From c7d4ab2a631bd8dfd81bd0f98e4dc12ce24f1683 Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Fri, 28 Feb 2020 21:11:47 +0100 Subject: [PATCH 1/6] 1. Add 'role-session-name' variable to action.yml 2. Configure roleSessionName with role-session-name from action or default value (GitHubActions) --- action.yml | 3 +++ index.js | 12 +++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index a3bf25ba3..53c136a38 100644 --- a/action.yml +++ b/action.yml @@ -25,6 +25,9 @@ inputs: role-duration-seconds: description: "Role duration in seconds (default: 6 hours)" required: false + role-session-name: + description: 'Role Session Name (default: GitHubActions)' + required: false outputs: aws-account-id: description: 'The AWS account ID for the provided credentials' diff --git a/index.js b/index.js index a6dd5e23a..d525bced7 100644 --- a/index.js +++ b/index.js @@ -8,15 +8,16 @@ const util = require('util'); const MAX_ACTION_RUNTIME = 6 * 3600; const USER_AGENT = 'configure-aws-credentials-for-github-actions'; const MAX_TAG_VALUE_LENGTH = 256; -const SANITIZATION_CHARACTER = '_' +const SANITIZATION_CHARACTER = '_'; +const ROLE_SESSION_NAME = 'GitHubActions'; async function assumeRole(params) { // Assume a role to get short-lived credentials using longer-lived credentials. const isDefined = i => !!i; - const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params; + const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params; assert( - [roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined), + [roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined), "Missing required input when assuming a Role." ); 
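Review bot: The widened `assert` in `assumeRole` only checks that `roleSessionName` is truthy, so a workflow-supplied value that STS will not accept is caught only when the `sts.assumeRole` call itself fails. STS limits RoleSessionName to 2–64 characters from `[\w+=,.@-]`, and checking that up front gives an error that names the input, e.g. `assert(/^[\w+=,.@-]{2,64}$/.test(roleSessionName), "role-session-name must be 2-64 characters of [\\w+=,.@-]");`. The same applies to the identical hunk in `dist/index.js`. Separately, `ROLE_SESSION_NAME` would read more clearly as `DEFAULT_ROLE_SESSION_NAME`, since it is only the fallback. The body of `assumeRole` continues outside this hunk.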
@@ -33,7 +34,7 @@ async function assumeRole(params) { }); return sts.assumeRole({ RoleArn: roleToAssume, - RoleSessionName: 'GitHubActions', + RoleSessionName: roleSessionName, DurationSeconds: roleDurationSeconds, Tags: [ {Key: 'GitHub', Value: 'Actions'}, @@ -121,11 +122,12 @@ async function run() { const maskAccountId = core.getInput('mask-aws-account-id', { required: false }); const roleToAssume = core.getInput('role-to-assume', {required: false}); const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME; + const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME; // Get role credentials if configured to do so if (roleToAssume) { const roleCredentials = await assumeRole( - {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds} + {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName} ); exportCredentials(roleCredentials); } else { From 95f0f39fa31f05bb512862300f386c23976b834a Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Fri, 28 Feb 2020 21:31:30 +0100 Subject: [PATCH 2/6] Add description on README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index de70f3f54..196f2aedb 100644 --- a/README.md +++ b/README.md 
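Review bot: With `RoleSessionName: roleSessionName`, the session name recorded in CloudTrail and embedded in the assumed-role ARN is now chosen by whoever edits the workflow file, and the new line does not say so. Accounts that key attribution or alerting on the previously fixed `GitHubActions` value would stop matching once a workflow sets this input. A comment above the line would make that explicit, e.g. `// Caller-chosen via role-session-name; constrain it with an sts:RoleSessionName condition in the role trust policy if the name must be trusted.` The `sts.assumeRole` call and the body of `assumeRole` extend beyond this hunk.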
@@ -53,7 +53,8 @@ We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/I ## Assuming a role If you would like to use the credentials you provide to this action to assume a role, you can do so by specifying the role ARN in `role-to-assume`. The role credentials will then be output instead of the ones you have provided. -The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`. +The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`. +The default session name is **GitHubActions**, and you can modify it by specifying the desired name in `role-session-name`. Example: ```yaml @@ -65,6 +66,7 @@ Example: aws-region: us-east-2 role-to-assume: arn:aws:iam::123456789100:role/role-to-assume role-duration-seconds: 1200 + role-session-name: MySessionName ``` ### Session tagging From 4df40c45e4623d757be8bd18eb1dab00be212e5e Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Fri, 28 Feb 2020 21:32:28 +0100 Subject: [PATCH 3/6] update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 196f2aedb..7b0361a1d 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/I If you would like to use the credentials you provide to this action to assume a role, you can do so by specifying the role ARN in `role-to-assume`. The role credentials will then be output instead of the ones you have provided. The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to `role-duration-seconds`. -The default session name is **GitHubActions**, and you can modify it by specifying the desired name in `role-session-name`. +The default session name is GitHubActions, and you can modify it by specifying the desired name in `role-session-name`. Example: ```yaml From 1fe726ef48879c85f896cd14d9c804741f541ab7 Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Fri, 28 Feb 2020 21:59:24 +0100 Subject: [PATCH 4/6] update dist/index.js --- dist/index.js | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/dist/index.js b/dist/index.js index 61be0ff03..5b3179395 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -135,15 +135,16 @@ const util = __webpack_require__(1669); const MAX_ACTION_RUNTIME = 6 * 3600; const USER_AGENT = 'configure-aws-credentials-for-github-actions'; const MAX_TAG_VALUE_LENGTH = 256; -const SANITIZATION_CHARACTER = '_' +const SANITIZATION_CHARACTER = '_'; +const ROLE_SESSION_NAME = 'GitHubActions'; async function assumeRole(params) { // Assume a role to get short-lived credentials using longer-lived credentials. const isDefined = i => !!i; - const {roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, sessionToken, region} = params; + const {roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, sessionToken, region} = params; assert( - [roleToAssume, roleDurationSeconds, accessKeyId, secretAccessKey, region].every(isDefined), + [roleToAssume, roleDurationSeconds, roleSessionName, accessKeyId, secretAccessKey, region].every(isDefined), "Missing required input when assuming a Role." ); @@ -160,7 +161,7 @@ async function assumeRole(params) { }); return sts.assumeRole({ RoleArn: roleToAssume, - RoleSessionName: 'GitHubActions', + RoleSessionName: roleSessionName, DurationSeconds: roleDurationSeconds, Tags: [ {Key: 'GitHub', Value: 'Actions'}, @@ -248,11 +249,12 @@ async function run() { const maskAccountId = core.getInput('mask-aws-account-id', { required: false }); const roleToAssume = core.getInput('role-to-assume', {required: false}); const roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || MAX_ACTION_RUNTIME; + const roleSessionName = core.getInput('role-session-name', { required: false }) || ROLE_SESSION_NAME; // Get role credentials if configured to do so if (roleToAssume) { const roleCredentials = await assumeRole( - {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds} + {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds, roleSessionName} ); exportCredentials(roleCredentials); } else { 
From d9fcbc740126410d986d5c24c88a01ed72df1d43 Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Sat, 29 Feb 2020 19:10:30 +0100 Subject: [PATCH 5/6] add test code --- index.test.js | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/index.test.js b/index.test.js index 4fd674777..151c179d6 100644 --- a/index.test.js +++ b/index.test.js @@ -238,6 +238,28 @@ describe('Configure AWS Credentials', () => { }) }); + test('role assumption session name provided', async () => { + core.getInput = jest + .fn() + .mockImplementation(mockGetInput({...ASSUME_ROLE_INPUTS, 'role-session-name': 'MySessionName'})); + + await run(); + expect(mockStsAssumeRole).toHaveBeenCalledWith({ + RoleArn: ROLE_NAME, + RoleSessionName: 'MySessionName', + DurationSeconds: 6 * 3600, + Tags: [ + {Key: 'GitHub', Value: 'Actions'}, + {Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY}, + {Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW}, + {Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION}, + {Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED}, + {Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF}, + {Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA}, + ] + }) + }); + test('workflow name sanitized in role assumption tags', async () => { core.getInput = jest .fn() From 893f716cb841aeb2c091d59a8319ae7ad6a01b78 Mon Sep 17 00:00:00 2001 From: Chuan-Yen Chiang Date: Sun, 1 Mar 2020 09:39:47 +0100 Subject: [PATCH 6/6] update context based on comments --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 53c136a38..b3dd47086 100644 --- a/action.yml +++ b/action.yml @@ -26,7 +26,7 @@ inputs: description: "Role duration in seconds (default: 6 hours)" required: false role-session-name: - description: 'Role Session Name (default: GitHubActions)' + description: 'Role session name (default: GitHubActions)' required: false outputs: aws-account-id:
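Review bot: The added test covers only a well-formed `MySessionName`, so the failure path for the new `role-session-name` input is untested. Nothing exercises a value STS would reject, i.e. one shorter than 2 or longer than 64 characters, or containing characters outside `[\w+=,.@-]`. A companion case such as `test('role assumption session name invalid', ...)` that feeds a constructed value like `'my session/name'` and asserts that `core.setFailed` is called would pin that behaviour, assuming `run()` reports errors through `core.setFailed`, which is not visible here. The expected `Tags` array looks copied verbatim from neighbouring tests; a shared constant would keep them in step.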