fix: fixed logic to determine if long-term credentials is used #904
Conversation
|
However, this fix doesn't cover all cases. For example, the warning is not displayed when using IAM User as shown below. - name: Setup aws credentials
uses: aws-actions/[email protected]
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ap-northeast-1To cover these, it is necessary to make sure that no other inputs are set in more upstream functions. Like this configure-aws-credentials/src/index.ts Lines 73 to 93 in a4d9254 |
| @@ -874,6 +874,8 @@ describe('Configure AWS Credentials', () => { | |||
|
|
|||
| test('prints warning for access key usage and no session token', async () => { | |||
| jest.spyOn(core, 'getInput').mockImplementation(mockGetInput(ASSUME_ROLE_INPUTS)); | |||
| process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID; | |||
There was a problem hiding this comment.
We should also have another test without these lines you've added to verify that the warning does NOT throw
There was a problem hiding this comment.
Thank you for your review! I added test check doesn't show warning when using STS access key.
3e570a9
|
We could also validate the prefix of the access key per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids |
+1 |
src/assumeRole.ts
Outdated
| // IAM access key starts with 'AKIA' prefix. | ||
| // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids | ||
| if (accessKey) { | ||
| if (accessKey.startsWith('AKIA')) { |
There was a problem hiding this comment.
Combine these into one condition separated by &&?
There was a problem hiding this comment.
I’d also define AKIA as a constant up above with the link to the documentation.
There was a problem hiding this comment.
|
Brilliant @jplock, that's a fantastic solution. Thank you both very much for working on this and bringing a solution to the table 🙂 Not a requirement at all, feel free to disagree with this slight nit, I think I would redefine the const as an all caps const at the top of the file, just below the imports. Other than that I think this looks perfect. I'm not a maintainer here anymore, so I cannot give approval, but I'm sure the current maintainers will have time to take a look relatively soon |
|
+1 I agree with that (constants should be in all caps and defined near the top outside of the function). |
|
Thank you @jplock and @peterwoodworth! |
|
@tim-finnigan would you be able to review this PR please? |
|
Thanks for creating this PR! I think we want to be careful about hard coding prefixes that could change, or may not apply to every intended scenario. But the changes here are probably fine. We are planning to discuss this PR further this week, and will likely also want to confirm our thinking with someone from the IAM team before approving this. |
|
Hi @tim-finnigan, Do you have any update? |
|
Hi @ponkio-o thanks for your patience. We discussed this topic further as a team and decided to remove the warning. There are more details in this PR: #926. Thanks again for working on this PR. While I think the changes here are an improvement to the existing warning conditions, we are hesitant to specify hard-coded IAM prefixes that could also change in the future. |
|
@tim-finnigan So, I will close this PR. |
*Issue #885
Description of changes:
The current logic looks to see if
AWS_SESSION_TOKENis present, which is causing unnecessary warnings when using a self-hosted runner with EC2 instance profile.Since this warning is originally issued when only
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYare set, I fixed the logic to determine.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.