aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

Provide ARN of authenticated principal as output #1062

Open tsibley opened 4 months ago

tsibley commented 4 months ago

Describe the feature

Similar to how the account id of the authenticated principal is set:

https://github.com/aws-actions/configure-aws-credentials/blob/ffc9011218e7227b402bc4cc49b703e8a3121c0f/src/helpers.ts#L57-L70

it would be nice to have the ARN as well (e.g. from the same STS.GetCallerIdentity call).

Beyond providing it as an output that the calling workflow can use how it pleases, I'd also like to see the ARN output to logs by default, but I understand there are privacy/security implications to consider there.

Use Case

It's very useful to be able to expose the ARN to logs or for debugging/troubleshooting. Even this GitHub Action's README includes

aws sts get-caller-identity

in examples. :-)

Proposed Solution

No response

Other Information

No response


tim-finnigan commented 2 months ago

Thanks for the feature request. I recognize the value here, but yes there are security implications to consider like you said.
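A workflow-side way to get what this issue asks for, written as an added example that is not part of the thread or of the action's own code: a shell function for a `run:` step placed after credentials are configured. The function name `export_caller_arn`, the output name `caller-arn` and the mask switch are assumptions made for illustration.

```shell
# Added example (not from the action): expose the caller ARN as a step output.
# Usage inside a workflow step:  export_caller_arn true   (or: false)
#   true  -> register ARN and account ID as masks so the runner redacts them in logs
#   false -> print the ARN to the job log for troubleshooting
export_caller_arn() {
  local mask arn account
  mask="${1:-true}"   # default to masking; logging the ARN is opt-in

  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "GITHUB_OUTPUT is not set; not running inside a workflow step?" >&2
    return 1
  fi

  # Same STS call the issue refers to; --query/--output return the bare ARN string.
  arn="$(aws sts get-caller-identity --query Arn --output text)" || return 1

  # Refuse anything that is not shaped like arn:<partition>:<service>::<account>:<resource>
  # so an error string or "None" never ends up in an output or a mask.
  case "$arn" in
    arn:*:*::[0-9]*:*) ;;
    *) echo "unexpected GetCallerIdentity result" >&2; return 1 ;;
  esac

  account="$(printf '%s' "$arn" | cut -d: -f5)"

  if [ "$mask" = "true" ]; then
    # Workflow commands: the runner replaces these values with *** in later log lines.
    echo "::add-mask::${arn}"
    echo "::add-mask::${account}"
  else
    echo "Authenticated as ${arn}"
  fi

  # Make the ARN available to later steps as steps.<id>.outputs.caller-arn
  echo "caller-arn=${arn}" >> "$GITHUB_OUTPUT"
}
```
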