Hello,

What would be the suggested approach for multi-account deployments?
Let's say I have "stage" and "live" accounts. Should I have one workflow that covers deployment to all environments in stage and live, or should I have separate workflows, one for stage one for live?

Also, in the scenario of workflow-per-account I would have fairly large duplicate yaml codebase, and in the case of one workflow, there is an issue with passing STAGE and LIVE creds.

Please advise. thank you

We have keys , secret access key for iAM user (deployer) in one account, want to assume role in another account (devops).

Got this error

##[error]User: arn:aws:iam:::user/deployer is not authorized to perform: sts:TagSession on resource: arn:aws:iam:::role/devops

We use Github Workflows for several projects. Some of them won't work with the configure-aws-credentials action. The workflow gets triggered and fails during the configure-aws-credentials action with the following error message: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers. It works if I restart the workflow manually.

Most of the Github workflows are triggered due to a Dependabot created PR. What drives me nuts is that it works for some Github Workflows but for other it never works (just by manually rerunning the workflow).

An example workflow looks like this

name: Pull Request

on:
  pull_request:
    branches: 
      - master
    types: [opened, synchronize, reopened]

jobs:        
  build:
    name: My Fancy Build Job

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.MY_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Use Node.js 12
        uses: actions/setup-node@v2
        with:
          node-version: '12'

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

      - name: Cache yarn cache
        uses: actions/cache@v2
        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Install
        run: yarn install --prefer-offline --frozen-lockfile
      
      - name: ESLint
        run: yarn lint

      - name: Test
        run: yarn test

The corresponding dependabot.yml could look like this

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
    ignore:
      - dependency-name: "aws-cdk"
      - dependency-name: "@aws-cdk/*"
    reviewers:
      - "steffen"

If I use this action to assume a role in a given region in a given account, perform some actions, and then try to assume a different role in the same region and the same account, it looks like the action defaults to using the first role to assume the second role.

In this case, I'm trying to use the first role (source role) to copy from a source S3 bucket to a local store, assuming the second role (target role), and using that second role to copy to a target S3 bucket.

My action looks generally like this:

---
name: Deploy

on:
  workflow_dispatch:

env:
  MY_AWS_REGION: us-west-2
  MY_TARGET_S3_BUCKET: foo-target
  MY_AWS_ACCOUNT_ID: ${{ secrets.MY_AWS_ACCOUNT_ID }}
  MY_SRC_S3_BUCKET: foo-src

jobs:
  build_and_deploy:
    runs-on: [self-hosted, linux, small]
    name: Deploy to S3
    timeout-minutes: 10
    steps:
      - name: Get AWS credentials for source S3 bucket 
        id: get-src-creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.MY_AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ env.MY_AWS_ACCOUNT_ID }}:role/foo-src
          role-duration-seconds: 1800

      - name: Copy from source S3 bucket
        id: copy-from-s3
        shell: bash
        run: |
          aws s3 sync --only-show-errors --no-progress --delete  "s3://${MY_SRC_S3_BUCKET}" ${GITHUB_WORKSPACE}

      - name: Get AWS credentials for target S3 bucket
        id: get-target-creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.MY_AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ env.MY_AWS_ACCOUNT_ID }}:role/foo-target
          role-duration-seconds: 1800

      - name: Copy to target S3 bucket
        id: copy-to-s3
        shell: bash
        run: |
          aws s3 sync --only-show-errors --no-progress --delete  ${GITHUB_WORKSPACE} "s3://${MY_TARGET_S3_BUCKET}" 

When running that action, the source role assumption succeeds and I'm able to copy files from the source S3 bucket.

The target role assumption fails with the following error:

Error: User: arn:aws:sts::***:assumed-role/foo-src/GitHubActions is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::***:role/foo-target

That error is true; the source role is not authorized to assume the target role.

My assumption was that the action would use the self-hosted runner's instance profile and associated role to assume the second role (which is how it assumed the first role), rather than using the first role to assume the second role.

Is there a workaround to assume a second role in the same region and account where a first role was assumed? Should I instead be passing some sort of flag to tell the action unset all the environment variables it previously set before it tries to assume a new role?

script tag in lint is not in use.

