assume AWS role

Author: cnuss

action.yml

@@ -4,10 +4,14 @@ branding:
   icon: 'arrow-up-circle'
   color: 'blue'
 inputs:
-  token:
-    description: A GitHub Token
+  region:
+    description: 'The AWS Region to deploy to'
     required: false
-    default: ${{ github.token }}
+    default: 'us-east-1'
+  role:
+    description: 'The AWS Role to use for deployment'
+    required: false
+    default: ${{ vars.DEPLOYMENT_ROLE }}
 runs:
   using: 'node20'
   main: 'dist/main.js'

package.json

@@ -33,6 +33,7 @@
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.0",
     "@aws-sdk/client-cloudformation": "^3.533.0",
+    "@aws-sdk/client-sts": "^3.533.0",
     "axios": "^1.6.7",
     "jose": "^5.2.3"
   },
@@ -63,4 +64,4 @@
     "webpack-cli": "^4.9.1",
     "webpack-node-externals": "^3.0.0"
   }
-}
+}

src/action.ts

@@ -1,13 +1,19 @@
-import { debug, notice, getIDToken } from '@actions/core';
+import { debug, notice, getIDToken, exportVariable, info } from '@actions/core';
 import { getInput } from '@actions/core';
+import { context } from '@actions/github';
 import { warn } from 'console';
 import fs from 'fs';
 import path from 'path';
-import { CloudFormationClient, DescribeStacksCommand } from '@aws-sdk/client-cloudformation';
-// import axios from 'axios';
-import * as jose from 'jose';
+import { CloudFormationClient, DescribeStacksCommand, Stack } from '@aws-sdk/client-cloudformation';
+import {
+  STSClient,
+  AssumeRoleWithWebIdentityCommand,
+  GetCallerIdentityCommand,
+} from '@aws-sdk/client-sts';
+import packageJson from '../package.json';
+import { roleSetupInstructions } from './messages';
 
-const { GITHUB_TOKEN } = process.env;
+const { GITHUB_TOKEN, GITHUB_REPOSITORY } = process.env;
 
 type ServerlessState = {
   service: {
@@ -21,20 +27,18 @@ type ServerlessState = {
 
 export class Action {
   async run(): Promise<void> {
-    debug('Running!');
-
-    const token = getInput('token') || GITHUB_TOKEN;
-
-    if (!token) {
-      throw new Error('Missing GitHub Token');
-    }
+    const region = getInput('region') || 'us-east-1';
+    const role = getInput('role');
+    const [owner, repo] = GITHUB_REPOSITORY?.split('/') || [];
 
     let idToken: string | undefined = undefined;
 
     try {
       idToken = await getIDToken();
     } catch (e) {
-      warn('Unable to get ID Token.');
+      warn(
+        'Unable to get ID Token. Please ensure the `id-token: write` is enabled in the GitHub Action permissions.',
+      );
       debug(`Error: ${e}`);
     }
 
@@ -43,77 +47,113 @@ export class Action {
       return;
     }
 
-    // console.log(
-    //   '!!! idToken',
-    //   Buffer.from(Buffer.from(idToken, 'utf8').toString('base64'), 'utf8').toString('base64'),
-    // );
+    try {
+      let client = new STSClient({ region });
+      const assumeResponse = await client.send(
+        new AssumeRoleWithWebIdentityCommand({
+          WebIdentityToken: idToken,
+          RoleArn: role,
+          RoleSessionName: `${packageJson.name}@${packageJson.version}:${context.runId}`,
+        }),
+      );
+
+      exportVariable('AWS_DEFAULT_REGION', region);
+      exportVariable('AWS_ACCESS_KEY_ID', assumeResponse.Credentials?.AccessKeyId);
+      exportVariable('AWS_SECRET_ACCESS_KEY', assumeResponse.Credentials?.SecretAccessKey);
+      exportVariable('AWS_SESSION_TOKEN', assumeResponse.Credentials?.SessionToken);
 
-    const JWKS = jose.createRemoteJWKSet(
-      new URL('https://token.actions.githubusercontent.com/.well-known/jwks'),
-    );
+      client = new STSClient({
+        region,
+        credentials: {
+          accessKeyId: assumeResponse.Credentials!.AccessKeyId!,
+          secretAccessKey: assumeResponse.Credentials!.SecretAccessKey!,
+          sessionToken: assumeResponse.Credentials!.SessionToken!,
+        },
+      });
 
-    const { payload, protectedHeader } = await jose.jwtVerify(idToken, JWKS, {
-      issuer: 'https://token.actions.githubusercontent.com',
-      // audience: 'urn:example:audience',
-    });
+      const callerIdentity = await client.send(new GetCallerIdentityCommand({}));
 
-    console.log('!!! payload', payload);
-    console.log('!!! protectedHeader', protectedHeader);
+      info(
+        `Assumed ${role}: ${callerIdentity.Arn} (Credential expiration at ${assumeResponse.Credentials?.Expiration})`,
+      );
+    } catch (e) {
+      if (!(e instanceof Error)) {
+        throw e;
+      }
+      debug(`Error: ${e}`);
+      throw new Error(`Unable to assume role: ${e.message}\n${roleSetupInstructions(owner, repo)}`);
+    }
   }
 
   async post(): Promise<void> {
-    debug('Post Running!');
-
     const token = getInput('token') || GITHUB_TOKEN;
 
     if (!token) {
       throw new Error('Missing GitHub Token');
     }
 
-    let serverlessState: ServerlessState | undefined = undefined;
+    const httpApiUrl = await this.httpApiUrl;
 
