diff --git a/.github/workflows/tests-integ.yml b/.github/workflows/tests-integ.yml index 84dd38466..722bbeef3 100644 --- a/.github/workflows/tests-integ.yml +++ b/.github/workflows/tests-integ.yml @@ -1,4 +1,4 @@ -name: Run tests +name: Run Integ tests on: workflow_dispatch: @@ -27,6 +27,33 @@ jobs: role-duration-seconds: 900 role-session-name: IntegOidcAssumeRole role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }} + integ-oidc-env: + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest] + node: [14, 16, 18] + name: Run OIDC integ tests with existing invalid env vars + runs-on: ${{ matrix.os }} + env: + AWS_ACCESS_KEY_ID: dummyaccesskeyid + AWS_SECRET_ACCESS_KEY: dummysecretkey + AWS_SESSION_TOKEN: dummytoken + timeout-minutes: 30 + steps: + - name: "Checkout repository" + uses: actions/checkout@v3 + - name: Integ test for OIDC + uses: ./ + with: + aws-region: us-west-2 + role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }} + role-duration-seconds: 900 + role-session-name: IntegOidcAssumeRole + role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }} integ-access-keys: strategy: fail-fast: false diff --git a/dist/index.js b/dist/index.js index 660921077..a0c7c39a6 100644 --- a/dist/index.js +++ b/dist/index.js @@ -520,12 +520,12 @@ async function run() { // in any error messages. (0, helpers_1.exportCredentials)({ AccessKeyId, SecretAccessKey, SessionToken }); } - else if (!webIdentityTokenFile && - !roleChaining && - !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) { - throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.'); + else if (!webIdentityTokenFile && !roleChaining) { + // Proceed only if credentials can be picked up + await credentialsClient.validateCredentials(); + sourceAccountId = await (0, helpers_1.exportAccountId)(credentialsClient, maskAccountId); } - if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) { + if (AccessKeyId || roleChaining) { // Validate that the SDK can actually pick up credentials. // This validates cases where this action is using existing environment credentials, // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings. diff --git a/src/index.ts b/src/index.ts index cc24be861..da296c70c 100644 --- a/src/index.ts +++ b/src/index.ts @@ -128,15 +128,13 @@ export async function run() { // the source credentials to already be masked as secrets // in any error messages. exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken }); - } else if ( - !webIdentityTokenFile && - !roleChaining && - !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY']) - ) { - throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.'); + } else if (!webIdentityTokenFile && !roleChaining) { + // Proceed only if credentials can be picked up + await credentialsClient.validateCredentials(); + sourceAccountId = await exportAccountId(credentialsClient, maskAccountId); } - if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) { + if (AccessKeyId || roleChaining) { // Validate that the SDK can actually pick up credentials. // This validates cases where this action is using existing environment credentials, // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings. diff --git a/test/index.test.ts b/test/index.test.ts index ccb6fc42f..42fad855f 100644 --- a/test/index.test.ts +++ b/test/index.test.ts @@ -202,7 +202,7 @@ describe('Configure AWS Credentials', () => { await run(); expect(core.setFailed).toHaveBeenCalledWith( - 'Could not determine how to assume credentials. Please check your inputs and try again.' + 'Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers' ); }); @@ -217,7 +217,7 @@ describe('Configure AWS Credentials', () => { await run(); expect(core.setFailed).toHaveBeenCalledWith( - 'Could not determine how to assume credentials. Please check your inputs and try again.' + 'Credentials could not be loaded, please check your action inputs: Access key ID empty after loading credentials' ); }); @@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => { }); test('GH OIDC check fails if token is not set', async () => { + (fromEnv as jest.Mock).mockReset(); process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined; process.env['GITHUB_ACTIONS'] = 'true'; jest.spyOn(core, 'getInput').mockImplementation( @@ -524,7 +525,7 @@ describe('Configure AWS Credentials', () => { ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.' ); expect(core.setFailed).toHaveBeenCalledWith( - 'Could not determine how to assume credentials. Please check your inputs and try again.' + 'Credentials could not be loaded, please check your action inputs: provider is not a function' ); });