fix: throws error when invalid credentials are present despite not wa…

…nting to use them
aws-actions · Aug 31, 2023 · 8ff265e · 8ff265e
1 parent ac71d77
commit 8ff265e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 13 deletions.
diff --git a/.github/workflows/tests-integ.yml b/.github/workflows/tests-integ.yml
@@ -1,4 +1,4 @@
-name: Run tests
+name: Run Integ tests
 
 on:
   workflow_dispatch:
@@ -27,6 +27,33 @@ jobs:
           role-duration-seconds: 900
           role-session-name: IntegOidcAssumeRole
           role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
+  integ-oidc-env:
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+        node: [14, 16, 18]
+    name: Run OIDC integ tests with existing invalid env vars
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_ACCESS_KEY_ID: dummyaccesskeyid
+      AWS_SECRET_ACCESS_KEY: dummysecretkey
+      AWS_SESSION_TOKEN: dummytoken
+    timeout-minutes: 30
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v3
+      - name: Integ test for OIDC
+        uses: ./
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+          role-session-name: IntegOidcAssumeRole
+          role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
   integ-access-keys:
     strategy:
       fail-fast: false

diff --git a/dist/index.js b/dist/index.js
diff --git a/src/index.ts b/src/index.ts
@@ -128,17 +128,13 @@ export async function run() {
       // the source credentials to already be masked as secrets
       // in any error messages.
       exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
-    } else if (
-      !webIdentityTokenFile &&
-      !roleChaining &&
-      !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
-    ) {
-      // Proceed if credentials are picked up
+    } else if (!webIdentityTokenFile && !roleChaining) {
+      // Proceed only if credentials can be picked up
       await credentialsClient.validateCredentials();
       sourceAccountId = await exportAccountId(credentialsClient, maskAccountId);
     }
 
-    if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+    if (AccessKeyId || roleChaining) {
       // Validate that the SDK can actually pick up credentials.
       // This validates cases where this action is using existing environment credentials,
       // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.