const core = require('@actions/core')
const { STSClient, AssumeRoleWithWebIdentityCommand } = require('@aws-sdk/client-sts')
const { logInfo, logError } = require('../log')
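/**
 * Exchanges the GitHub Actions OIDC token for temporary AWS credentials via
 * STS `AssumeRoleWithWebIdentity` and exports them to the running job.
 *
 * Stateless: both members are static.
 * @class
 */
class AwsCredentialsService {
  /**
   * Resolves temporary AWS credentials for the current GitHub workflow.
   *
   * When `platformConfig.awsRoleToAssume` is absent nothing is done and the
   * AWS SDK's own provider chain is left to resolve credentials. Otherwise the
   * job's OIDC token (audience `sts.amazonaws.com`) is exchanged for
   * short-lived credentials on the configured role, which are masked and
   * exported to the job environment before being returned.
   *
   * Failures on the token/STS path (including a missing `awsAccountId`) are
   * logged and mapped to `undefined`; this method does not reject for them, so
   * callers must treat `undefined` as "no credentials were exported".
   *
   * @param {{ awsRoleToAssume?: string, awsAccountId?: string, awsRegion?: string }} platformConfig
   * @returns {Promise<object|undefined>} The exported credential object (STS
   *   PascalCase keys, SDK camelCase keys and `awsRegion`), or `undefined`
   *   when no role is configured or resolution failed.
   */
  static async resolveAwsCredentials(platformConfig) {
    const { awsRoleToAssume, awsAccountId, awsRegion } = platformConfig
    // No role configured: credentials are expected to be resolved locally by aws-sdk.
    if (!awsRoleToAssume) {
      logInfo({ message: '[AwsCredentialsService] No aws role to assume was found, leaving auth logic to @aws-sdk package' })
      return undefined
    }
    try {
      // Without an account id the ARN would read `arn:aws:iam::undefined:role/...`;
      // fail before spending an OIDC token on a request STS would reject anyway.
      if (!awsAccountId) {
        throw new Error('awsRoleToAssume is set but awsAccountId is missing; cannot build the role ARN')
      }
      // 900s is the minimum STS accepts for AssumeRoleWithWebIdentity; a short
      // session keeps the usable lifetime of the exported credentials small.
      const sessionDurationSeconds = 15 * 60
      const stsClient = new STSClient({ region: awsRegion })
      logInfo({ message: '[AwsCredentialsService] Fetching GitHub ID token' })
      const webIdentityToken = await core.getIDToken('sts.amazonaws.com')
      logInfo({ message: `[AwsCredentialsService] Attempting to resolve aws credentials by assuming the role: ${awsRoleToAssume}` })
      const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand({
        // NOTE: the `aws` partition is hard-coded; roles in other partitions
        // (e.g. GovCloud) cannot be assumed through this path.
        RoleArn: `arn:aws:iam::${awsAccountId}:role/${awsRoleToAssume}`,
        // Fixed session name: every run shows up under the same session label
        // in CloudTrail, so per-run attribution has to come from elsewhere.
        RoleSessionName: 'GitHubActions',
        DurationSeconds: sessionDurationSeconds,
        WebIdentityToken: webIdentityToken
      }))
      const credentials = {
        // Both the STS response shape (PascalCase) and the SDK credential
        // shape (camelCase) are emitted — presumably because downstream
        // consumers expect both; confirm before dropping either.
        AccessKeyId: Credentials.AccessKeyId,
        SessionToken: Credentials.SessionToken,
        SecretAccessKey: Credentials.SecretAccessKey,
        accessKeyId: Credentials.AccessKeyId,
        sessionToken: Credentials.SessionToken,
        secretAccessKey: Credentials.SecretAccessKey
      }
      return AwsCredentialsService.exportCredentialsToGithubWorkflow({ ...credentials, awsRegion })
    } catch (error) {
      logError({ message: '[AwsCredentialsService] Could not resolve temporary credentials', error })
      return undefined
    }
  }

  /**
   * Exports a credential set to the GitHub Actions job environment.
   *
   * Each secret value is registered with `core.setSecret` *before* it is
   * exported so the runner masks it in logs from the first point it could
   * appear. A missing session token or region clears any value left over
   * from an earlier credentials step instead of leaving it in place.
   *
   * @param {{ accessKeyId: string, secretAccessKey: string, sessionToken?: string, awsRegion?: string }} params
   * @returns {object} The same `params` object, unchanged, for chaining.
   */
  static exportCredentialsToGithubWorkflow(params) {
    const { accessKeyId, secretAccessKey, sessionToken, awsRegion } = params
    // AWS_ACCESS_KEY_ID: the access key associated with the IAM user or role.
    core.setSecret(accessKeyId)
    core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId)
    // AWS_SECRET_ACCESS_KEY: the "password" paired with the access key.
    core.setSecret(secretAccessKey)
    core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey)
    // AWS_SESSION_TOKEN: required when the credentials are temporary.
    if (sessionToken) {
      core.setSecret(sessionToken)
      core.exportVariable('AWS_SESSION_TOKEN', sessionToken)
    } else if (process.env.AWS_SESSION_TOKEN) {
      // Clear a session token left behind by a previous credentials action so
      // it is not silently combined with the new key pair.
      core.exportVariable('AWS_SESSION_TOKEN', '')
    }
    if (awsRegion) {
      core.exportVariable('AWS_REGION', awsRegion)
    } else if (process.env.AWS_REGION) {
      // Clear AWS_REGION left behind by a previous credentials action.
      core.exportVariable('AWS_REGION', '')
    }
    return params
  }
}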
// CommonJS entry point: the service class is this module's only export.
exports.AwsCredentialsService = AwsCredentialsService