Merge pull request #6 from saml-to/5-set-awscredentials-and-awsconfig…

…-instead-of-environment-variables

add profile to inputs

.github/workflows/acceptance-tests.yml

@@ -144,3 +144,25 @@ jobs:
       #     GITHUB_TOKEN: ${{ secrets.SLYU_STANDALONE_01_USER_EMAIL_GH_TOKEN }}
       #     SAML_TO_NONLIVE: true
       #     SAML_TO_API_KEY: ${{ secrets.NONLIVE_API_KEY }}
+
+  assume-with-profile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          cache: 'yarn'
+      - run: yarn
+      - run: yarn build
+      - uses: ./
+        name: Assume test-assume-aws-role-action using saml-to/saml-to/saml-to.yml
+        with:
+          role: arn:aws:iam::580360238192:role/test-assume-aws-role-action
+          profile: my-profile
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: aws sts get-caller-identity
+        name: Test using environment variable
+      - run: aws sts get-caller-identity --profile my-profile
+        name: Test using --profile flag

README.md

@@ -139,6 +139,12 @@ If there are multiple `provider` entries in the `saml-to.yml` configuration file
 
 Specify an alternative path to the `saml-to.yml` configuration file.
 
+### `profile` (_Optional_)
+
+Store the credentials to the provided named profile in `~/.aws` (instead of writing them to Environment Variables)
+
+**Default**: `` (_Empty String_)
+
 **Default**: `saml-to.yml`
 
 ## Outputs

action.yml

@@ -20,6 +20,9 @@ inputs:
   configPath:
     description: "Specify a path to the SAML.to config file (Default: 'saml-to.yml')"
     required: false
+  profile:
+    description: 'Store the credentials to the provided named profile in `~/.aws` (instead of writing them to Environment Variables)'
+    required: false
 outputs:
   region:
     description: The AWS region

package.json

@@ -39,7 +39,8 @@
   "dependencies": {
     "@actions/core": "^1.6.0",
     "@aws-sdk/client-sts": "^3.43.0",
-    "axios": "^0.24.0"
+    "axios": "^0.24.0",
+    "which": "^2.0.2"
   },
   "devDependencies": {
     "@babel/core": "^7.16.0",
@@ -48,6 +49,7 @@
     "@types/inquirer": "^8.1.3",
     "@types/js-yaml": "^4.0.5",
     "@types/node": "14",
+    "@types/which": "^2.0.1",
     "@types/yargs": "^17.0.7",
     "@typescript-eslint/eslint-plugin": "^4.29.3",
     "@typescript-eslint/parser": "^4.29.3",
@@ -67,4 +69,4 @@
     "webpack-cli": "^4.9.1",
     "webpack-node-externals": "^3.0.0"
   }
-}
+}

src/action.ts

@@ -7,6 +7,7 @@ import {
   GithubSlsRestApiSamlResponseContainer,
   GithubSlsRestApiAwsAssumeSdkOptions,
 } from '../api/github-sls-rest-api';
+import { exec } from './exec';
 
 const { GITHUB_TOKEN, GITHUB_REPOSITORY, GITHUB_SHA, SAML_TO_NONLIVE, SAML_TO_API_KEY } =
   process.env;
@@ -34,6 +35,7 @@ export class Action {
     const region = getInput('region', { required: false }) || 'us-east-1';
     const configOwner = getInput('configOwner', { required: false }) || org;
     const configPath = getInput('configPath', { required: false }) || 'saml-to.yml';
+    const profile = getInput('profile', { required: false }) || undefined;
 
     if (provider) {
       info(`Assuming ${provider} Role: ${role} in ${region}`);
@@ -72,7 +74,7 @@ SAML Attributes:`);
         Object.entries(response.attributes).forEach(([k, v]) => info(` - ${k}: ${v}`));
       }
 
-      await this.assumeAws(response, region);
+      await this.assumeAws(response, region, profile);
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
     } catch (e: any) {
       const providerHint = sdkOpts ? ` (${sdkOpts.PrincipalArn}) ` : ' ';
@@ -139,7 +141,11 @@ https://docs.saml.to/usage/github-actions/assume-aws-role-action#centrally-manag
     }
   }
 
