Skip to content

Commit

Permalink
fix: validation logic throwing unwanted errors (#818)
Browse files Browse the repository at this point in the history
* fix: throws error even when valid credentials are present

* fix: throws error when invalid credentials are present despite not wanting to use them
  • Loading branch information
peterwoodworth authored Sep 5, 2023
1 parent 6c962b9 commit d78f55b
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 16 deletions.
29 changes: 28 additions & 1 deletion .github/workflows/tests-integ.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Run tests
name: Run Integ tests

on:
workflow_dispatch:
Expand Down Expand Up @@ -27,6 +27,33 @@ jobs:
role-duration-seconds: 900
role-session-name: IntegOidcAssumeRole
role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
integ-oidc-env:
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
node: [14, 16, 18]
name: Run OIDC integ tests with existing invalid env vars
runs-on: ${{ matrix.os }}
env:
AWS_ACCESS_KEY_ID: dummyaccesskeyid
AWS_SECRET_ACCESS_KEY: dummysecretkey
AWS_SESSION_TOKEN: dummytoken
timeout-minutes: 30
steps:
- name: "Checkout repository"
uses: actions/checkout@v3
- name: Integ test for OIDC
uses: ./
with:
aws-region: us-west-2
role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 900
role-session-name: IntegOidcAssumeRole
role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
integ-access-keys:
strategy:
fail-fast: false
Expand Down
10 changes: 5 additions & 5 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 5 additions & 7 deletions src/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -128,15 +128,13 @@ export async function run() {
// the source credentials to already be masked as secrets
// in any error messages.
exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
} else if (
!webIdentityTokenFile &&
!roleChaining &&
!(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
) {
throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
} else if (!webIdentityTokenFile && !roleChaining) {
// Proceed only if credentials can be picked up
await credentialsClient.validateCredentials();
sourceAccountId = await exportAccountId(credentialsClient, maskAccountId);
}

if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
if (AccessKeyId || roleChaining) {
// Validate that the SDK can actually pick up credentials.
// This validates cases where this action is using existing environment credentials,
// and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.
Expand Down
7 changes: 4 additions & 3 deletions test/index.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ describe('Configure AWS Credentials', () => {
await run();

expect(core.setFailed).toHaveBeenCalledWith(
'Could not determine how to assume credentials. Please check your inputs and try again.'
'Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers'
);
});

Expand All @@ -217,7 +217,7 @@ describe('Configure AWS Credentials', () => {
await run();

expect(core.setFailed).toHaveBeenCalledWith(
'Could not determine how to assume credentials. Please check your inputs and try again.'
'Credentials could not be loaded, please check your action inputs: Access key ID empty after loading credentials'
);
});

Expand Down Expand Up @@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
});

test('GH OIDC check fails if token is not set', async () => {
(fromEnv as jest.Mock).mockReset();
process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
process.env['GITHUB_ACTIONS'] = 'true';
jest.spyOn(core, 'getInput').mockImplementation(
Expand All @@ -524,7 +525,7 @@ describe('Configure AWS Credentials', () => {
' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
);
expect(core.setFailed).toHaveBeenCalledWith(
'Could not determine how to assume credentials. Please check your inputs and try again.'
'Credentials could not be loaded, please check your action inputs: provider is not a function'
);
});

Expand Down

0 comments on commit d78f55b

Please sign in to comment.