
allow OIDC instead of keys #12

Closed
exussum12 opened this issue Jan 23, 2022 · 8 comments

Comments

@exussum12

GitHub supports OpenID Connect to get credentials from AWS. This repo rejects anything which does not pass through the AWS creds.

Could OIDC support be added?

@forensicmike

@exussum12 thought I'd let you know that I decided to fork this to see if I could get it working. After gutting a few things, it seems to work by simply removing the parameters. Note: I do not recommend pointing to my fork, but you could always do the same until the real one is fixed :)

forensicmike@911f19b

@chetan
Owner

chetan commented Jan 27, 2022

Looks good and thanks for experimenting and confirming it works @forensicmike. I'll try to get it implemented as an option soon.

@forensicmike

I did a bit more experimenting and wanted to share what I found about how the aws-actions/configure-aws-credentials@v1 action works, which is the recommended way to implement the OIDC connectivity.

It appears that after successfully completing, every step afterwards on that same job will automatically include the following (it shows up in the action runner output):

    AWS_DEFAULT_REGION: ca-central-1
    AWS_REGION: ca-central-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

@exussum12
Author

@forensicmike Yeah, I ended up just writing a simple script when I couldn't find a preexisting action.

https://github.com/SykesCottages/technology-blog/blob/master/.github/workflows/deploy.yml#L30

Probably needs some docs adding too about adding

    permissions:
      id-token: write
      contents: read

Thanks for looking!

@chetan
Owner

chetan commented Jan 27, 2022

Great, thanks. Will definitely be easier to leverage that action to set things up.

@forensicmike

Yeah, that caught me as well. Also think there needs to be a bit more fanfare around the need to manually set up the trust policy in AWS, lest any repo on GitHub can assume that role if it possesses the role ARN.
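A trust policy of the kind that comment refers to, added here as an illustration and not taken from this repo: the account id `123456789012` and `ORG/REPO` are placeholders, and the `sub` condition is what pins the role to one repository and branch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

Without the `sub` condition, any GitHub workflow presenting a token from this provider satisfies the policy, which is the exposure described in the comment above.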

@chetan chetan closed this as completed in 74a68bb Jan 28, 2022
@johnmcase

@chetan Sorry to revive such an old issue, but why is this marked as completed?

If I'm understanding correctly, this action will still fail if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY inputs are not supplied:

    if [ -z "$AWS_ACCESS_KEY_ID" ]; then

The fork @forensicmike made removed the checks for those parameters and presumed that the caller had already called the aws-actions/configure-aws-credentials action prior to calling this one.

What am I missing?

@chetan
Owner

chetan commented Mar 5, 2024

@johnmcase successfully running the aws-actions/configure-aws-credentials action passes those variables to this action, as documented in the readme.

If you're seeing an issue then you may need to look into the output of that action to see what's going on. You can refer to the readme in this repo and the test action for some more examples.
