Provide ARN of authenticated principal as output

[tsibley]

Describe the feature

Similar to how the account id of the authenticated principal is set:

configure-aws-credentials/src/helpers.ts

Lines 57 to 70 in ffc9011

	// Obtains account ID from STS Client and sets it as output
	export async function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: boolean) {
	const client = credentialsClient.stsClient;
	const identity = await client.send(new GetCallerIdentityCommand({}));
	const accountId = identity.Account;
	if (!accountId) {
	throw new Error('Could not get Account ID from STS. Did you set credentials?');
	}
	if (maskAccountId) {
	core.setSecret(accountId);
	}
	core.setOutput('aws-account-id', accountId);
	return accountId;
	}

it would be nice to have the ARN as well (e.g. from the same STS.GetCallerIdentity call).

Beyond providing it as an output that the calling workflow can use how it pleases, I'd also like to see the ARN output to logs by default, but I understand there are privacy/security implications to consider there.

Use Case

It's very useful to be able to expose the ARN to logs or for debugging/troubleshooting. Even this GitHub Action's README includes

aws sts get-caller-identity

in examples. :-)

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[tim-finnigan]

Thanks for the feature request. I recognize the value here, but yes there are security implications to consider like you said.

[injae-kim]

Fix PR: #1191