Hi there, apologise for such a basic issue - been banging my head against the desk for far too long on this 😬

Attempting to get this working with GitHub Actions (GitHub-hosted runner) and I can't seem to get this to work at all:

name: CICD
on:
  - push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-2

Always results in:

> Run aws-actions/configure-aws-credentials@v1
##[error]The security token included in the request is invalid.
(node:2546) UnhandledPromiseRejectionWarning: InvalidClientTokenId: The security token included in the request is invalid.
    at Request.extractError (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:2473:29)
    at Request.callListeners (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:30526:20)
    at Request.emit (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:30498:10)
    at Request.emit (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:8502:14)
    at Request.transition (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:7836:10)
    at AcceptorStateMachine.runTo (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:15674:12)
    at /home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:15686:10
    at Request.<anonymous> (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:7852:9)
    at Request.<anonymous> (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:8504:12)
    at Request.callListeners (/home/runner/work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:30536:18)
(node:2546) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:2546) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

So, for sanity's sake I added this in just before configure-aws-credentials:

steps:
  - run: aws sts get-caller-identity
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: eu-west-2

Which always returns:

> Run aws sts get-caller-identity

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
##[error]Process completed with exit code 255.

I can confirm the credentials work on my Mac - aws sts get-caller-identity returns a JSON block with the UserId, Account & user's Arn. These are user credentials with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:GetCallerIdentity",
            "Resource": "*"
        }
    ]
}

(I also temporarily gave it Administrator permissions yesterday to confirm it wasn't a permissions issue, to no effect)

The secrets are organisation-wide & I am certain are being pulled through - another secret I have is a SLACK_WEBHOOK_URL which is used to report that the builds fail (because of the error mentioned above!).

Is there any additional setup required with GitHub Actions to get this to work out-of-the-box that I'm missing?

Thanks,

context

I noticed that from a previous issue and subsequent pull request that this feature should be supported. I'm using the following yaml but it's not working as expected.

I'm on Amazon Linux 2 self-hosted EC2 instances.

I tried this

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1

which returns Error: Input required and not supplied: aws-region

I tried this

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-2

which returns

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

references

• @jwoltman's issue #33
• @clareliguori 's PR #42

similar issues in other projects

• docker/login-action#64
• aws-actions/amazon-ecr-login#174

Is there any way to use the new workflow input features to request for a 2fa code when getting temporary credentials and put them in during the steps?

I am receiving:

Configure AWS Credentials
Run aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ***
aws-secret-access-key: ***
aws-region: ***

##[error]The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

• The first run with this access-key-id & aws-secret-access-key worked. Every consecutive run is failing.
• This same access-key-id & aws-secret-access-key works consistently in circleci
• Tried with aws-actions/[email protected] and received the same results

Config:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}

Looks like a problem with: AWS Signature Version 4 Key Signing Errors
https://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html

Any suggestions?

Hello!

I can see that other actions in other steps are able to access AWS_* credentials set by aws-actions/configure-aws-credentials@v1:

Is there any flag like persist-credentials: false that i can use to unset those envars at the end of the step (like one in actions/checkout)?

Here is the workflow snips i use in my yaml file:

jobs:
  myjob:
    runs-on: windows-2016
    steps:

      # Do some stuff

      # Setup AWS CLI credentials
    - name: 'Configure AWS creds'
       uses: aws-actions/configure-aws-credentials@v1
       with:
         aws-access-key-id: ${{ secrets.MY_AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.MY_AWS_SECRET_ACCESS_KEY }}
         aws-region: us-east-1

      # Publish to S3 
    - name: 'Copy to S3 bucket'
       run: |
         aws s3 cp ${{ github.workspace }}\foo\  s3://my-s3-bucket/bar/ --recursive --exclude "*" --include "*.baz"
       shell: pwsh

      # Send Slack notification
    - name: 'Slack channel notification'
       uses: 8398a7/action-slack@v3
       env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
       # other slack action config

Thanks in advance!

Certain workflows don't set a GITHUB_REF variable, because the triggering event doesn't have a branch or tag. See GitHub's docs on GITHUB_REF.

However, this action fails with an error when the GITHUB_REF environment variable doesn't exist, with the output ##[error]Missing required environment value. Are you running in GitHub Actions?.

We are using the AWS Deploy CloudFormation Stack Github Action to configure AWS accounts that are created via AWS Organizations.

