commit | 816f5cc0cf79541b2a6d639e8f93ae43aadaf09c | [log] [tgz] |
---|---|---|
author | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | Thu Mar 05 19:16:24 2020 +0000 |
committer | GitHub <noreply@github.com> | Thu Mar 05 19:16:24 2020 +0000 |
tree | 47d7ebc9c35e598b63eeb1d2dbc49304573f05d6 | |
parent | a5771a059f822a1eb80af29306bfa3bda2b49240 [diff] |
fix: mask both source and role credentials (#40)
Configure AWS credential and region environment variables for use in other GitHub Actions. The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls.
Add the following step to your workflow:
- name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2
For example, you can use this action with the AWS CLI available in GitHub's hosted virtual environments.
jobs: deploy: name: Upload to Amazon S3 runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | aws s3 sync . s3://my-s3-website-bucket
See action.yml for the full documentation for this action's inputs and outputs.
We recommend following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:
If you would like to use the static credentials you provide to this action to assume a role, you can do so by specifying the role ARN in role-to-assume
. The role credentials will then be configured in the Actions environment instead of the static credentials you have provided. The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to role-duration-seconds
. The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name
.
Example:
- name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }} role-duration-seconds: 1200 role-session-name: MySessionName
In this example, the secret AWS_ROLE_TO_ASSUME
contains a string like arn:aws:iam::123456789100:role/role-to-assume
.
The session will have the name “GitHubActions” and be tagged with the following tags: (GITHUB_
environment variable definitions can be found here)
Key | Value |
---|---|
GitHub | “Actions” |
Repository | GITHUB_REPOSITORY |
Workflow | GITHUB_WORKFLOW |
Action | GITHUB_ACTION |
Actor | GITHUB_ACTOR |
Branch | GITHUB_REF |
Commit | GITHUB_SHA |
Note: all tag values must conform to the requirements. Particularly, GITHUB_WORKFLOW
will be truncated if it's too long. If GITHUB_ACTOR
or GITHUB_WORKFLOW
contain invalid charcters, the characters will be replaced with an ‘*’.
This code is made available under the MIT license.