE_STS_ACCESS_KEY_ID);
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY);
-        expect(core.setSecret).toHaveBeenCalledWith(FAKE_STS_SECRET_ACCESS_KEY);
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN);
-        expect(core.setSecret).toHaveBeenCalledWith(FAKE_STS_SESSION_TOKEN);
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', FAKE_REGION);
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', FAKE_REGION);
-        expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID);
-        expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCOUNT_ID);
+        expect(core.exportVariable).toHaveBeenCalledTimes(7);
+        expect(core.setSecret).toHaveBeenCalledTimes(7);
+        expect(core.setOutput).toHaveBeenCalledTimes(2);
+
+        // first the source credentials are exported and masked
+        expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_ACCESS_KEY_ID);
+        expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_SECRET_ACCESS_KEY);
+        expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_ACCOUNT_ID);
+
+        expect(core.exportVariable).toHaveBeenNthCalledWith(1, 'AWS_DEFAULT_REGION', FAKE_REGION);
+        expect(core.exportVariable).toHaveBeenNthCalledWith(2, 'AWS_REGION', FAKE_REGION);
+        expect(core.exportVariable).toHaveBeenNthCalledWith(3, 'AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
+        expect(core.exportVariable).toHaveBeenNthCalledWith(4, 'AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
+
+        expect(core.setOutput).toHaveBeenNthCalledWith(1, 'aws-account-id', FAKE_ACCOUNT_ID);
+
+        // then the role credentials are exported and masked
+        expect(core.setSecret).toHaveBeenNthCalledWith(4, FAKE_STS_ACCESS_KEY_ID);
+        expect(core.setSecret).toHaveBeenNthCalledWith(5, FAKE_STS_SECRET_ACCESS_KEY);
+        expect(core.setSecret).toHaveBeenNthCalledWith(6, FAKE_STS_SESSION_TOKEN);
+        expect(core.setSecret).toHaveBeenNthCalledWith(7, FAKE_ROLE_ACCOUNT_ID);
+
+        expect(core.exportVariable).toHaveBeenNthCalledWith(5, 'AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID);
+        expect(core.exportVariable).toHaveBeenNthCalledWith(6, 'AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY);
+        expect(core.exportVariable).toHaveBeenNthCalledWith(7, 'AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN);
+
+        expect(core.setOutput).toHaveBeenNthCalledWith(2, 'aws-account-id', FAKE_ROLE_ACCOUNT_ID);
     });
 
     test('role assumption tags', async () => {
@@ -268,7 +291,7 @@ describe('Configure AWS Credentials', () => {
 
         await run();
         expect(mockStsAssumeRole).toHaveBeenCalledWith({
-            RoleArn: ROLE_ARN,
+            RoleArn: 'arn:aws:iam::123456789012:role/MY-ROLE',
             RoleSessionName: 'GitHubActions',
             DurationSeconds: 6 * 3600,
             Tags: [