Of course, we are first using this action for credential configuration and assuming a role. However, this credential action does session tagging which requires the sts:TagSession permission. This need for tagging is of course documented in the readme of this action. However, in our case, the tag is needed in the trust policy of the OrganizationAccountAccessRole in the member account that is created by AWS Organizations.

This results in manual effort/intervention to our automated process. We have to configure the root user for the member account created by AWS Organizations to add the permission to the trust policy.

Would it be possible to make the session tagging optional?

We name our branches with a specific pattern that starts with a # followed by digits and other chars like #2-bit-ref-r.

But when executing the configure-aws-credentials action it fails since the name does not match the required regex pattern.

1 validation error detected: Value 'refs/heads/#2-bit-ref-r' at 'tags.7.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]*

Since for github it's a valid branch name it should also be accepted by this action.

Hello!

It'd be nice to be able to pass custom tags in the session tagging, especially if the values can be GitHub Secrets.
We have some concerns around the power of the user that is required to make changes within our environments using GitHub Actions. Being able to pass custom tags, would enable us to create alarms, or possibly create restrictions based on missing tags in requests. You can't do this currently as all the tags are known and in plain text.

Cheers,

The error message is
Error: EACCES: permission denied, open '/__w/_temp/_runner_file_commands/set_env_ce6e4009-aa1a-48b8-ab8b-8c217be6610f'

It looks like it happens more often than before. Not quite sure what would be the workaround solution for it.

Thanks for making this available!

Following the instructions in the README, I have added this block in my action config

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

And I am getting the error in the title of the issue (see here). Am I missing something?

Thanks again!

Hi, I am trying to assume a role with an instance profile but it keeps saying that the token request is invalid. The instance is a Self-Hosted GitHub Runner that has the ability to assume a role (dev_terraform) within the AWS console but does not have full access to AWS.

Below is the permissions policy for the instance profile to assume the role (dev_terraform):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:GetFederationToken"
            ],
            "Resource": "dev_terraform"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        }
    ]
}

The permissions policy for the role that is being assumed (dev_terraform) has full admin access to the AWS environment. Below is the trust policy for the role that is being assumed (dev_terraform):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "dev_github_runner"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Lastly, here is the github workflow I am trying to run:

name: Deploys CF from GH Runner

on:
  push:
    paths:
    - '.github/workflows/deployAwsCf.yml'

jobs:
  build:
    env:
      NODE_TLS_REJECT_UNAUTHORIZED: 0
      GIT_SSL_NO_VERIFY: true
    runs-on: [aws-ubuntu-runner]
    steps:
    - uses: actions/checkout@v2
    - uses: actions/configure-aws-credentials@v1
      with:
        aws-region: us-east-1
        role-to-assume: dev_terraform
#        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
#        role-duration-seconds: 3600
#        role-session-name: CloudFormationSession

I have tried both this method and the role-to-assume method but neither of them work. I would like to know if I am missing anything else. I have tested the aws cli command on the virtual machine itself and it has worked successfully. Attached is the log file for the GitHub action.

log_553.txt

Is it possible to also setup multiple profiles which can be used?

Hi 👋 I just noticed the deprecation warning for actions/aws/cli ("This actions has been deprecated in favor of https://github.com/aws-actions. This repo has been archived and will be made private on 12/31/2019") and wanted to ask about replacement steps.

Currently I have a workflow defined as:

- name: Upload S3
  uses: actions/aws/cli@master
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  with:
    args: s3 cp ./results/ s3://reports/results/ --recursive

I didn't see any other aws/cli Action within the aws-actions organization. Is there a way to call the s3 CLI from Actions now?

Sorry if I didn't see the proper migration steps and thanks for the Action/project 🙏

I'm using my own self-hosted runner which runs in AWS. The runner instance has IAM Role which takes care of the all the credentials and policies so I don't need to store any AWS credentials outside AWS.

The IAM role allows the runner to do a 'aws sts assume-role' but doesn't need any credentials (uses IAM role).
I would like to use this Github Action to do the assume-role, instead of scripting it myself and set the credential output as environment variable so I can use them in all the following steps, but currently AWS_ACCESS_KEY_ID and AWS_SECRET_ACCES_KEY are required. I would like to them to be optional so it fits the use case when using IAM roles which is a best-practice.

