Merge pull request #37 from ably/aws-github-oidc

Support AWS credentials provided by aws-actions/configure-aws-credentials
ably · May 13, 2022 · 9dce5ce · 9dce5ce
2 parents 67fba84 + 153b03a
commit 9dce5ce
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 14 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,34 @@
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  # Test that this action works with AWS credentials provided by the
+  # aws-actions/configure-aws-credentials action using GitHub OIDC.
+  #
+  # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+  test-oidc:
+    runs-on: ubuntu-latest
+    permissions:
+      deployments: write
+      id-token: write
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::884096606738:role/ably-sdk-builds-sdk-upload-action
+          role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
+      - uses: actions/checkout@v2
+      - name: Create test files for upload
+        run: |
+          mkdir -p test
+          echo "success!" > test/build-output.txt
+      - name: Test action invocation works
+        uses: ./
+        with:
+          sourcePath: test
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          artifactName: test
diff --git a/README.md b/README.md
@@ -7,22 +7,51 @@ This action automates the deployment of generated artifacts to our Ably SDK team
 See [action.yml](action.yml) for explanations of each input.
 
 ```yaml
+permissions:
+  deployments: write
+  id-token: write
 steps:
+  - uses: aws-actions/configure-aws-credentials@v1
+    with:
+      aws-region: eu-west-2
+      role-to-assume: arn:aws:iam::884096606738:role/ably-sdk-builds-<REPO-NAME>
+      role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
   - uses: ably/sdk-upload-action@v1
     with:
-      s3AccessKeyId: ${{ secrets.SDK_S3_ACCESS_KEY_ID }}
-      s3AccessKey: ${{ secrets.SDK_S3_ACCESS_KEY }}
       sourcePath: doc/api
       githubToken: ${{ secrets.GITHUB_TOKEN }}
       artifactName: dartdoc
 ```
 
-In the above example, `githubToken` uses the `GITHUB_TOKEN` secret which is automatically supplied to GitHub runners so you don't need to do anything to access it. `s3AccessKeyId` and `s3AccessKey` are accessed as [encrypted secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) as these should not be exposed to the public domain.
+In the above example, `<REPO-NAME>` should be the Ably repository name (e.g. `ably-js`), and `githubToken` uses the `GITHUB_TOKEN` secret which is automatically supplied to GitHub runners so you don't need to do anything to access it.
 
 Artifacts generated from pull requests will be uploaded to `https://sdk.ably.io/builds/ably/${repository_name}/pull/${pull_number}/${artifactName}` and artifacts generated from pushes to the main branch will be uploaded to `https://sdk.ably.io/builds/ably/${repository_name}/main/${artifactName}`.
 
 ## Permissions
 
+### AWS
+
+This action expects the calling repository to be configured to use [GitHub OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) to obtain access to AWS resources within the Ably organization. This requires that the repository has an IAM role configured by Ably's internal Terraform deployment which can be used by [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) to retrieve temporary AWS access, for example:
+
+```yaml
+- uses: aws-actions/configure-aws-credentials@v1
+  with:
+    aws-region: eu-west-2
+    role-to-assume: arn:aws:iam::884096606738:role/ably-sdk-builds-ably-js
+    role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
+```
+
+The `configure-aws-credentials` action also needs `write` permissions for `id-token` in order to use a GitHub issued ID token to authenticate with AWS:
+
+```yaml
+permissions:
+  id-token: write
+```
+
+If you are unsure whether the appropriate IAM role has been configured, please speak to the Ably SDK team.
+
+### `githubToken`
+
 The `githubToken` requires `write` access to the `deployments` permissions scope.
 This means that workflows using this action in a repository that is owned by an org with the default access level for actions set to 'restricted' will need to explicitly specify this requirement in the workflow using [permissions](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions), something like this:
 

diff --git a/dist/index.js b/dist/index.js
@@ -104,12 +104,14 @@ core.debug(`environment: ${environment}`);
 const s3ClientConfig = {
     // RegionInputConfig
     region: 'eu-west-2',
-    // AwsAuthInputConfig
-    credentials: {
+};
+if (core.getInput('s3AccessKeyId') && core.getInput('s3AccessKey')) {
+    core.warning('Setting s3AccessKeyId and s3AccessKey is deprecated, please switch to using the aws-actions/configure-aws-credentials action with GitHub OIDC.');
+    s3ClientConfig.credentials = {
         accessKeyId: core.getInput('s3AccessKeyId'),
         secretAccessKey: core.getInput('s3AccessKey')
-    },
-};
+    };
+}
 const s3Client = new client_s3_1.S3Client(s3ClientConfig);
 const upload = (params) => __awaiter(void 0, void 0, void 0, function* () {
     const command = new client_s3_1.PutObjectCommand(params);

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/index.ts b/src/index.ts
@@ -1,6 +1,6 @@
 import * as core from '@actions/core';
 import { context, getOctokit } from '@actions/github';
-import { S3Client, PutObjectCommand, PutObjectCommandInput } from "@aws-sdk/client-s3";
+import { S3Client, S3ClientConfig, PutObjectCommand, PutObjectCommandInput } from "@aws-sdk/client-s3";
 import path from "path";
 import fs from "fs";
 import { lookup } from 'mime-types';
@@ -52,16 +52,18 @@ environment += ('/' + artifactName);
 core.debug(`keyPrefix: ${keyPrefix}`);
 core.debug(`environment: ${environment}`);
 
-const s3ClientConfig = {
+const s3ClientConfig: S3ClientConfig = {
     // RegionInputConfig
     region: 'eu-west-2',
+};
 
-    // AwsAuthInputConfig
-    credentials: {
+if(core.getInput('s3AccessKeyId') && core.getInput('s3AccessKey')) {
+    core.warning('Setting s3AccessKeyId and s3AccessKey is deprecated, please switch to using the aws-actions/configure-aws-credentials action with GitHub OIDC.');
+    s3ClientConfig.credentials = {
         accessKeyId: core.getInput('s3AccessKeyId'),
         secretAccessKey: core.getInput('s3AccessKey')
-    },
-};
+    };
+}
 
 const s3Client = new S3Client(s3ClientConfig);