/configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.

Primary LanguageJavaScriptMIT LicenseMIT

"Configure AWS Credentials" Action For GitHub Actions

Configure AWS credential and region environment variables for use in other GitHub Actions. The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls.

Table of Contents

Usage

Add the following step to your workflow:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-2

For example, you can use this action with the AWS CLI available in GitHub's hosted virtual environments. You can also run this action multiple times to use different AWS accounts, regions, or IAM roles in the same GitHub Actions workflow job.

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Configure AWS credentials from Test account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Copy files to the test website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-test-website-bucket

    - name: Configure AWS credentials from Production account
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2

    - name: Copy files to the production website with the AWS CLI
      run: |
        aws s3 sync . s3://my-s3-prod-website-bucket

See action.yml for the full documentation for this action's inputs and outputs.

Credentials

We recommend following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:

  • Do not store credentials in your repository's code. You may use GitHub Actions secrets to store credentials and redact credentials from GitHub Actions workflow logs.
  • Create an individual IAM user with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
  • Grant least privilege to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows.
  • Rotate the credentials used in GitHub Actions workflows regularly.
  • Monitor the activity of the credentials used in GitHub Actions workflows.

Assuming a Role

If you would like to use the static credentials you provide to this action to assume a role, you can do so by specifying the role ARN in role-to-assume. The role credentials will then be configured in the Actions environment instead of the static credentials you have provided. The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to role-duration-seconds. The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name.

Example:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-2
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
        role-duration-seconds: 1200
        role-session-name: MySessionName

In this example, the secret AWS_ROLE_TO_ASSUME contains a string like arn:aws:iam::123456789100:role/my-github-actions-role. To assume a role in the same account as the static credentials, you can simply specify the role name, like role-to-assume: my-github-actions-role.

Permissions for assuming a role

In order to assume a role, the IAM user for the static credentials must have the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Resource": "arn:aws:iam::123456789012:role/my-github-actions-role",
            "Effect": "Allow"
        }
    ]
}

The role's trust policy must allow the IAM user to assume the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIamUserAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/my-github-actions-user"},
            "Condition": {
                "StringEquals": {"sts:ExternalId": "Example987"}
            }
        },
        {
            "Sid": "AllowPassSessionTags",
            "Effect": "Allow",
            "Action": "sts:TagSession",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/my-github-actions-user"}
        }
    ]
}

Session tagging

The session will have the name "GitHubActions" and be tagged with the following tags: (GITHUB_ environment variable definitions can be found here)

Key Value
GitHub "Actions"
Repository GITHUB_REPOSITORY
Workflow GITHUB_WORKFLOW
Action GITHUB_ACTION
Actor GITHUB_ACTOR
Branch GITHUB_REF
Commit GITHUB_SHA

Note: all tag values must conform to the requirements. Particularly, GITHUB_WORKFLOW will be truncated if it's too long. If GITHUB_ACTOR or GITHUB_WORKFLOW contain invalid charcters, the characters will be replaced with an '*'.

The action will use session tagging by default during role assumption. You can skip this session tagging by providing role-skip-session-tagging as true in the action's inputs:

      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-skip-session-tagging: true

Self-Hosted Runners

If you run your GitHub Actions in a self-hosted runner that already has access to AWS credentials, such as an EC2 instance, then you do not need to provide IAM user access key credentials to this action.

If no access key credentials are given in the action inputs, this action will use credentials from the runner environment using the default methods for the AWS SDK for Javascript.

You can use this action to simply configure the region and account ID in the environment, and then use the runner's credentials for all AWS API calls made by your Actions workflow:

uses: aws-actions/configure-aws-credentials@v1
with:
  aws-region: us-east-2

In this case, your runner's credentials must have permissions to call any AWS APIs called by your Actions workflow.

Or, you can use this action to assume a role, and then use the role credentials for all AWS API calls made by your Actions workflow:

uses: aws-actions/configure-aws-credentials@v1
with:
  aws-region: us-east-2
  role-to-assume: my-github-actions-role

In this case, your runner's credentials must have permissions to assume the role.

License Summary

This code is made available under the MIT license.

Security Disclosures

If you would like to report a potential security issue in this project, please do not create a GitHub issue. Instead, please follow the instructions here or email AWS security directly.