Currently the default for role-duration default is 6 hours:

documented here:

The rationale behind this is described in the code here:

That's a sensible default. I'd like to propose lowering the default to one hour to make the experience nicer for role-chaining. See [the footnote on this page]:

Using the credentials for one role to assume a different role is called role chaining. When you use role chaining, your new credentials are limited to a maximum duration of one hour. When you use roles to grant permissions to applications that run on EC2 instances, those applications are not subject to this limitation.

How does this come up for us? We have an automation that rotates IAM tokens in our GitHub repos. It uses temporary role tokens (with a 12 hour lifetime, rotated every 6 hours). For repos that need multiple roles we generate a "hub role" restricted to assuming that repos different roles (with an explicit deny for everything else). We install tokens for this "hub role" into the repos secrets. The error message that happens is easy to understand:

##[error]The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.

If we could pick a default from the start, I think 1 hour would make a bit more sense, just so that this case was smooth. I think it's not a very niche case but I'm not sure. One hour is still a reasonably long time for a build, and setting role-session-duration to 6 hours explicitly would still work.

If you're uncomfortable lowering the default, I understand. If you want a PR I'd be happy to do that.

At the very least, posting this so it shows up if someone searches for the error.

Hi 👋
I've just been trying to use the new role-assuming feature in master, but I've run into an issues with the session tagging.

I'm getting the following error:

##[error]1 validation error detected: Value 'dependabot-preview[bot]' at 'tags.5.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]*
##[error]Node run failed with exit code 1

My theory is that this is caused by tagging the session with the GITHUB_ACTOR environment variable.
In this line, the session is tagged with GITHUB_ACTOR.

The actor of the run (and so GITHUB_ACTOR) was dependabot-preview[bot].
It seems that [ and ] are not valid characters in AWS session tags, and so this is crashing the program.

Seems like the tag must be removed or the variable sanitised.

I'm wonder if there might be a way to allow access to multiple AWS accounts. I've built an action that packages my code with all of my dependencies and installs the package as a lambda layer. What I'd like to be able to do is have the layer installed in the sandbox account (I'm using Organizations) so that the branch gets installed into their account.

So something like (not exactly sure what the YAML syntax would be):

       - name: Configure AWS credentials                                         
          uses: aws-actions/configure-aws-credentials@v1                          
          with:                                                                   
            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_github.actor}}                                            
            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_github.actor }}           
            aws-region: us-east-2    

and then specify all of the accounts in github secrets with user names appended - for example AWS_ACCESS_KEY_ID_wyllie. The idea would be that a developer would get a new version of the layer to test with their lambda functions whenever they push their code.

I guess a work around would be to have all the layers in one account and have them accessible to the sandbox accounts - I'm not sure if that would be an easy thing to configure though

It would be handy if the action could also have a flag install_cli: true|false, default false in order to install the latest cli on self-hosted runners.
Related #113

Dependabot encountered the following error when parsing your .dependabot/config.yml:

Automerging is not enabled for this account. You can enable it from the [account settings](https://app.dependabot.com/accounts/aws-actions/settings) screen in your Dependabot dashboard.

Please update the config file to conform with Dependabot's specification using our docs and online validator.

Use aws credential like below,

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{secrets.AWS_SESSION_TOKEN}}
        aws-region: cn-northwest-1

Got below error,

Run aws-actions/configure-aws-credentials@v1
##[error]Inaccessible host: `sts.cn-northwest-1.amazonaws.com'. This service may not be available in the `cn-northwest-1' region.

According to the doc of AWS China region, the correct endpoint of STS in China region is sts.cn-northwest-1.amazonaws.com.cn. Of course, cn-northwest-1 will be replaced as cn-north-1 in BJS region.

Hi everyone! Thanks for this amazing GH action. I have been using it almost over the past 2 years and it's being great!

