Ability to log out? #57

Closed
ofx-cezar-gradinariu opened this issue Apr 24, 2020 · 5 comments · Fixed by #71
Labels
feature-request A feature should be added or improved.

Comments

@ofx-cezar-gradinariu

I have a scenario where I would like to have the capability to re-run the "configure-aws-credentials" action again using the same account but different roles inside the same job.

Is there a way to log out/reset/forget the credentials of the first run? My current option is to revert to bash and that is pretty verbose.

Thank you

@allisaurus added the feature-request label May 21, 2020
@clareliguori
Member

Hi @ofx-cezar-gradinariu, you can re-run the action multiple times in your workflow file, and the action will overwrite the previous credentials each time.

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Configure AWS credentials from Test account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Copy files to the test website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-test-website-bucket

    - name: Configure AWS credentials from Production account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2

    - name: Copy files to the production website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-prod-website-bucket

@ofx-cezar-gradinariu
Author

Thank you @clareliguori. If you have them auth in different regions it probably works. But in my case, the region is the same.

@clareliguori
Member

@ofx-cezar-gradinariu that's fine, it's the same idea that you run the action again with different credential secrets (TEST vs PROD in the example). Are you seeing that re-running the action with different credentials does not work?

    - name: Configure AWS credentials from Test account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Copy files to the test website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-test-website-bucket

    - name: Configure AWS credentials from Production account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Copy files to the production website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-prod-website-bucket

@pioneer2k

Hi @clareliguori,
like @ofx-cezar-gradinariu, we are also assuming roles in different accounts in the same region. If we log in again with the same user, but to a different role in a different account, we get an error message like this:

##[error]User: arn:aws:sts::***:assumed-role/TerraformInfrastructureRole/InfrastructureSession is not authorized to perform: sts:TagSession on resource: ***

The role mentioned here is the role from our first login. So it seems that the second login is using some information from the first login.

This is our example:

- name: Configure AWS credentials for AWS infrastructure account
  id: awscredentialsinfra
  uses: aws-actions/[email protected]
  with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      aws-session-token: ''
      aws-region: eu-central-1
      role-to-assume: ${{ secrets.INFRASTRUCTURE_ROLE }}
      role-duration-seconds: 3600
      role-session-name: InfrastructureSession

- name: Configure AWS credentials for AWS DEV and QA account
  uses: aws-actions/[email protected]
  with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      aws-session-token: ''
      aws-region: eu-central-1
      role-to-assume: ${{ secrets.DEV_AND_TEST_ROLE }}
      role-duration-seconds: 3600
      role-session-name: DEVAndQASession

@clareliguori
Member

Ah, thank you for the example @pioneer2k! I'll work on repro'ing this.
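
The symptom @pioneer2k reports (a later step acting as the role from the first login) can be caught with an identity check between steps. The following is an added example, not part of the original thread or the action's code; the function names, the role name `DevAndTestRole` and the account ID in the sample ARN are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify the active AWS identity before a step relies on it.
# The sample ARN below is constructed (account ID 123456789012 is a placeholder).
SAMPLE_ARN='arn:aws:sts::123456789012:assumed-role/TerraformInfrastructureRole/InfrastructureSession'

# parse_assumed_role ARN
# Prints "<role-name> <session-name>" for an STS assumed-role ARN.
# Returns 1 for anything else (IAM user, root, malformed input).
parse_assumed_role() {
  local arn="$1" resource
  case "$arn" in
    arn:aws*:sts::*:assumed-role/*/*) ;;
    *) return 1 ;;
  esac
  resource="${arn#*:assumed-role/}"          # "<role-name>/<session-name>"
  printf '%s %s\n' "${resource%/*}" "${resource##*/}"
}

# expect_identity ROLE SESSION [ARN]
# Succeeds only when the identity is the expected role and session.
# Without an ARN argument, asks the AWS CLI who the current caller is.
expect_identity() {
  local want_role="$1" want_session="$2" arn="${3:-}" got
  if [ -z "$arn" ]; then
    arn="$(aws sts get-caller-identity --query Arn --output text)" || return 2
  fi
  if ! got="$(parse_assumed_role "$arn")"; then
    echo "not an assumed-role identity: $arn" >&2
    return 1
  fi
  if [ "$got" != "$want_role $want_session" ]; then
    echo "unexpected identity: got '$got', want '$want_role $want_session'" >&2
    return 1
  fi
}
```

Called as `expect_identity DevAndTestRole DEVAndQASession` in a `run:` step right after the second configure step, a non-zero exit fails the job before anything is deployed with leftover credentials.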
