Open clareliguori opened 4 years ago
An exemplary usage of aws cli in the configure-aws-credentials readme would have been enough for me. But a separate repo would make it even more obvious, even just with a readme that does a built in run.
Certainly would be helpful for self-hosted scenarios.
You can sorta do this with the aws-cli docker image. That comes with a lot of limitations though, e.g. you're limited to particular directories which actions volume-maps in: /github/home, /github/workspace, /github/workflow
```yaml
steps:
  - name: Download File from S3
    uses: docker://amazon/aws-cli:2.0.7
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    with:
      args: s3 cp s3://bucket/key /github/home/downloaded_file
```
Is it possible to use s3 cp in the pull request with GitHub Actions?
I found that secrets.AWS_ACCESS_KEY_ID does not work for pull requests from a fork.
Any solution?
You can make the object publicly accessible and then either pass --no-sign-request or download directly by URL without the aws cli.
Really though, this is a broader problem of needing to be able to build against external pull requests but not leak secrets. If secrets were allowed when building against external PRs, someone could submit a PR that either did something malicious with your credentials directly or made them accessible such that they could do something with them later. But merging a PR, especially an external one, without running CI is also not desirable. So really there needs to be a way to say "a trusted human has looked at this PR and verified that it doesn't do anything bad, now run CI with secrets". Running only approved PRs might work. None of this is specific to aws-cli on GitHub Actions, or for that matter any CI provider though.
I was missing the list of all env vars: https://stackoverflow.com/a/63353289/2771889
After figuring that out it's very straightforward to use the CLI in Actions.
I would really appreciate it! Even if it's also offered in the GitHub environment I'd feel safer if there's an AWS certified version to use. Just my two cents...
I've created a GitHub Action that installs the AWS CLI on a Linux runner, according to a given version, so you might find it useful - unfor19/install-aws-cli-action
This is how you use it -
```yaml
- id: install-aws-cli
  uses: unfor19/install-aws-cli-action@v1
  with:
    version: 1
```
@BastianZim - I agree with your concern regarding the "official version", the action that I've created doesn't require any credentials, it only installs the CLI.
For the record, aws-cli-install-action is another AWS CLI action:
```yaml
- uses: chrislennon/action-aws-cli@v1.1
- run: aws s3 ls
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```
@sshymko the action that you mentioned is archived :\ This is why I created my action
I tried using the docker workaround to get a more up-to-date aws-cli but I need it on Windows as well as Linux and there's not a Windows docker image for the aws-cli (aws-cli is also not published to ecr public yet, so we're at the mercy of dockerhub rate limiting too).
@bwagner5 just wondering, would you use my action https://github.com/unfor19/install-aws-cli-action if it supported Windows?
The main difference between my action and the others out there - I'm installing the aws-cli on the runner, unlike other actions that run a Docker container that has the aws-cli installed on it.
@unfor19 Thanks for the action and your comment, sorry, completely forgot to answer. Having an action that installs an official version is already great but what would help me is, if it's certified by AWS. It's not so much that the software is coming from an AWS source but if the action that I'm using is certified by AWS, I don't need to do a huge write-up for compliance as legal will just accept it since it's from the provider.
So in summary, there is no technical need for an AWS version but a legal one, unfortunately. At least for me...
@clareliguori Is there anything planned on the AWS side since the issue has been open for some time now?
An action to push from GitHub to Lambda would also be great under the same premise, but not sure if there is anything planned there?
Also, on a different note, not sure about now but the GitHub action has been stuck at V1 for quite some time...
Yup @BastianZim, it would be good if the default AWS CLI that comes with ubuntu-latest is updated to V2
I actually checked that since then and it seems like it will: https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md
Implementing this action would be great, especially for self-hosted runners. Currently using some custom action but would really love to see one under https://github.com/aws-actions
Sorry everybody but I'm just going to ping some people here because this has been open and stale for some time.
@stobrien89 @kdaily Since you're both active here, do you know if anything here is planned or should this issue be considered closed?
Hi @BastianZim, not dead, but not currently planned either! I'd personally like to see this out there as well.
Hi @kdaily, ok, thanks for the update!
Hi there
Can this thing be kindly created already?
It is very necessary, please!!
Hi! As stated in #6920 updating kubectl from v1.23.6 to 1.24.0 breaks EKS authentication. This can be fixed by either updating the aws cli to the latest version (v2.6.3) or downgrading kubectl to v1.23.6. This problem seems to manifest itself at random, because of inconsistency of aws cli versions across different runners. It would be extremely helpful to have a reliable way of controlling the aws cli version, so we don't have to wait for GitHub to update the aws cli to the latest version on all of their runners or use a crutch like downgrading kubectl to circumvent this issue. Or even worse, have the Actions suddenly break because GitHub decided to update the aws cli without any warning.
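Added example, not part of the thread and not code from AWS or GitHub: a POSIX shell gate that fails a job early when the runner's AWS CLI is older than a required minimum, so version drift across runners shows up as a clear error rather than a broken EKS login. The function names are hypothetical, the minimum 2.6.3 is the version named in the comment above, and the sample `aws --version` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): fail a job early when the runner's
# AWS CLI is older than a required minimum.

# Print X.Y.Z from a line of `aws --version` output; return 1 if unrecognised.
parse_aws_cli_version() {
  ver=$(printf '%s\n' "$1" |
    sed -n 's|^aws-cli/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}

# Return 0 when version $1 >= version $2, comparing each component as a number
# (so 2.10.0 is newer than 2.6.3, which a string comparison gets wrong).
version_ge() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2            # split on dots: a1 a2 a3 b1 b2 b3
  IFS=$old_ifs
  for pair in "$1:$4" "$2:$5" "$3:$6"; do
    a=${pair%%:*}; b=${pair##*:}
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
  done
  return 0
}

# Verdict for one captured `aws --version` line against a minimum version.
# Returns 0 = new enough, 1 = too old, 2 = output not recognised.
check_aws_cli() {
  line=$1; min=$2
  if ! found=$(parse_aws_cli_version "$line"); then
    echo "unrecognised aws --version output: $line"; return 2
  fi
  if version_ge "$found" "$min"; then
    echo "ok: aws-cli $found >= $min"
  else
    echo "too old: aws-cli $found < $min"; return 1
  fi
}

# In a workflow step: check_aws_cli "$(aws --version 2>&1)" 2.6.3
# Constructed sample lines, so the script runs without the CLI installed:
while IFS= read -r sample; do
  check_aws_cli "$sample" 2.6.3 || true
done <<'EOF'
aws-cli/1.16.299 Python/3.6.9 Linux/5.3.0 botocore/1.13.35
aws-cli/2.6.3 Python/3.9.11 Linux/5.13.0 exe/x86_64.ubuntu.20 prompt/off
EOF
```
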
I'm opening this issue to gather feedback about the need for an AWS CLI GitHub Action in the github.com/aws-actions organization. Please use the thumbs-up reaction if this would be useful to you.
For context, GitHub deprecated (and has now deleted) their action actions/aws/cli. That action enabled running workflows like this:
Please note that the AWS CLI is pre-installed in the GitHub-hosted environments. For example, runs-on: ubuntu-latest will have AWS CLI version 1.16.299, and you can do the following:
I do not know how often GitHub will upgrade the version of the AWS CLI in the GitHub-hosted environments.
I have already received multiple requests for an AWS CLI action in the existing action repos that I maintain:
https://github.com/aws-actions/configure-aws-credentials/issues/9
https://github.com/aws-actions/amazon-ecs-deploy-task-definition/issues/21
https://github.com/aws-actions/amazon-ecs-deploy-task-definition/issues/18