I have a repository that was inactive for almost one year. Last weekend I tried to upgrade some dependencies and after merging to the main branch, I got an error in the deploy step with AWS CDK:

[Error at /MyStack] Need to perform AWS calls for account ***, but no credentials have been configured

Here's my GitHub Action file:

name: Server Deploy on staging

on:
  push:
    branches:
      - main

jobs:
  # DEPLOY SERVER STAGING
  server-deploy-staging:
    name: Deploy Server on Staging
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '14.17'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }}
          aws-region: us-east-1
      - name: Cache yarn.lock
        id: yarn-cache
        uses: actions/cache@master
        with:
          path: |
            node_modules
            */*/node_modules
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Install
        if: steps.yarn-cache.outputs.cache-hit != 'true'
        run: |
          yarn install --frozen-lockfile --production=false --non-interactive
      - name: Deploy Server on Staging
        run: |
          cdk deploy MyStack \
            -c mode=staging \
            -c account='123' \
            --require-approval=never \
            --profile=my-profile

Any thoughts on why am I seeing this error?

The step Configure AWS Credentials is running successfully

Request

It would be great if this action could support session policies (the Policy parameter for AssumeRole operation) for assumed roles.

Problem being solved

Inline policies help IAM users apply permission boundaries to roles being assumed. This may help prevent accidents in a job or otherwise limit the scope in which the assumed role can be used thus improving security posture.

Use cases

Limiting permissions of a role based on action being taken

For example, a role may be specified as an organization secret with access to update many CloudFormation stacks. An inline policy might be used to reduce the permissions to a subset of resources, such as denying access to RDS resources or denying access when tags do not match expected tags for the project.

An example inline policy denying CloudFormation actions to resources with unexpected tags:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Deny",
         "Action":"CloudFormation:*",
         "Resource":"*",
         "Condition": {"StringNotLikeIfExists": {"aws:ResourceTag/CUSTOM_TAG": "my-tag-value"}}
      }
   ]
}

Limiting source IP for assumed role dynamically

One might use a session policy to ensure the temporary credentials generated by this action are limited to the source IP address of the GitHub action runner. Thus, if the temporary credentials are exfiltrated, they won't be (as) useful to an attacker.

For example, an inline policy may be generated dynamically by resolving the public IP of the GitHub runner, only allowing AWS actions to be taken from the current IP address (could be used with haythem/public-ip action)

Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Proposed usage

Usage might look like this:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name Configure Inline Policy
      id: inline-policy
      uses: FICTIONAL_EXAMPLE@example
      with:
        some-param: value
      # outputs JSON policy string as `.policy`


    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
        aws-region: us-east-2
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        assume-role-policy:  ${{ steps.inline-policy.outputs.policy }}

Hi,
aws-actions/configure-aws-credentials@v1 by default generate credentials under default profile.
It would be nice to have a parameter to set AWS_PROFILE environment variable.

Running version 1.5.0 and started seeing this warning:

The `set-env` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

More details:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

For cases where roles can only be assumed on condition an expected external-id is passed in.

https://github.com/aws-actions/configure-aws-credentials/network/alert/package-lock.json/minimist/open

Traced the dependency graph and it appears like jest->@jest/core->jest-config->babel/core->json5 2.1.1 ->minimist ^1.2.0. Since it's a transitive dependency, we can not directly update minimist directly.

Going to create a pull request against json5.

I am using this action to upload to s3, but my AWS_SECRET_ACCESS_KEY will expire after 30mins. I have a case where sometimes my script will take more than 30mins to execute and meanwhile this AWS_SECRET_ACCESS_KEY will expire. How to handle this kind of case?
For example:

steps:
      - uses: actions/checkout@master
      - run: bash script-run-more-time.sh # This might take more than 30mins
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
          aws-region: us-east-2

Github recently released the feature to setup secrets at organization level.
I tried setting up AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY there and tried to use them with the action like:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

But the actions fails:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: us-east-1
  env:
    PATH: /home/runner/.rubies/ruby-2.7.0/bin:/usr/share/rust/.cargo/bin:/home/runner/.config/composer/vendor/bin:/home/runner/.dotnet/tools:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin
##[error]Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

I tried setting the same secrets at repo level and it works.

Hello there,

it would be really nice to set a HTTP or HTTPS proxy server in the step configuration, or to just pass through the already set environmental settings of the runner.

If it is already possible and I just missed it where to set it, let me know.

The readme indicates that web-identity-token-file is present in @v1

You can configure your workflow as follows in order to use this file:

uses: aws-actions/configure-aws-credentials@v1
with:
  aws-region: us-east-2
  role-to-assume: my-github-actions-role
  web-identity-token-file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token

However it appears this functionality was added 4th August and the module has not been released since then. Hence you cannot use this feature as it is documented.