-    try {
-      serverlessState = JSON.parse(
-        fs.readFileSync(path.join('.serverless', 'serverless-state.json'), 'utf8'),
-      );
-    } catch (e) {
-      warn('No serverless state found.');
-      debug(`Error: ${e}`);
-      return;
-    }
+    notice(`HTTP API URL: ${httpApiUrl}`);
+  }
+
+  get serverlessState(): Promise<ServerlessState | undefined> {
+    return new Promise(async (resolve) => {
+      try {
+        const serverlessState = JSON.parse(
+          fs.readFileSync(path.join('.serverless', 'serverless-state.json'), 'utf8'),
+        );
+
+        return resolve(serverlessState);
+      } catch (e) {
+        warn('No serverless state found.');
+        debug(`Error: ${e}`);
+        return;
+      }
+    });
+  }
 
-    let httpApiUrl: string | undefined = undefined;
+  get stack(): Promise<Stack | undefined> {
+    return new Promise(async (resolve) => {
+      const serverlessState = await this.serverlessState;
 
-    try {
-      const stackName = `${serverlessState!.service.service}-${
-        serverlessState!.service.provider.stage
-      }`;
+      if (!serverlessState) {
+        return resolve(undefined);
+      }
 
-      const client = new CloudFormationClient({ region: serverlessState!.service.provider.region });
+      const stackName = `${serverlessState.service.service}-${serverlessState.service.provider.stage}`;
+
+      const client = new CloudFormationClient({ region: serverlessState.service.provider.region });
 
       const describeStacks = await client.send(new DescribeStacksCommand({ StackName: stackName }));
 
       const stack = describeStacks.Stacks?.find(
         (s) =>
           s.StackName === stackName &&
           s.Tags?.find(
-            (t) => t.Key === 'STAGE' && t.Value === serverlessState!.service.provider.stage,
+            (t) => t.Key === 'STAGE' && t.Value === serverlessState.service.provider.stage,
           ),
       );
 
       if (!stack) {
         warn('Unable to find stack.');
         debug(JSON.stringify(describeStacks));
-        return;
+        return resolve(undefined);
       }
 
-      httpApiUrl = stack.Outputs?.find((o) => o.OutputKey === 'HttpApiUrl')?.OutputValue;
-    } catch (e) {
-      warn('Unable to determine HTTP API URL.');
-      debug(`Error: ${e}`);
-      return;
-    }
+      return resolve(stack);
+    });
+  }
 
-    notice(`HTTP API URL: ${httpApiUrl}`);
+  get httpApiUrl(): Promise<string | undefined> {
+    return new Promise(async (resolve) => {
+      const stack = await this.stack;
+
+      if (!stack) {
+        return resolve(undefined);
+      }
+
+      return resolve(stack.Outputs?.find((o) => o.OutputKey === 'HttpApiUrl')?.OutputValue);
+    });
   }
 }

src/messages.ts

@@ -0,0 +1,44 @@
+export const roleSetupInstructions = (owner: string, repo: string): string => {
+  return `
+1. If you haven't already, create an Identity Provider in AWS IAM for GitHub Actions:
+    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
+    - For the provider URL: Use https://token.actions.githubusercontent.com
+    - For the "Audience": Use sts.amazonaws.com
+
+2. Create or update a role in AWS IAM with the following trust relationship:
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
+          },
+          "Action": "sts:AssumeRoleWithWebIdentity",
+          "Condition": {
+            "StringEquals": {
+              "token.actions.githubusercontent.com:sub": "repo:${owner}/${repo}:*"
+            }
+          }
+        }
+      ]
+    }
+
+3. Ensure the IAM role has the following policies attached:
+    - AWSLambdaFullAccess
+    - AWSLambdaRole
+    - AWSLambdaVPCAccessExecutionRole
+    - AWSLambdaENIManagementAccess
+    - AWSLambdaBasicExecutionRole
+    - AWSLambdaKinesisExecutionRole
+    - AWSLambdaSQSQueueExecutionRole
+    - AWSLambdaDynamoDB
+
+4. Add the AWS IAM Role ARN to your GitHub Repository Variables:
+    - https://github.com/${owner}/${repo}/settings/variables/actions
+    - Name: DEPLOYMENT_ROLE
+    - Value: arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
+
+5. Re-run this action. Enable debug logging if you need more information.
+`;
+};

yarn.lock

@@ -233,7 +233,7 @@
     "@smithy/util-utf8" "^2.2.0"
     tslib "^2.5.0"
 
-"@aws-sdk/client-sts@3.533.0":
+"@aws-sdk/client-sts@3.533.0", "@aws-sdk/client-sts@^3.533.0":
   version "3.533.0"
   resolved "https://registry.yarnpkg.com/@aws-sdk/client-sts/-/client-sts-3.533.0.tgz#a792fc321509dee0b104a3470653663315068bce"
   integrity sha512-Z/z76T/pEq0DsBpoyWSMQdS7R6IRpq2ZV6dfZwr+HZ2vho2Icd70nIxwiNzZxaV16aVIhu5/l/5v5Ns9ZCfyOA==