diff --git a/README.md b/README.md
new file mode 100644
index 0000000..567dee2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,81 @@
+# Configure AWS Profiles
+
+![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Configure%20AWS%20Profiles-orange)
+![License](https://img.shields.io/github/license/your-username/configure-aws-profiles)
+
+## Overview
+
+**Configure AWS Profiles** is a GitHub Action that sets up multiple OIDC AWS Role Sessions as AWS config profiles. This action simplifies the process of configuring AWS profiles with assumed roles, leveraging OpenID Connect (OIDC) tokens for secure authentication.
+
+## Features
+
+- **Multiple Profile Configuration:** Define and configure multiple AWS profiles in a single action.
+- **OIDC Integration:** Uses OIDC tokens to securely assume AWS roles without long-lived credentials.
+- **Customizable Regions:** Specify default AWS region or set them individually per profile.
+- **Automated Verification:** Verifies the configured profiles to ensure they are set up correctly.
+
+## Inputs
+
+### `profiles` (required)
+
+A YAML mapping of profiles to configure. Each profile should include the `role-arn` and can optionally specify a `region`.
+
+**Example:**
+
+```yaml
+dev:
+ role-arn: arn:aws:iam::123456789012:role/DevRole
+ region: us-east-1
+prod:
+ role-arn: arn:aws:iam::123456789012:role/ProdRole
+```
+
+### `default-region` (optional)
+
+The default AWS region to use if not specified in a profile.
+
+- Default: us-west-2
+
+## Usage
+
+### Prerequisites
+
+Ensure your GitHub repository has the id-token: write permission enabled. This is required for generating OIDC tokens.
+
+### Example Workflow
+
+```yaml
+name: Configure AWS Profiles
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ setup-aws-profiles:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Configure AWS Profiles
+ uses: your-username/configure-aws-profiles@v1
+ with:
+ profiles: |
+ dev:
+ role-arn: arn:aws:iam::123456789012:role/DevRole
+ region: us-east-1
+ prod:
+ role-arn: arn:aws:iam::123456789012:role/ProdRole
+ default-region: us-west-2
+
+ - name: Use AWS CLI with Dev Profile
+ run: aws sts get-caller-identity --profile dev
+
+ - name: Use AWS CLI with Prod Profile
+ run: aws sts get-caller-identity --profile prod
+```
\ No newline at end of file
diff --git a/action.yaml b/action.yaml
new file mode 100644
index 0000000..0b4727a
--- /dev/null
+++ b/action.yaml
@@ -0,0 +1,101 @@
+name: Configure AWS Profiles
+
+description: Configures multiple OIDC AWS Role Sessions as AWS config profiles.
+
+branding:
+ icon: 'cloud'
+ color: 'orange'
+
+inputs:
+ profiles:
+ required: true
+ description: 'YAML mapping of profiles to configure.'
+ default-region:
+ required: false
+ description: 'Default AWS region to be used if not specified in a profile.'
+ default: 'us-west-2'
+
+runs:
+ using: "composite"
+ steps:
+ - name: Install dependencies
+ shell: bash
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y jq
+ sudo wget https://github.com/mikefarah/yq/releases/download/v4.25.3/yq_linux_amd64 -O /usr/local/bin/yq
+ sudo chmod +x /usr/local/bin/yq
+
+ - name: Get OIDC Token
+ shell: bash
+ env:
+ ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
+ ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+ run: |
+ # Ensure the 'id-token: write' permission is set in your workflow
+ if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
+ echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set. Ensure 'id-token: write' permission is granted."
+ exit 1
+ fi
+ # Add audience parameter to the request URL
+ TOKEN_REQUEST_URL="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sts.amazonaws.com"
+ # Request the OIDC token
+ OIDC_TOKEN=$(curl -sS "$TOKEN_REQUEST_URL" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" | jq -r '.value')
+ if [ -z "$OIDC_TOKEN" ]; then
+ echo "Error: Failed to retrieve OIDC token."
+ exit 1
+ fi
+ echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
+
+ - name: Setup AWS Profiles
+ shell: bash
+ env:
+ OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
+ run: |
+ echo "${{ inputs.profiles }}" > profiles.yaml
+ PROFILE_NAMES=$(yq e 'keys' profiles.yaml)
+ for PROFILE_NAME in $(echo "$PROFILE_NAMES" | yq e '.[]' -); do
+ REGION=$(yq e ".\"$PROFILE_NAME\".region // \"${{ inputs.default-region }}\"" profiles.yaml)
+ ROLE_ARN=$(yq e ".\"$PROFILE_NAME\".role-arn" profiles.yaml)
+ echo "Configuring profile $PROFILE_NAME with region $REGION and role $ROLE_ARN"
+
+ # Assume role using AWS CLI with OIDC
+ CREDENTIALS=$(aws sts assume-role-with-web-identity \
+ --role-arn "$ROLE_ARN" \
+ --role-session-name "$PROFILE_NAME" \
+ --web-identity-token "$OIDC_TOKEN" \
+ --duration-seconds 3600 \
+ --region "$REGION" \
+ --output json)
+
+ if [ $? -ne 0 ]; then
+ echo "Error: Failed to assume role $ROLE_ARN"
+ exit 1
+ fi
+
+ export AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.Credentials.AccessKeyId')
+ export AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.Credentials.SecretAccessKey')
+ export AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.Credentials.SessionToken')
+
+ aws configure set region "$REGION" --profile "$PROFILE_NAME"
+ aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$PROFILE_NAME"
+ aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$PROFILE_NAME"
+ aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$PROFILE_NAME"
+ done
+
+ - name: Reset AWS Environment Variables
+ shell: bash
+ run: |
+ echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+ echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+ echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
+
+ - name: Verify AWS Profiles
+ shell: bash
+ run: |
+ echo "${{ inputs.profiles }}" > profiles.yaml
+ PROFILE_NAMES=$(yq e 'keys' profiles.yaml)
+ for PROFILE_NAME in $(echo "$PROFILE_NAMES" | yq e '.[]' -); do
+ echo "Verifying profile $PROFILE_NAME"
+ aws sts
get-caller-identity --profile "$PROFILE_NAME"
+ done
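Review bot: The empty-string check after the token request in the "Get OIDC Token" step does not catch a failed request, because `curl` runs without `-f` and `jq -r '.value'` prints the literal string `null` when the key is absent, so `[ -z "$OIDC_TOKEN" ]` passes and the bogus value is exported; use `curl -fsS` and `if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then`. Appending the token to `$GITHUB_ENV` also exposes it to every later step in the calling job rather than just this action, and the session credentials written by `aws configure set` are never masked, so `echo "::add-mask::$AWS_SECRET_ACCESS_KEY"` and `echo "::add-mask::$AWS_SESSION_TOKEN"` before the configure calls would keep them out of step logs. `echo "${{ inputs.profiles }}" > profiles.yaml` in the Setup and Verify steps (and `${{ inputs.default-region }}` inside the yq expression) interpolate the input directly into the shell script; passing the input through `env:` and writing it with `printf '%s\n' "$PROFILES" > profiles.yaml` avoids shell expansion of its contents. The yq binary in "Install dependencies" is version-pinned but not checksum-verified before being installed with `sudo`, and the "Reset AWS Environment Variables" step clears variables that were only exported inside the previous step's shell, so it appears to do nothing beyond adding empty `AWS_*` variables to later steps.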