I have worked around this by

uses: aws-actions/configure-aws-credentials@master

But I cannot recommend this to others, as it does not pin the module to a stable (or released) version. However this may be worth either documenting, or removing the documentation until it has been released.

I have a scenario where I would like to have the capability to re-run the "configure-aws-credentials" action again using the same account but different roles inside the same job.

Is there a way to log out/reset/forget the credentials of the first run? My current option is to revert to bash and that is pretty verbose.

Thank you

The Github runner cannot resolve the STS client hostname when the aws-region is passed as an environment variable argument:

I fixed this issue by passing in the argument manually, however 816f5cc introduced a change that broke previously working workflows.

Hi.

I am using aws-actions/configure-aws-credentials@v1 and doing some ECR steps, after which i run a custom action similar to the below code, in which i set some env vars for awscli with different AWS credentials (key_id+secret) than those used with this action.

runs:
  ...
  inputs:
    aws_region:
      required: true
    aws_key:
      required: true
    aws_secret:
      required: true
  env:
    AWS_DEFAULT_REGION: ${{ inputs.aws_region }}
    AWS_ACCESS_KEY_ID: ${{ inputs.aws_key }}
    AWS_SECRET_ACCESS_KEY: ${{ inputs.aws_secret }}
  using: 'docker'
  image: 'docker://example/toolkit:latest'
  args:
    - 'bash'
    - '-c'
    - 'printenv | grep -i aws && aws configure list && aws sts get-caller-identity --output json | jq'

The vars are present both as standalone and those prefixed with INPUT_, but after seeing the output of aws configure list and aws sts get-caller-identity i find out that the credentials are not those i set manually, but those populated by configure-aws-credentials from previous steps.

So my questions are:

• Why do they propagate and take precedence over the ones i set specifically in my custom action?
• How can we reset credentials and vars or do a cleanup after using configure-aws-credentials action?

When the workflow name has a comma, the action fails with this error:

##[error]1 validation error detected: Value 'Build, Test and Deploy API' at 'tags.3.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]*

Hi.

I have a github workflow in which i use 2 sets of credentials coming from secrets. Both are just key, secret and region, no assume roles etc.

I run aws-actions/configure-aws-credentials@v1 with the first set of access_key_id+secret_key, then do a ECR login, docker build and push and then ECR logout all being successful.

After that i run aws-actions/configure-aws-credentials@v1 with the second set of access_key_id+secret_key which runs successfully also and then try to do a sts get-calller-identity or s3 ls but get the same error on both:

An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

So to debug i removed everything except the call with the second set of credentials, and now i get the error on the action level, which used to go through without error when i was doing the ECR stuff first.

Run aws-actions/configure-aws-credentials@v1

##[error]The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

P.S. I tested the second pair of credentials locally on my pc with the same python and awscli versions and i was able to run sts get-calller-identity without any problems.

I have already checked related issues #202 #188 , but in my case I am not using Dependabot.

This is my pipeline.yaml truncated till this action:

name: My Deployment
on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup node
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ap-southeast-1
          role-to-assume:arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
          role-session-name: GitHubActions
      
        ....

This is my trust relationship for that role:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::000000000:oidc-provider/vstoken.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "vstoken.actions.githubusercontent.com:sub": "repo:MatteoGioioso/saml-proxy:*"
        }
      }
    }
  ]
}

This is my OICD provider setup in IAM

And this is the error:

Run aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ap-southeast-1
    role-to-assume: arn:aws:iam::000000000000:role/github-actions-matteogioioso-saml-proxy
    role-session-name: GitHubActions
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

I am not using a self-hosted runner

What am I doing wrong? Maybe the audience?

Thanks

UPDATE:

it seems like this method return false, because you do not validate credentials in the assumeRole method:

    const useGitHubOIDCProvider = () => {
        // The assumption here is that self-hosted runners won't be populating the `ACTIONS_ID_TOKEN_REQUEST_TOKEN`
        // environment variable and they won't be providing a web idenity token file or access key either.
        // V2 of the action might relax this a bit and create an explicit precedence for these so that customers
        // can provide as much info as they want and we will follow the established credential loading precedence.
        return roleToAssume && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && !accessKeyId && !webIdentityTokenFile
    }

honestly I cannot find a way to echo this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN

UPDATE 2:

ok, this variable ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set, I am not sure why is not there and also I cannot find much information about it.

