fix: action fails when intending to use existing credentials (#796)

peterwoodworth · kellertk · web-flow · commit 76997ececd8d · 2023-08-24T14:38:12.000-07:00
* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

* fix: action fails when intending to use existing credentials

---------

Co-authored-by: Tom Keller &lt;1083460+kellertk@users.noreply.github.com&gt;
diff --git a/.github/workflows/tests-integ.yml b/.github/workflows/tests-integ.yml
@@ -48,6 +48,28 @@ jobs:
           role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
           role-session-name: IntegAccessKeysAssumeRole
           role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
+  integ-access-keys-env:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+        node: [14, 16, 18]
+    name: Run access key from env integ tests
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v3
+      - name: Integ test for access keys
+        uses: ./
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
+          role-session-name: IntegAccessKeysAssumeRole
+          role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
   integ-iam-user:
     strategy:
       fail-fast: false
diff --git a/README.md b/README.md
@@ -161,13 +161,15 @@ We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/d
 
 The following table describes which method is used based on which values are supplied to the Action:
 
-| **Identity Used**                                               | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` |
-| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - |
-| [✅ Recommended] Assume Role directly using GitHub OIDC provider |                     | ✔                |                           | |
-| IAM User                                                        | ✔                   |                  |                           | |
-| Assume Role using IAM User credentials                          | ✔                   | ✔                |                           | |
-| Assume Role using WebIdentity Token File credentials            |                     | ✔                | ✔                         | |
-| Assume Role using existing credentials | | ✔ | | ✔ |
+| **Identity Used**                                               | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` | `id-token` permission
+| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - | - |
+| [✅ Recommended] Assume Role directly using GitHub OIDC provider |                     | ✔                |                           | | ✔ |
+| IAM User                                                        | ✔                   |                  |                           | | |
+| Assume Role using IAM User credentials                          | ✔                   | ✔                |                           | | |
+| Assume Role using WebIdentity Token File credentials            |                     | ✔                | ✔                         | | |
+| Assume Role using existing credentials | | ✔ | | ✔ | |
+
+*Note: `role-chaining` is not necessary to use existing credentials in every use case. If you're getting a "Credentials loaded by the SDK do not match" error, try enabling this prop.
 
 ### Credential Lifetime
 The default session duration is **1 hour**.
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/index.ts b/src/index.ts
@@ -78,7 +78,8 @@ export async function run() {
         !roleChaining
       ) {
         core.info(
-          'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
+          'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? ' +
+            'If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
         );
       }
       return (
@@ -127,11 +128,15 @@ export async function run() {
       // the source credentials to already be masked as secrets
       // in any error messages.
       exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
-    } else if (!webIdentityTokenFile && !roleChaining) {
+    } else if (
+      !webIdentityTokenFile &&
+      !roleChaining &&
+      !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
+    ) {
       throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
     }
 
-    if (AccessKeyId || roleChaining) {
+    if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
       // Validate that the SDK can actually pick up credentials.
       // This validates cases where this action is using existing environment credentials,
       // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -519,13 +519,33 @@ describe('Configure AWS Credentials', () => {
     await run();
 
     expect(core.info).toHaveBeenCalledWith(
-      'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?'
+      'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
+        ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
     );
     expect(core.setFailed).toHaveBeenCalledWith(
       'Could not determine how to assume credentials. Please check your inputs and try again.'
     );
   });
 
+  test('Assume role with existing credentials if nothing else set', async () => {
+    process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID;
+    process.env['AWS_SECRET_ACCESS_KEY'] = FAKE_SECRET_ACCESS_KEY;
+    jest.spyOn(core, 'getInput').mockImplementation(
+      mockGetInput({
+        'role-to-assume': ROLE_ARN,
+        'aws-region': FAKE_REGION,
+      })
+    );
+
+    await run();
+
+    expect(core.info).toHaveBeenCalledWith(
+      'It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission?' +
+        ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
+    );
+    expect(mockedSTS.commandCalls(AssumeRoleCommand).length).toEqual(1);
+  });
+
   test('role assumption fails after maximum trials using OIDC provider', async () => {
     process.env['GITHUB_ACTIONS'] = 'true';
     process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = 'test-token';
