Closed bdowne01 closed 1 year ago
+1
+1
+1
Does this not work?
https://github.com/aws-actions/configure-aws-credentials
That action takes an ARN and sets the env-vars so other things don't need to do anything out of the normal AWS api sdk behavior of check/user auth in env-vars
Does it work? I have been unable to get it to work using configure-aws-credentials.
```yaml
permissions:
  id-token: write # required to use OIDC authentication
  contents: read # required to checkout the code from the repo
name: deploy to lambda
on: [push]
jobs:
  build:
    name: Build Lambda Functions
    env:
      BUCKET_NAME: s3://org/repo/
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: build functions
        run: ./install.sh
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          role-to-assume: arn:aws:iam::ORG-ID:role/GithubActionsLambdaDeployRole
          role-duration-seconds: 900
          aws-region: us-east-1
      - name: Deploy Lambda to AWS
        # if: github.ref == 'refs/heads/release'
        uses: appleboy/lambda-action@master
        with:
          # gets secrets set in env by `configure-aws-credentials`
          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws_region: ${{ env.AWS_REGION }}
          function_name: lambdaFunctionName
          zip_file: build/lambaFunctionName.zip
          dry_run: true
```
and the GithubActionsLambdaDeployRole has a policy with these permissions.

But I always get an UnrecognizedClientException.
> But I always get an UnrecognizedClientException
Did you link GHA to IAM? https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
I'm not using this action any longer because of this limitation, but the configure-aws-credentials repo Readme states:
"The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls."
This action appears to be a minor wrapper around two other Go repos: apex/gateway and gin-gonic/gin. I don't code in Go, but it appears apex/gateway does pull in aws/aws-lambda-go... so maybe?
> > But I always get an UnrecognizedClientException
>
> Did you link GHA to IAM? docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Yup. I can use i.e. the AWS CLI after configuring this way; it's only lambda-action that doesn't work, since it doesn't pick up the access key after it's configured by configure-aws-credentials.
When using configure-aws-credentials@v1 the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN are set. The GitHub action lambda-action has support for the input session_token. However, the Go application lambda-action does not. There is a PR open to add support for session_token: appleboy/drone-lambda#14. However, it has not been merged.
I will take it and already merge in https://github.com/appleboy/drone-lambda/pull/20
If you're assuming roles to deploy your lambdas, which is AWS best practice, this action will not work as it only takes an AWS IAM key and secret key for credentials. The role parameter is only to set the target lambda's execution role.
Adding an option to assume-role for deploys would be great.
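The failure mode discussed in this thread (temporary STS credentials handed to a tool that only accepts a key id and secret, so the session token is silently dropped and AWS answers UnrecognizedClientException) can be caught before the deploy step runs. The preflight function below is an added example, not code from lambda-action or configure-aws-credentials; the function name and messages are this example's own, and it relies on the fact that STS temporary access key ids start with `ASIA` while long-term IAM user key ids start with `AKIA`.

```shell
#!/usr/bin/env bash
# Preflight check for a workflow step that passes AWS credentials to a tool
# which accepts only an access key id and secret (no session token input).
# Temporary credentials from an assumed role have key ids that start with
# "ASIA" and are only valid together with AWS_SESSION_TOKEN; long-term IAM
# user keys start with "AKIA". Name and messages are this example's own.

# Usage: check_static_aws_creds KEY_ID SESSION_TOKEN
# Returns 0 when the pair is usable by a key+secret-only client, 1 otherwise.
check_static_aws_creds() {
  local key_id="$1" session_token="$2"
  case "$key_id" in
    "")
      echo "no AWS_ACCESS_KEY_ID in the environment; did configure-aws-credentials run?" >&2
      return 1 ;;
    ASIA*)
      if [ -n "$session_token" ]; then
        echo "temporary credentials (key id ASIA...) need AWS_SESSION_TOKEN;" \
             "a client that only takes key+secret will get UnrecognizedClientException" >&2
      else
        echo "temporary key id without a session token: credentials are incomplete" >&2
      fi
      return 1 ;;
    AKIA*)
      return 0 ;;
    *)
      echo "unrecognised access key id format: ${key_id:0:4}..." >&2
      return 1 ;;
  esac
}

# Constructed sample values (not real credentials). In a workflow you would
# call: check_static_aws_creds "$AWS_ACCESS_KEY_ID" "$AWS_SESSION_TOKEN"
check_static_aws_creds "AKIAEXAMPLE000000000" "" && echo "long-term key: ok"
check_static_aws_creds "ASIAEXAMPLE000000000" "FwoGZXIvYXdzEXAMPLE" \
  || echo "temporary key: preflight failed (expected)"
```

Run this as a `run:` step between configure-aws-credentials and the deploy step; a non-zero exit fails the job with a clear reason instead of an opaque UnrecognizedClientException from the deploy tool.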