I am willing to submit a PR if needed.

Generally, this action appears to expose the aws cli to subsequent actions, however, on a self-hosted MacOS runner I get the following error:

/Users/runner/actions-runner/_work/_temp/***.sh: line 1: aws: command not found

With config:

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
      
      - name: Upload Artifacts to Primitive S3 Artifacts Manager
        run: |
          aws configure set default.s3.multipart_threshold 300MB

Exact same logic passes on ubuntu-latest github-hosted runner. Looking at documentation, it is suggested that self-hosted runners do not actually require any additional setup, docs only mention the convenience of not passing around secrets. However, this does not actually appear to be the case.

Installing AWS CLI manually on runner had no affect. Installed with sudo, and it worked.

README.md should be updated to reflect this requirement.

ARNs of Users/Roles should be masked in case of a failure e.g. insufficient role assumption privileges

https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html

I have a setup where I need to assume a role using a web identity token, AWS CLI commands below:

aws sts assume-role-with-web-identity \
 --role-arn $AWS_ROLE_ARN \
 --role-session-name mysession \
 --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token \
 --duration-seconds 1000 > /tmp/irp-cred.txt

export AWS_ACCESS_KEY_ID="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.AccessKeyId")"
export AWS_SECRET_ACCESS_KEY="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SecretAccessKey")"
export AWS_SESSION_TOKEN="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SessionToken")"

Expected Action YAML:

    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::xxxxxxxxx:role/role_name_to_assume
          web-identity-token: /var/run/secrets/eks.amazonaws.com/serviceaccount/token

The context to this is I have a pod running on a EKS cluster and EKS IRSA is not an option.

getInput always returns a string, and this action doesn't convert the return value to a boolean. So if you specify role-skip-session-tagging: false, you won't get session tagging.

The obvious workaround is to just remove the role-skip-session-tagging option instead of specifying role-skip-session-tagging: false, but it's definitely confusing that role-skip-session-tagging: false doesn't work as expected.

As of 8/3/2020, we are seeing below error when using

##[error]Missing required environment value. Are you running in GitHub Actions?

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ env.G_AWS_REGION }}
    role-to-assume: arn:aws:iam::${{ env.G_AWS_ACCOUNT_ID }}:${{ env.G_ROLE_ASSUME }}
    role-duration-seconds: 1200

to debug further, when we printed all the env variables ( GITHUB_REPOSITORY, GITHUB_WORKFLOW, GITHUB_ACTION, GITHUB_ACTOR, GITHUB_REF, GITHUB_SHA ) , we noticed GITHUB_ACTION to be empty.

Appreciate any help to get this fixed.

The current version of amazon-ecr-credential-helper, v0.4.0, requires:

    AWS_EC2_METADATA_DISABLED: true
    AWS_SDK_LOAD_CONFIG: true

in order to load the IAM Role for Service Account (IRSA) when run under Kubernetes.

Fortunately, configure-aws-credentials does not require those settings to work with IRSA, but unfortunately they do cause configure-aws-credentials to fail when there is no ~/.aws/credentials file:

internal/fs/utils.js:220
    throw err;
    ^

Error: ENOENT: no such file or directory, open '/home/runner/.aws/credentials'
    at Object.openSync (fs.js:440:3)
    at Object.readFileSync (fs.js:342:35)
    at Object.readFileSync (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:598:38)
    at IniLoader.parseFile (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:6500:47)
    at IniLoader.loadFrom (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:6550:30)
    at Config.region (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:13483:36)
    at Config.set (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:13150:39)
    at Config.<anonymous> (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:12985:12)
    at Config.each (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:1010:32)
    at new Config (/runner/_work/_actions/aws-actions/configure-aws-credentials/v1/dist/index.js:12984:19) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/home/runner/.aws/credentials'
}

This is using the current @v1 which points to commit 32d908a.

I would like/expect this situation to be handled, since in this case credentials come not from EC2 metadata or ~/.aws/credentials but instead from $AWS_WEB_IDENTITY_TOKEN_FILE, and everything works fine without those settings that amazon-ecr-credential-helper needs.

The action default for role-duration-seconds is 6 hours but the CLI default is 1 hour. I think these defaults should be consistent.