Description
Describe the bug
- Use the GitHub OIDC provider to assume a basic role, ROLE_1
- Use role-chaining to assume a specific role, ROLE_2, with extended permissions for a specific workflow
Code example:

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/ROLE_1
    aws-region: eu-central-1
    role-session-name: SESSION_NAME
- name: Assume execution role
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: eu-central-1
    role-to-assume: "arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/ROLE_2"
    role-session-name: SESSION_NAME
    role-chaining: true
    output-credentials: false
```
This pattern works as expected; however, the GitHub output shows the AWS credentials, despite `output-credentials` having been explicitly set to `false`.
Example of output:

```text
Step: Configure AWS credentials
Run aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::XXX/ROLE_1
    aws-region: eu-central-1
    role-session-name: SESSION_NAME
    audience: sts.amazonaws.com
  env:
    AWS_REGION: eu-central-1
    GITHUB_REPO_NAME: xxxxx
    TERRAFORM_CLI_PATH: /home/runner/_work/_temp/xxxxx
Assuming role with OIDC
Authenticated as assumedRoleId ARARESOGVZRDSR:SESSION_NAME

Step: Assume execution role
Run aws-actions/configure-aws-credentials@v4
  with:
    aws-region: eu-central-1
    role-to-assume: arn:aws:iam::XXX/ROLE_2
    role-session-name: SESSION_NAME
    role-chaining: true
    output-credentials: false
    audience: sts.amazonaws.com
  env:
    AWS_REGION: eu-central-1
    GITHUB_REPO_NAME: xxxxx
    TERRAFORM_CLI_PATH: /home/runner/_work/_temp/xxxxx
    AWS_DEFAULT_REGION: eu-central-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
Assuming role with user credentials
Authenticated as assumedRoleId ARARESOGVZRDSR:SESSION_NAME
```
Expected Behavior
The second step should not print those variables:

```text
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_SESSION_TOKEN: ***
```
Current Behavior
The GitHub runner prints those credentials, and does so in every other step inside the job:

```text
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_SESSION_TOKEN: ***
```
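As an added check (not part of this issue or of the action's own code), the following Python scans a job log in the format shown above, records which AWS credential variables reached each step's `env:` block, and flags any whose value is not the `***` mask. The sample log is constructed from the excerpt above, with a third step added to show the unmasked case.

```python
import re

# Constructed sample, condensed from the job log quoted in this issue; the third step is added to show an unmasked value.
SAMPLE_LOG = """\
Step: Configure AWS credentials
env:
  AWS_REGION: eu-central-1
Assuming role with OIDC
Step: Assume execution role
with:
  role-chaining: true
  output-credentials: false
env:
  AWS_ACCESS_KEY_ID: ***
  AWS_SECRET_ACCESS_KEY: ***
  AWS_SESSION_TOKEN: ***
Assuming role with user credentials
Step: Terraform plan
env:
  AWS_ACCESS_KEY_ID: AKIAEXAMPLEKEYID0000
  AWS_SECRET_ACCESS_KEY: ***
"""

CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
KV_RE = re.compile(r"^\s+([A-Z_][A-Z0-9_]*): (.*)$")  # indented KEY: value inside env:

def parse_steps(log):
    """Return [(step_name, env_dict)] by walking the 'Step:' / 'env:' structure of a job log."""
    steps, in_env = [], False
    for line in log.splitlines():
        if line.startswith("Step: "):
            steps.append((line[len("Step: "):], {}))
            in_env = False
        elif line.rstrip() == "env:":
            in_env = True
        elif line and not line[0].isspace():
            in_env = False  # any other unindented line ends the env: block
        elif in_env and steps and (kv := KV_RE.match(line)):
            steps[-1][1][kv.group(1)] = kv.group(2)
    return steps

def audit_credentials(log):
    """Per step: which AWS credential vars were exported into its env, and which are not masked."""
    return [
        {"step": name,
         "creds_in_env": [v for v in CRED_VARS if v in env],
         "unmasked": [v for v in CRED_VARS if v in env and env[v] != "***"]}
        for name, env in parse_steps(log)
    ]
```

Run `audit_credentials` over a real job log to confirm that credentials exported by the first step appear in every later step's env and that each value is masked.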
Reproduction Steps
- Have an OIDC provider set up
- Have ROLE_1 that can be assumed via OIDC
- Have ROLE_1 with those permissions:

```hcl
# Statement list of the IAM policy attached to ROLE_1
Statement = [
  {
    Effect   = "Allow"
    Action   = "sts:AssumeRole"
    Resource = [
      "arn:aws:iam::${var.account_id}:role/ROLE_2",
    ]
  },
  {
    Effect   = "Allow"
    Action   = "sts:TagSession"
    Resource = "*"
  }
]
```
- Have ROLE_2 with those permissions:

```hcl
# Statement list of ROLE_2's trust (assume-role) policy
Statement = [
  {
    Effect    = "Allow"
    Principal = {
      AWS = "arn:aws:iam::${var.account_id}:role/ROLE_1"
    }
    Action = [
      "sts:AssumeRole",
      "sts:TagSession"
    ]
  }
]
```
- Use those steps in your job

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/ROLE_1
    aws-region: eu-central-1
    role-session-name: SESSION_NAME
- name: Assume execution role
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: eu-central-1
    role-to-assume: "arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/ROLE_2"
    role-session-name: SESSION_NAME
    role-chaining: true
    output-credentials: false
```
Possible Solution
No response
Additional Information/Context
The goal of this pattern is to keep minimal access on the role assumable via OIDC, and to require role-chaining that must be explicit in the CI workflow in order to extend permissions via a dedicated role for the use case.