Merge branch 'main' into contri

Author: kellertk

.github/workflows/tests-integ.yml

@@ -48,6 +48,28 @@ jobs:
           role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
           role-session-name: IntegAccessKeysAssumeRole
           role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
+  integ-access-keys-env:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+        node: [14, 16, 18]
+    name: Run access key from env integ tests
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v3
+      - name: Integ test for access keys
+        uses: ./
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
+          role-session-name: IntegAccessKeysAssumeRole
+          role-external-id: ${{ secrets.SECRETS_AWS_ROLE_EXTERNAL_ID }}
   integ-iam-user:
     strategy:
       fail-fast: false

README.md

@@ -161,13 +161,15 @@ We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/d
 
 The following table describes which method is used based on which values are supplied to the Action:
 
-| **Identity Used**                                               | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` |
-| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - |
-| [✅ Recommended] Assume Role directly using GitHub OIDC provider |                     | ✔                |                           | |
-| IAM User                                                        | ✔                   |                  |                           | |
-| Assume Role using IAM User credentials                          | ✔                   | ✔                |                           | |
-| Assume Role using WebIdentity Token File credentials            |                     | ✔                | ✔                         | |
-| Assume Role using existing credentials | | ✔ | | ✔ |
+| **Identity Used**                                               | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` | `id-token` permission
+| --------------------------------------------------------------- | ------------------- | ---------------- | ------------------------- | - | - |
+| [✅ Recommended] Assume Role directly using GitHub OIDC provider |                     | ✔                |                           | | ✔ |
+| IAM User                                                        | ✔                   |                  |                           | | |
+| Assume Role using IAM User credentials                          | ✔                   | ✔                |                           | | |
+| Assume Role using WebIdentity Token File credentials            |                     | ✔                | ✔                         | | |
+| Assume Role using existing credentials | | ✔ | | ✔ | |
+
+*Note: `role-chaining` is not necessary to use existing credentials in every use case. If you're getting a "Credentials loaded by the SDK do not match" error, try enabling this prop.
 
 ### Credential Lifetime
 The default session duration is **1 hour**.
@@ -268,6 +270,15 @@ Your account ID is not masked by default in workflow logs since it's not conside
 #### Unset current credentials
 Sometimes, existing credentials in your runner can get in the way of the intended outcome, and the recommended solution is to include another step in your workflow which unsets the environment variables set by this action. Now if you set the `unset-current-credentials` input to `true`, the workaround is made eaiser
 
+#### Special characters in AWS_SECRET_ACCESS_KEY
+Some edge cases are unable to properly parse an `AWS_SECRET_ACCESS_KEY` if it
+contains special characters. For more information, please see the
+[AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-signature-does-not-match).
+If you set the `special-characters-workaround` option, this action will
+continually retry fetching credentials until we get one that does not have
+special characters. This option overrides the `disable-retry` and
+`retry-max-attempts` options.
+
 ## OIDC
 
 We recommend using [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) to get short-lived AWS credentials needed for your actions. When using OIDC, this action will create a JWT unique to the workflow run, and it will use this JWT to assume the role. For this action to create the JWT, it is required for your workflow to have the `id-token: write` permission:

action.yml

@@ -70,6 +70,9 @@ inputs:
   retry-max-attempts:
     description: The maximum number of attempts it will attempt to retry the assume role call. By default it will retry 12 times
     required: false
+  special-characters-workaround:
+    description: Some environments do not support special characters in AWS_SECRET_ACCESS_KEY. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. This option is disabled by default
+    required: false
 outputs:
   aws-account-id:
     description: The AWS account ID for the provided credentials

dist/cleanup/index.js

@@ -5,7 +5,7 @@ import * as core from '@actions/core';
 import type { AssumeRoleCommandInput, STSClient, Tag } from '@aws-sdk/client-sts';
 import { AssumeRoleCommand, AssumeRoleWithWebIdentityCommand } from '@aws-sdk/client-sts';
 import type { CredentialsClient } from './CredentialsClient';
-import { errorMessage, isDefined, sanitizeGitHubVariables, verifyKeys } from './helpers';
+import { errorMessage, isDefined, sanitizeGitHubVariables } from './helpers';
 
 async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSClient, webIdentityToken: string) {
   delete params.Tags;
@@ -17,7 +17,6 @@ async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSCli
         WebIdentityToken: webIdentityToken,
       })
     );
-    verifyKeys(creds.Credentials);
     return creds;
   } catch (error) {
     throw new Error(`Could not assume role with OIDC: ${errorMessage(error)}`);
@@ -49,7 +48,6 @@ async function assumeRoleWithWebIdentityTokenFile(
         WebIdentityToken: webIdentityToken,
       })
     );
-    verifyKeys(creds.Credentials);
     return creds;
   } catch (error) {
     throw new Error(`Could not assume role with web identity token file: ${errorMessage(error)}`);
@@ -60,7 +58,6 @@ async function assumeRoleWithCredentials(params: AssumeRoleCommandInput, client:
   core.info('Assuming role with user credentials');
   try {
     const creds = await client.send(new AssumeRoleCommand({ ...params }));
-    verifyKeys(creds.Credentials);
     return creds;
   } catch (error) {
     throw new Error(`Could not assume role with user credentials: ${errorMessage(error)}`);

dist/cleanup/src/helpers.d.ts

@@ -93,18 +93,21 @@ export function reset() {
 
 export function verifyKeys(creds: Partial<Credentials> | undefined) {
   if (!creds) {
-    return;
+    return false;
   }
   if (creds.AccessKeyId) {
     if (SPECIAL_CHARS_REGEX.test(creds.AccessKeyId)) {
-      throw new Error('AccessKeyId contains special characters.');
+      core.debug('AccessKeyId contains special characters.');
+      return false;
     }
   }
   if (creds.SecretAccessKey) {
     if (SPECIAL_CHARS_REGEX.test(creds.SecretAccessKey)) {
-      throw new Error('SecretAccessKey contains special characters.');
+      core.debug('SecretAccessKey contains special characters.');
+      return false;
     }
   }
+  return true;
 }
 
 // Retries the promise with exponential backoff if the error isRetryable up to maxRetries time.