Merge pull request #13 from chetan/feature/aws_oidc

feature/aws OIDC - fixes #12
chetan · Jan 28, 2022 · 74a68bb · 74a68bb
2 parents fd83731 + 0f60766
commit 74a68bb
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 14 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -1,5 +1,9 @@
 name: "Test Suite"
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -72,3 +76,17 @@ jobs:
           AWS_REGION: "us-east-1"
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: TestSessionName
+          aws-region: "us-east-1"
+
+      - name: invalidate PATHS using oidc creds
+        uses: ./
+        env:
+          DEBUG: "1"
+          PATHS: /robots* /index.html
+          DISTRIBUTION: ${{ secrets.DISTRIBUTION }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Invalidate AWS CloudFront Action Changelog
 
+## v2.3
+
+### Fixes
+
+- support for AWS credentials via OIDC ([#12](https://github.com/chetan/invalidate-cloudfront-action/issues/12))
+
 ## v2.2
 
 ### Fixes

diff --git a/README.md b/README.md
@@ -81,9 +81,38 @@ Example workflow steps:
     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 ```
 
+### AWS Credentials
+
+The recommended way to pass AWS credentials to your GitHub actions is to use
+[OpenID
+Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services).
+
+Once configured, you can use the
+[aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials)
+action to properly authentication and supply AWS credentials to subsequent steps
+in your workflow.
+
+Note that your workflow will need the following permission when using OIDC:
+
+```yaml
+permissions:
+  id-token: write
+```
+
+For a complete example, see the [workflow](./.github/workflows/tests.yml) in
+this repository.
+
+Also note that if you using the CloudFormation template from the aws repo above,
+the 'thumbprint' shown in the example is out of date. I've included a [working
+template](./docs/github-oidc.yaml) complete with the below IAM policy that
+should work out of the box (as of 2022-01-27).
+
+As an alternative, you may directly pass an access/secret key pair. See the
+config section above.
+
 ### AWS IAM Policy
 
-In order to use this action, you will need to supply an access key pair which has, at minimum, the following permission:
+In order to use this action, you will need to supply credentials which have, at minimum, the following permission:
 
 ```json
 {
@@ -93,14 +122,12 @@ In order to use this action, you will need to supply an access key pair which ha
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": "cloudfront:CreateInvalidation",
-            "Resource": "arn:aws:cloudfront::<account id>:distribution/*"
+            "Resource": "arn:aws:cloudfront::<account id>:distribution/<distribution ID>"
         }
     ]
 }
 ```
 
-Note that cloudfront [does not support resource-level permissions](https://stackoverflow.com/a/44373795/1777780).
-
 ## Self-hosted runners
 
 A note regarding [self-hosted

diff --git a/docs/github-oidc.yaml b/docs/github-oidc.yaml
@@ -0,0 +1,56 @@
+Parameters:
+  GitHubOrg:
+    Type: String
+  RepositoryName:
+    Type: String
+  CloudfrontDistributionArn:
+    Type: String
+  OIDCProviderArn:
+    Description: Arn for the GitHub OIDC Provider.
+    Default: ""
+    Type: String
+
+Conditions:
+  CreateOIDCProvider: !Equals
+    - !Ref OIDCProviderArn
+    - ""
+
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !If
+                - CreateOIDCProvider
+                - !Ref GithubOidc
+                - !Ref OIDCProviderArn
+            Condition:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+      Policies:
+        - PolicyName: InvalidateCloudfrontOnly
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: 'cloudfront:CreateInvalidation'
+                Resource: !Ref CloudfrontDistributionArn
+
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - a031c46782e6e6c662c2c87c76da9aa62ccabd8e
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+
+Outputs:
+  Role:
+    Value: !GetAtt Role.Arn
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -37,15 +37,19 @@ fi
 
 # run
 
-# Create a dedicated profile for this action to avoid
-# conflicts with other actions.
-# https://github.com/jakejarvis/s3-sync-action/issues/1
-aws configure --profile invalidate-cloudfront-action <<-EOF > /dev/null 2>&1
-${AWS_ACCESS_KEY_ID}
-${AWS_SECRET_ACCESS_KEY}
-${AWS_REGION}
-text
+if [[ -z "$AWS_SESSION_TOKEN" ]]; then
+  # AWS_SESSION_TOKEN will be set when using OIDC creds
+  # Create a dedicated profile for this action to avoid
+  # conflicts with other actions.
+  # https://github.com/jakejarvis/s3-sync-action/issues/1
+  _aws_profile="--profile invalidate-cloudfront-action"
+  aws configure $_aws_profile <<-EOF > /dev/null 2>&1
+  ${AWS_ACCESS_KEY_ID}
+  ${AWS_SECRET_ACCESS_KEY}
+  ${AWS_REGION}
+  text
 EOF
+fi
 
 # Set it here to avoid logging keys/secrets
 if [ "$DEBUG" = "1" ]; then
@@ -63,7 +67,7 @@ if  [[ ! -x "$(command -v $jq)" || "$($jq --version)" != "jq-1.6" ]]; then
   fi
   if [[ -n "$jqbin" ]]; then
     jq="/usr/local/bin/jq16"
-    wget -O $jq https://github.com/stedolan/jq/releases/download/jq-1.6/$jqbin
+    wget -nv -O $jq https://github.com/stedolan/jq/releases/download/jq-1.6/$jqbin
     chmod 755 $jq
   fi
 fi
@@ -101,7 +105,7 @@ fi
 # Use our dedicated profile and suppress verbose messages.
 # Support v1.x of the awscli which does not have this flag
 [[ "$(aws --version)" =~ "cli/2" ]] && pagerflag="--no-cli-pager"
-aws $pagerflag --profile invalidate-cloudfront-action \
+aws $pagerflag $_aws_profile \
   cloudfront create-invalidation \
   --distribution-id "$DISTRIBUTION" \
   --cli-input-json "file://${RUNNER_TEMP}/invalidation-batch.json"