feat(actions): Create aws-auth composite action (#67)
* create action to authenticate to aws

* make adjustments to inputs

* add readme

* drop references to "chain" in inputs

* refactor input descriptions

* let users input `aws-region`

* update example to include aws region as an input

* fix persistence of aws region env vars
nafisat2 authored Mar 22, 2024
1 parent b51270c commit 49b9885
Showing 2 changed files with 126 additions and 0 deletions.
41 changes: 41 additions & 0 deletions actions/aws-auth/README.md
@@ -0,0 +1,41 @@
# aws-auth

This is a composite GitHub Action used to authenticate and access resources in AWS.

Example usage in a repository:

```yaml
name: Authenticate to AWS
on:
pull_request:

permissions:
id_token: write

jobs:
build:
runs-on: ubuntu-latest

steps:
- id: aws-auth
uses: grafana/shared-workflows/actions/aws-auth@main
with:
aws-region: "us-west-1"
role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/github-actions/<WORKLOAD_ROLE>"
pass-claims: "repository_owner, repository_name, job_workflow_ref"
set-creds-in-environment: true
```
## Inputs
| Name | Type | Description |
|----------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `aws-region` | String | Specify AWS region to use that contain your resources (default: `us-east-2`) |
| `role-arn` | String | Specify custom workload role. Role ARN must be prefixed with `github-actions` e.g. `arn:aws:iam::366620023056:role/github-actions/s3-test-access` |
| `pass-claims` | String | `, `-separated list of [GitHub Actions claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) (session tags) to make available to `role-arn`. Currently supported claims (default): `"repository_owner, repository_name, job_workflow_ref"` [^1] |
| `set-creds-in-environment` | Bool | Set environment variables for AWS CLI and SDKs (default: `true`) |
| `role-duration-seconds` | String | Role duration in seconds (default: `"3600"`) |

[^1]: GitHub OIDC token claims must be mapped to the Cognito identity pool before they can be used. If you would like to use a claim that is not listed, file an issue in this repo or reach out to `@platform-productivity` in `#platform`.

This uses the [`cognito-idpool-auth`](https://github.com/catnekaise/cognito-idpool-auth) action to perform authentication with an Amazon Cognito Identity Pool using the GitHub Actions OIDC access token.
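Review bot: The README documents inputs only; the action.yaml added in this same commit exposes five outputs (`aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `aws_region`, `cognito_identity_oidc_access_token`), and a consumer reading only this file would not know they exist or that the first three are short-lived credentials that should not be echoed or handed to untrusted steps. Add an Outputs section in the same table format. Smaller points in the Inputs table: the `aws-region` row reads "Specify AWS region to use that contain your resources" and should be "that contains"; `role-arn` is `required: true` in the action but the table does not mark it as required; and the sentence "Role ARN must be prefixed with `github-actions`" describes a convention that nothing in the action validates, so either say it is a convention or add a check in the action. The example pins `uses: grafana/shared-workflows/actions/aws-auth@main`; for an action that issues AWS credentials, referencing a release tag or commit SHA (as the action itself does for `catnekaise/cognito-idpool-auth`) is the safer pattern to show.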
85 changes: 85 additions & 0 deletions actions/aws-auth/action.yaml
@@ -0,0 +1,85 @@
name: Authenticate to AWS
description: Authenticate to AWS from GitHub Actions via OpenID Connect

inputs:
aws-region:
default: "us-east-2"
required: true
description: "AWS region"
role-arn:
default: ""
required: true
description: "ARN of workload role"
pass-claims:
default: "repository_owner, repository_name, job_workflow_ref"
required: true
description: "`, `-separated claims from GitHub ID token to make available to `role-arn`"
set-creds-in-environment:
default: true
required: false
description: "Set environment variables for AWS CLI and SDKs"
role-duration-seconds:
default: "3600"
required: false
description: "Role duration in seconds"

outputs:
aws_access_key_id:
description: "AWS Access Key Id"
value: ${{ steps.auth.outputs.aws_access_key_id }}
aws_secret_access_key:
description: "AWS Secret Access Key"
value: ${{ steps.auth.outputs.aws_secret_access_key }}
aws_session_token:
description: "AWS Session Name"
value: ${{ steps.auth.outputs.aws_session_token }}
aws_region:
description: "AWS Region"
value: ${{ steps.aws_region.outputs.value }}
cognito_identity_oidc_access_token:
description: "Cognito Identity OIDC Access Token"
value: ${{ steps.auth.outputs.cognito_identity_oidc_access_token }}

runs:
using: composite
steps:
- id: auth
uses: catnekaise/cognito-idpool-auth@83ae9e159de469b3acd87ecb361d6b5957ee35ae # v1.0.1
with:
cognito-identity-pool-id: "us-east-2:3a4bca79-07af-4921-a9fb-e21475708406"
auth-flow: "enhanced"
aws-region: "us-east-2"
audience: "github-actions-cognito-identity-pool"
aws-account-id: "590183704419"
chain-role-session-name: "GitHubActions"
chain-role-arn: "${{ inputs.role-arn }}"
chain-role-duration-seconds: "${{ inputs.role-duration-seconds }}"
chain-pass-claims: "${{ inputs.pass-claims }}"
chain-set-in-environment: "${{ inputs.set-creds-in-environment }}"

- id: aws_region # Pulled from catnekaise/cognito-idpool-auth/action.yml
shell: bash
env:
AWS_REGION: "${{ inputs.aws-region }}"
AWS_DEFAULT_REGION: "${{ inputs.aws-region }}"
run: |
value=""
if [ ! -z "${AWS_REGION}" ] && [ ! -z "${AWS_DEFAULT_REGION}" ]; then
value="$AWS_REGION"
fi
if [ -z "$value" ]; then
echo "Unable to resolve what AWS Region to use"
exit 1
fi
# Some-effort validation of aws region
if echo "$value" | grep -Eqv "^[a-z]{2}-[a-z]{4,9}-[0-9]$"; then
echo "Resolved value for AWS Region is invalid"
exit 1
fi
echo "value=$value" >> "$GITHUB_OUTPUT"
echo "AWS_REGION=${AWS_REGION}" >> "$GITHUB_ENV"
echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}" >> "$GITHUB_ENV"
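Review bot: The region check in the `aws_region` step, `grep -Eqv "^[a-z]{2}-[a-z]{4,9}-[0-9]$"`, rejects well-formed region names with a second hyphen such as `us-gov-west-1`; either widen the pattern (for example `^[a-z]{2}(-[a-z]+)+-[0-9]+$`) or state in the input description that only commercial-partition regions are accepted. In the same step, `AWS_REGION` and `AWS_DEFAULT_REGION` are both populated from `inputs.aws-region`, so the two-variable `[ ! -z "${AWS_REGION}" ] && [ ! -z "${AWS_DEFAULT_REGION}" ]` test is redundant and can be a single emptiness check on the input. Under `inputs`, `role-arn` has `required: true` together with `default: ""`, which means the input is never actually absent: an omitted `role-arn` reaches `chain-role-arn` as an empty string instead of failing early. Add a step that exits non-zero when `inputs.role-arn` is empty, and, if the `github-actions/` path prefix described in the README is a policy, enforce it there as well. Finally, the `aws_session_token` output is described as "AWS Session Name"; it should read "AWS Session Token".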
