Overwrite the aws config instead of appending #17

33 changes: 32 additions & 1 deletion README.md
Expand Up @@ -4,7 +4,9 @@ Obtain temporary AWS Creds from your Okta Profile.

## Usage

Here's an example. All options are required except `okta_mfa_method` which default to TOTP based notification.
Here's an example. All options are required except:
- `aws_profile` defaults to 'default'
- `okta_mfa_method` which default to TOTP based notification.

```yaml
- name: Create AWS profile
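Review bot: the new `okta_mfa_method` bullet carries over the grammar slip from the removed line ("which default to") and the two bullets are not parallel ("defaults to 'default'" vs. "which default to"); suggest `- \`aws_profile\`, which defaults to \`default\`` and `- \`okta_mfa_method\`, which defaults to TOTP-based notification` so both read the same way, with "TOTP-based" hyphenated.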
Expand All @@ -27,6 +29,35 @@ AWS_SESSION_TOKEN: ***

It also masks the actual values in the logs for added security.


You can create multiple profiles by using this action multiple times and specifying `aws_profile` for each like such:
```yaml
- name: Create First AWS profile
uses: mrchief/aws-creds-okta@master
with:
aws_profile: first-profile
aws_role_arn: arn:aws:iam::account-id:role/role-name
okta_username: [email protected]
okta_password: ${{ secrets.OKTA_PASSWORD }}
okta_app_url: https://mycompany.okta.com/home/amazon_aws/1234567890abcdefghij/123
okta_mfa_seed: ${{ secrets.OKTA_MFA_SEED }}

- name: Create Second AWS profile
uses: mrchief/aws-creds-okta@master
with:
aws_profile: second-profile
aws_role_arn: arn:aws:iam::account-id:role/role-name
okta_username: [email protected]
okta_password: ${{ secrets.OKTA_PASSWORD }}
okta_app_url: https://mycompany.okta.com/home/amazon_aws/1234567890abcdefghij/123
okta_mfa_seed: ${{ secrets.OKTA_MFA_SEED }}

- name: Run AWS Commands as Different Profiles
run: |
aws sts get-caller-identity --profile first-profile
aws sts get-caller-identity --profile second-profile
```

### 💡 Note

- Currently only supports `totp` authentication. There are plans to add support for other MFA methods. PRs welcome.
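Review bot: both example steps use `uses: mrchief/aws-creds-okta@master`, a mutable branch ref; because this action is handed `secrets.OKTA_PASSWORD` and `secrets.OKTA_MFA_SEED`, the README example should pin to a release tag or a commit SHA so a later push to `master` cannot silently change the code that runs with those secrets. Minor: "like such:" reads better as "like so:", and a blank line before the ```yaml fence would match the formatting of the first example above.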
4 changes: 4 additions & 0 deletions action.yml
Expand Up @@ -4,6 +4,10 @@ inputs:
aws_role_arn:
description: "ARN of federated Okta role"
required: true
aws_profile:
description: "The AWS profile to configure"
required: false
default: "default"
okta_username:
description: "Username of your Okta login (usually your email)"
required: true
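Review bot: `default: "default"` preserves the previously hard-coded profile name, so existing workflows that do not set `aws_profile` keep working unchanged; the description could additionally say that the value becomes the `[profile <name>]` section name in `~/.aws/config` and is passed directly to `tokendito --aws-profile`, so callers know to use a plain identifier without spaces or shell metacharacters.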
4 changes: 2 additions & 2 deletions entrypoint.sh
Expand Up @@ -8,15 +8,15 @@ config="${awsDir}/config"
credentials="${awsDir}/credentials"

mkdir -p "${awsDir}"
echo -e "[profile default]\noutput = json" >>"$config"
echo -e "[profile $INPUT_AWS_PROFILE]\noutput = json" >>"$config"
Owner

I think we may have to do something like

Suggested change
echo -e "[profile $INPUT_AWS_PROFILE]\noutput = json" >>"$config"
echo -e "[profile ${INPUT_AWS_PROFILE:-default}]\noutput = json" >>"$config"

but if you have tested it to be working fine, then we're good.


# Attempt to get aws credentials via tokendito
max_attempts=10
totp_time=30
totp_error='Each code can only be used once. Please wait for a new code and try again.'
for ((attempts = 1; attempts <= $max_attempts; attempts++)); do
echo "Requesting AWS credentials via Tokendito."
t_error=$(tokendito --aws-profile default -ou $INPUT_OKTA_APP_URL -R $INPUT_AWS_ROLE_ARN --username $INPUT_OKTA_USERNAME --password $INPUT_OKTA_PASSWORD --mfa-method ${INPUT_OKTA_MFA_METHOD:=token:software:totp} --mfa-response $(echo $INPUT_OKTA_MFA_SEED | mintotp ${totp_time}) 2>&1 1>/dev/null)
t_error=$(tokendito --aws-profile $INPUT_AWS_PROFILE -ou $INPUT_OKTA_APP_URL -R $INPUT_AWS_ROLE_ARN --username $INPUT_OKTA_USERNAME --password $INPUT_OKTA_PASSWORD --mfa-method ${INPUT_OKTA_MFA_METHOD:=token:software:totp} --mfa-response $(echo $INPUT_OKTA_MFA_SEED | mintotp ${totp_time}) 2>&1 1>/dev/null)

if [[ $? == 0 ]]; then
echo "Succeeded getting credentials in attempt #${attempts}."
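Review bot: the PR title says the config is overwritten instead of appended, but the changed line `echo -e "[profile $INPUT_AWS_PROFILE]\noutput = json" >>"$config"` still appends, so running the action twice with the same `aws_profile` writes a duplicate `[profile ...]` section. Switching to `>` would break the two-profile example added to the README, so an idempotent write fits better, e.g. `grep -q "^\[profile ${INPUT_AWS_PROFILE}\]" "$config" || echo -e "[profile ${INPUT_AWS_PROFILE}]\noutput = json" >>"$config"`. Separately, `$INPUT_AWS_PROFILE` is unquoted both in the echo and in `tokendito --aws-profile $INPUT_AWS_PROFILE`, so a value containing whitespace splits into extra arguments; quote it as `"$INPUT_AWS_PROFILE"` and, as suggested in the comment above, use `${INPUT_AWS_PROFILE:-default}` so the script still behaves when the variable is unset outside the GitHub runner.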