aws-actions / aws-codebuild-run-build

Run an AWS CodeBuild project as a step in a GitHub Actions workflow job.
https://aws.amazon.com/codebuild
Apache License 2.0

Credential problem for usecase of Github Actions OIDC federated IAM Role #74

Closed takaaki-inada closed 3 years ago

takaaki-inada commented 3 years ago

This article, AWS federation comes to GitHub Actions, explains that we can use an OIDC federated IAM Role in a GitHub Actions workflow.

But now I get this error with aws-actions/aws-codebuild-run-build@v1:

Error: No credentials. Try adding @aws-actions/configure-aws-credentials earlier in your job to set up AWS credentials.

If I simply comment out this assert, it works well: https://github.com/aws-actions/aws-codebuild-run-build/blob/8945a85e94fd346070a0d8a28da303dbdd80b4bf/code-build.js#L228_L230

```javascript
// The check in code-build.js that fails when credentials come from OIDC federation
assert(
  codeBuild.config.credentials && cloudWatchLogs.config.credentials,
  "No credentials. Try adding @aws-actions/configure-aws-credentials earlier in your job to set up AWS credentials."
);
```

So for the moment I suggest just logging this as a warning rather than asserting.

celliott commented 3 years ago

Here is a workaround until this issue is addressed. Not super clean, but it does get STS creds with assume-role-with-web-identity and works with aws-codebuild-run-build. I followed the same post, AWS federation comes to GitHub Actions, for setting up my OIDC provider and IAM role with a federated trust policy, although I used Terraform instead of CloudFormation.

```yaml
# Step 1: exchange the job's GitHub OIDC token for temporary STS credentials with the CLI
- name: Get AWS Credentials Using OIDC
  id: aws_sts_creds
  run: |
    export AWS_ROLE_ARN=arn:aws:iam::0123456789012:role/ExampleGithubRole
    export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
    export AWS_DEFAULT_REGION=us-east-1

    # Request the OIDC token from the runner and store it in the token file
    curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE

    # Swap the web identity token for short-lived role credentials
    aws sts assume-role-with-web-identity \
      --role-arn $AWS_ROLE_ARN \
      --role-session-name github-actions \
      --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
      --duration-seconds 1000 > /tmp/aws-creds

    export AWS_ACCESS_KEY_ID="$(cat /tmp/aws-creds | jq -r ".Credentials.AccessKeyId")"
    export AWS_SECRET_ACCESS_KEY="$(cat /tmp/aws-creds | jq -r ".Credentials.SecretAccessKey")"
    export AWS_SESSION_TOKEN="$(cat /tmp/aws-creds | jq -r ".Credentials.SessionToken")"

    # Mask the credentials so they are redacted from the job log
    echo ::add-mask::$AWS_ACCESS_KEY_ID
    echo ::add-mask::$AWS_SECRET_ACCESS_KEY
    echo ::add-mask::$AWS_SESSION_TOKEN

    # Pass the credentials to the next step as outputs
    echo ::set-output name=aws_access_key_id::$AWS_ACCESS_KEY_ID
    echo ::set-output name=aws_secret_access_key::$AWS_SECRET_ACCESS_KEY
    echo ::set-output name=aws_session_token::$AWS_SESSION_TOKEN
    echo ::set-output name=aws_default_region::$AWS_DEFAULT_REGION

# Step 2: hand the credentials to configure-aws-credentials so later steps
# (including aws-codebuild-run-build) find them in the SDK config
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ steps.aws_sts_creds.outputs.aws_access_key_id }}
    aws-secret-access-key: ${{ steps.aws_sts_creds.outputs.aws_secret_access_key }}
    aws-session-token: ${{ steps.aws_sts_creds.outputs.aws_session_token }}
    aws-region: ${{ steps.aws_sts_creds.outputs.aws_default_region }}
```

takaaki-inada commented 3 years ago

@celliott
Thank you for this workaround, it is helping us a lot! Terraform is nice. I used it too.

celliott commented 3 years ago

@takaaki-inada I'm glad to help. I spent a little more time today and found a much cleaner way to use OIDC to get STS AWS creds. This has been tested with aws-actions/aws-codebuild-run-build@v1.0.4.

```yaml
name: GitHub Action AWS OIDC STS Creds
on:
  workflow_dispatch: {}
  pull_request: {}
concurrency: ${{ github.repository }}-github-action
env:
  AWS_ROLE_ARN: arn:aws:iam::0123456789012:role/ExampleGithubRole
  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awstoken
  AWS_REGION: us-east-1
jobs:
  plan:
    runs-on: ubuntu-latest
    # id-token: write is required for the job to request an OIDC token
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set Environment Variables
        run: echo "REPO_NAME=${GITHUB_REPOSITORY#*\/}" >> $GITHUB_ENV
      # Request the OIDC token from the runner and write it to the token file
      - name: Get AWS Credentials Using OIDC
        run: |
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
      # Let configure-aws-credentials do the AssumeRoleWithWebIdentity call itself;
      # pinned to master because web-identity-token-file is not in a released version yet
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ${{ env.AWS_REGION }}
          web-identity-token-file: ${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
          role-duration-seconds: 1800
          role-session-name: ${{ env.REPO_NAME }}-github-action
      # Sanity check: confirm which role the later steps will run as
      - name: AWS Get Caller Identity
        run: aws sts get-caller-identity
```

takaaki-inada commented 3 years ago
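The workflows above write the GitHub OIDC token to `$AWS_WEB_IDENTITY_TOKEN_FILE` and let STS reject it if the trust policy's `aud` or `sub` conditions do not match. The following is an added example, not code from the action or from either commenter, that decodes the token's claims offline (without verifying the signature, which STS does) and reports which claims would not satisfy a trust policy built for the `audience=sigstore` request used here. The repository name, the fixed clock and the sample token are constructed for the example.

```javascript
const GITHUB_ISSUER = "https://token.actions.githubusercontent.com";

// Decode one base64url JWT segment into JSON.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// `expected` = { audience, repository } mirrors the trust policy's
// token.actions.githubusercontent.com:aud and :sub conditions. No signature check here.
function inspectGitHubOidcToken(jwt, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.trim().split(".");
  if (parts.length !== 3) {
    return { claims: null, problems: ["token is not a three-part JWT"] };
  }
  const claims = decodeSegment(parts[1]);
  const problems = [];
  if (claims.iss !== GITHUB_ISSUER) {
    problems.push(`iss is ${claims.iss}, expected ${GITHUB_ISSUER}`);
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) {
    problems.push(`aud ${JSON.stringify(aud)} does not include ${expected.audience}`);
  }
  const subPrefix = `repo:${expected.repository}:`;
  if (typeof claims.sub !== "string" || !claims.sub.startsWith(subPrefix)) {
    problems.push(`sub ${claims.sub} does not start with ${subPrefix}`);
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    problems.push("token is expired or has no exp claim");
  }
  return { claims, problems };
}

// Constructed sample token (same shape as GitHub's, fake signature) so the
// checks can run offline instead of reading $AWS_WEB_IDENTITY_TOKEN_FILE.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.fakesignature`;
}

const NOW = 1700000000; // fixed clock so the sample stays valid
const SAMPLE_TOKEN = makeSampleToken({
  iss: GITHUB_ISSUER,
  aud: "sigstore", // the audience the workflow's curl request asks for
  sub: "repo:example-org/example-repo:ref:refs/heads/main",
  exp: NOW + 600,
});

const check = inspectGitHubOidcToken(SAMPLE_TOKEN, { audience: "sigstore", repository: "example-org/example-repo" }, NOW);
console.log(check.problems.length ? check.problems.join("\n") : "claims match the trust policy");
```

To check a real token, replace `SAMPLE_TOKEN` with the contents of the token file and `expected` with the values from your IAM role's trust policy; an `aud` mismatch is the usual cause of an AssumeRoleWithWebIdentity failure when the audience in the curl request and the OIDC provider's client ID differ.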

@celliott Simple! LGTM. I learned that "aws-actions/configure-aws-credentials" supports web-identity-token-file.

celliott commented 3 years ago

@takaaki-inada web-identity-token-file hasn't been released in a version yet. Please note that the action in this example is pinned to master.