-  async assumeAws(response: GithubSlsRestApiSamlResponseContainer, region: string): Promise<void> {
+  async assumeAws(
+    response: GithubSlsRestApiSamlResponseContainer,
+    region: string,
+    profile?: string,
+  ): Promise<void> {
     const sts = new STS({ region });
     const opts = response.sdkOptions as GithubSlsRestApiAwsAssumeSdkOptions;
     if (!opts) {
@@ -174,11 +180,6 @@ https://docs.saml.to/usage/github-actions/assume-aws-role-action#centrally-manag
     info(`
 Assumed ${opts.RoleArn}: ${callerIdentity.Arn} (Credential expiration at ${assumeResponse.Credentials.Expiration})`);
 
-    exportVariable('AWS_DEFAULT_REGION', region);
-    exportVariable('AWS_ACCESS_KEY_ID', assumeResponse.Credentials.AccessKeyId);
-    exportVariable('AWS_SECRET_ACCESS_KEY', assumeResponse.Credentials.SecretAccessKey);
-    exportVariable('AWS_SESSION_TOKEN', assumeResponse.Credentials.SessionToken);
-
     setOutput('region', region);
     setOutput('accountId', callerIdentity.Account);
     setOutput('userId', callerIdentity.UserId);
@@ -187,5 +188,30 @@ Assumed ${opts.RoleArn}: ${callerIdentity.Arn} (Credential expiration at ${assum
     setOutput('accessKeyId', assumeResponse.Credentials.AccessKeyId);
     setOutput('secretAccessKey', assumeResponse.Credentials.SecretAccessKey);
     setOutput('sessionToken', assumeResponse.Credentials.SessionToken);
+
+    if (profile) {
+      exportVariable('AWS_PROFILE', profile);
+
+      const base = ['aws', 'configure'];
+
+      if (profile !== 'default') {
+        base.push('--profile', profile);
+      }
+      base.push('set');
+      await exec([...base, 'region', region]);
+      await exec([...base, 'aws_access_key_id', assumeResponse.Credentials.AccessKeyId]);
+      await exec([...base, 'aws_secret_access_key', assumeResponse.Credentials.SecretAccessKey]);
+      await exec([...base, 'aws_session_token', assumeResponse.Credentials.SessionToken]);
+
+      info(`AWS Profile has been set!`);
+      return;
+    }
+
+    exportVariable('AWS_DEFAULT_REGION', region);
+    exportVariable('AWS_ACCESS_KEY_ID', assumeResponse.Credentials.AccessKeyId);
+    exportVariable('AWS_SECRET_ACCESS_KEY', assumeResponse.Credentials.SecretAccessKey);
+    exportVariable('AWS_SESSION_TOKEN', assumeResponse.Credentials.SessionToken);
+
+    info(`Environment Variables have been set!`);
   }
 }

src/exec.ts

@@ -0,0 +1,35 @@
+import proc from 'child_process';
+import which from 'which';
+
+export const exec = (argv: string[]): Promise<void> => {
+  return new Promise((resolve, reject) => {
+    const env = {
+      ...process.env,
+    };
+
+    let command: string;
+    try {
+      command = which.sync(argv[0]);
+    } catch (e) {
+      reject(new Error(`Unable to locate the '${argv[0]}' command on this system`));
+      return;
+    }
+
+    const p = proc.spawn(command, argv.slice(1), {
+      shell: true,
+      env,
+    });
+
+    p.on('error', (err) => {
+      reject(err);
+    });
+
+    p.on('exit', () => {
+      resolve();
+    });
+
+    p.stdin.pipe(process.stdin);
+    p.stdout.pipe(process.stdout);
+    p.stderr.pipe(process.stderr);
+  });
+};

yarn.lock

@@ -957,6 +957,11 @@
   dependencies:
     "@types/node" "*"
 
+"@types/which@^2.0.1":
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/@types/which/-/which-2.0.1.tgz#27ecd67f915b7c3d6ba552135bb1eecd66e63501"
+  integrity sha512-Jjakcv8Roqtio6w1gr0D7y6twbhx6gGgFGF5BLwajPpnOIOxFkakFhCq+LmyyeAz7BX6ULrjBOxdKaCDy+4+dQ==
+
 "@types/yargs-parser@*":
   version "20.2.1"
   resolved "https://registry.yarnpkg.com/@types/yargs-parser/-/yargs-parser-20.2.1.tgz#3b9ce2489919d9e4fea439b76916abc34b2df129"
@@ -3288,7 +3293,7 @@ which-boxed-primitive@^1.0.2:
     is-string "^1.0.5"
     is-symbol "^1.0.3"
 
-which@^2.0.1:
+which@^2.0.1, which@^2.0.2:
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/which/-/which-2.0.2.tgz#7c6a8dd0a636a0327e10b59c9286eee93f3f51b1"
   integrity sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==