Use this action to perform authentication with an Amazon Cognito Identity Pool using the GitHub Actions OIDC access token.
This action is when using Basic (Classic) AuthFlow. A different action for Enhanced (Simplified) AuthFlow is available here.
This repository is available as a template repository.
At the time writing (October 2023) this action has not been tested or reviewed by anyone other than the author, hence the alpha status. If using this action, please provide feedback.
on:
workflow_dispatch:
jobs:
job1:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: "Authenticate using Basic AuthFlow"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
cognito-identity-pool-id: "eu-west-1:11111111-example"
aws-account-id: "111111111111"
aws-region: "eu-west-1"
audience: "cognito-identity.amazonaws.com" # Same value as default
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
set-in-environment: true
- name: "STS Get Caller Identity"
run: |
aws sts get-caller-identity- Only
cognito-identity-pool-idis a required input to the action. aws-account-idandaws-regionare required, but values can optionally be derived from environment variables, if this behaviour is wanted.- Input to action via parameters will supersede environment variables for
aws-account-idandaws-region.- Env Var 1 supersedes Env Var 2.
| Input Parameter Name | Default value | Example | Env Var 1 | Env Var 2 |
|---|---|---|---|---|
| cognito-identity-pool-id | - | eu-west-1:11111111-example | - | - |
| aws-account-id | - | 1111111111111 | CK_COGNITO_AWS_ACCOUNT_ID | AWS_ACCOUNT_ID |
| aws-region | - | eu-west-1 | CK_COGNITO_AWS_REGION | AWS_DEFAULT_REGION |
| audience | cognito-identity.amazonaws.com | cognito-identity.amazonaws.com | - | - |
| role-arn | - | arn:aws:iam::111111111111:role/role | - | - |
| role-duration-seconds | 3600 | 1500 | - | - |
| role-session-name | GitHubActions | MySessionName | - | - |
| set-as-profile | - | cache | - | - |
| set-in-environment | - | true | - | - |
| Parameter |
|---|
| aws_access_key_id |
| aws_secret_access_key |
| aws_session_token |
| aws_region |
| cognito_identity_oidc_access_token |
on:
workflow_dispatch:
env:
CK_COGNITO_AWS_ACCOUNT_ID: "${{ vars.CK_COGNITO_AWS_ACCOUNT_ID }}"
AWS_DEFAULT_REGION: "us-east-1"
jobs:
job1:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: "Authenticate using Basic AuthFlow"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
cognito-identity-pool-id: "eu-west-1:11111111-example"
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
set-in-environment: true
aws-region: "eu-west-1" # Overrides AWS_DEFAULT_REGION
- name: "STS Get Caller Identity"
run: |
aws sts get-caller-identityIn order for credentials to exist, role-arn has to be set and successful authentication must have completed. If not setting role-arn, cognito_identity_oidc_access_token is available.
- Credentials are always available as output parameters from the action, as long as
role-arnwas set. - Set input option
set-in-environmenttotrueand standard AWS environment variables will be set. - Provide a profile name in input option
set-as-profileto set credentials as a profile. - Setting
set-in-environmenttotrue, and setting a value inset-as-profilewill both set environment variables and the profile. - When neither
set-in-environmentnorset-as-profileis provided, credentials are only available as outputs.
on:
workflow_dispatch:
env:
CK_COGNITO_AWS_ACCOUNT_ID: "${{ vars.CK_COGNITO_AWS_ACCOUNT_ID }}"
AWS_DEFAULT_REGION: "eu-west-1"
jobs:
job1:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- id: aws-credentials
name: "Credentials as output only"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
cognito-identity-pool-id: "eu-west-1:11111111-example"
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
- name: "Credentials in environment"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
cognito-identity-pool-id: "eu-west-1:11111111-example"
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
set-in-environment: true
- name: "Credentials in profile: tf-state"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
set-as-profile: "tf-state"
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
cognito-identity-pool-id: "${{ vars.TF_STATE_COGNITO_IDENTITY_POOL_ID }}"
- name: "Credentials in profile: cache"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
set-as-profile: "cache"
role-arn: "arn:aws:iam::111111111111:role/cognito-gha"
cognito-identity-pool-id: "${{ vars.CACHE_COGNITO_IDENTITY_POOL_ID }}"
- name: STS Get Caller Identity
run: |
aws sts get-caller-identity
aws sts get-caller-identity --profile tf-state
aws sts get-caller-identity --profile cache
- name: "STS Get Caller Identity"
env:
AWS_ACCESS_KEY_ID: "${{ steps.aws-credentials.outputs.aws_access_key_id }}"
AWS_SECRET_ACCESS_KEY: "${{ steps.aws-credentials.outputs.aws_secret_access_key }}"
AWS_SESSION_TOKEN: "${{ steps.aws-credentials.outputs.aws_session_token }}"
run: |
aws sts get-caller-identityWhen role-arn is not set, output cognito_identity_oidc_access_token is available. It can then be used to assume role inside the workflow.
on:
workflow_dispatch:
jobs:
job1:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- id: oidc_token
name: "Get Cognito OIDC Access Token"
uses: catnekaise/cognito-idpool-basic-auth@alpha
with:
cognito-identity-pool-id: "${{ vars.COGNITO_IDENTITY_POOL_ID }}"
aws-region: "eu-west-1"
aws-account-id: "111111111111"
- name: "Assume Role"
env:
OIDC_TOKEN: "${{ steps.oidc_token.outputs.cognito_identity_oidc_access_token }}"
AWS_DEFAULT_REGION: "eu-west-1"
run: |
awsCredentials=$(aws sts assume-role-with-web-identity \
--role-session-name "MySessionName" \
--role-arn "arn:aws:iam::111111111111:role/cognito-gha" \
--duration-seconds 3600 \
--web-identity-token "$OIDC_TOKEN")
awsAccessKeyId=$(echo "$awsCredentials" | jq -r ".Credentials.AccessKeyId")
awsSecretAccessKey=$(echo "$awsCredentials" | jq -r ".Credentials.SecretAccessKey")
awsSessionToken=$(echo "$awsCredentials" | jq -r ".Credentials.SessionToken")
echo "::add-mask::$awsAccessKeyId"
echo "::add-mask::$awsSecretAccessKey"
echo "::add-mask::$awsSessionToken"Provide the bare minimum implementation for performing Basic (Classic) AuthFlow with Cognito Identity, and remain simple/static enough to be used as a template for creating an internal action for the same purpose.