aws-actions · clareliguori · Jan 22, 2020 · Jan 7, 2020 · Jan 7, 2020 · Jan 7, 2020
diff --git a/index.js b/index.js
@@ -1,5 +1,51 @@
 const core = require('@actions/core');
 const aws = require('aws-sdk');
+const assert = require('assert');
+
+// The max time that a GitHub action is allowed to run is 6 hours.
+// That seems like a reasonable default to use if no role duration is defined.
+const MAX_ACTION_RUNTIME = 6 * 3600;
+
+async function assumeRole(params) {
+  // Assume a role to get short-lived credentials using longer-lived credentials.
+  const isDefined = i => !!i;
+
+  const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params;
+  assert(
+      [roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined),
+      "Missing required input."
+  );
+
+  const {GITHUB_REPOSITORY, GITHUB_WORKFLOW, GITHUB_ACTION, GITHUB_ACTOR, GITHUB_REF, GITHUB_SHA} = process.env;
+  assert(
+      [GITHUB_REPOSITORY, GITHUB_WORKFLOW, GITHUB_ACTION, GITHUB_ACTOR, GITHUB_REF, GITHUB_SHA].every(isDefined),
+      'Missing required environment value. Are you running in GitHub Actions?'
+  );
+
+  const sts = new aws.STS({accessKeyId, secretAccessKey, sessionToken, region});
+  return sts.assumeRole({
+    RoleArn: roleToAssume,
+    RoleSessionName: 'GitHubActions',
+    DurationSeconds: roleDurationSeconds,
+    Tags: [
+      {Key: 'GitHub', Value: 'Actions'},
+      {Key: 'Repository', Value: GITHUB_REPOSITORY},
+      {Key: 'Workflow', Value: GITHUB_WORKFLOW},
+      {Key: 'Action', Value: GITHUB_ACTION},
+      {Key: 'Actor', Value: GITHUB_ACTOR},
+      {Key: 'Branch', Value: GITHUB_REF},
+      {Key: 'Commit', Value: GITHUB_SHA},
+    ]
+  })
+  .promise()
+  .then(function (data) {
+    return {
+      accessKeyId: data.Credentials.AccessKeyId,
+      secretAccessKey: data.Credentials.SecretAccessKey,
+      sessionToken: data.Credentials.SessionToken,
+    };
+  });
+}
 
 async function run() {
   try {
@@ -9,6 +55,15 @@ async function run() {
     const region = core.getInput('aws-region', { required: true });
     const sessionToken = core.getInput('aws-session-token', { required: false });
     const maskAccountId = core.getInput('mask-aws-account-id', { required: false });
+    const roleToAssume = core.getInput('role-to-assume', {required: false});
+    const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME;
+
+    // Get role credentials if configured to do so
+    if (roleToAssume) {
+      const {accessKeyId, secretAccessKey, sessionToken} = await assumeRole(
+          {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
+      );
+    }
 
     // Configure the AWS CLI and AWS SDKs using environment variables