Drop-in replacement for `aws-actions/configure-aws-credentials` with additional features to configure multiple AWS roles as AWS profiles.
The primary reason this action exists is to address using multiple AWS Roles at the same time in GitHub Actions. The official action is not sufficient for multiple account usage as it only sets one set of AWS environment variables at a time. Trying to reuse the action simply overwrites the environment variables with the new credentials.
This action uses the official `aws-actions/configure-aws-credentials@v4` under the hood. Almost all inputs of the original action are supported. The main difference is that the `profile` input is required. This action will create the `~/.aws/config` and `~/.aws/credentials` files with the specified profile name (the location can be overridden with `AWS_CONFIG_FILE` & `AWS_SHARED_CREDENTIALS_FILE`, details below).
The inputs below are in addition to the official action inputs:

| Input Name | Description | Required | Default value |
|---|---|---|---|
| profile | Name of the profile to be created | false | "default" |
| only-profile | This will unset the AWS env vars to an empty string. Necessary for using profiles | false | false |
| whoami | Run an additional `aws sts get-caller-identity` to check if the profile is working | true | false |
One input of the official action is fixed by this action:

| Input Name | Description |
|---|---|
| output-credentials | This is set to true so that the next steps in this action can create the profile. The actual env vars are then overridden with a dummy value |
| Output Name | Description |
|---|---|
| aws-account-id | The AWS account ID for the provided credentials |
| aws-access-key-id | The AWS access key ID for the provided credentials |
| aws-secret-access-key | The AWS secret access key for the provided credentials |
| aws-session-token | The AWS session token for the provided credentials |
| profile | Name of the profile that was created |
```yaml
env:
  PROFILE_ROLE_1: PROFILE_ROLE_1
  PROFILE_ROLE_2: PROFILE_ROLE_2
  REPO_NAME: ${{ github.event.repository.name }} # Referenced by role-session-name below
  AWS_DEFAULT_REGION: us-east-1 # Referenced by aws-region below; set this to your region

jobs:
  assume-multiple-roles:
    runs-on: ubuntu-latest
    permissions:
      contents: read # This is required for actions/checkout
      id-token: write # This is required for requesting the token from AWS STS
    steps:
      - name: Checkout Repo
        id: checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials ROLE 1
        id: configure-aws-credentials-role-1
        uses: Moulick/configure-multiple-aws-roles@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/role-1
          role-session-name: GithubActions-${{ env.REPO_NAME }}-${{ github.workflow }}-${{ github.run_id }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          profile: ${{ env.PROFILE_ROLE_1 }}
          only-profile: true
          whoami: true
      - name: Configure AWS credentials ROLE 2
        id: configure-aws-credentials-role-2
        uses: Moulick/configure-multiple-aws-roles@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/role-2
          role-session-name: GithubActions-${{ env.REPO_NAME }}-${{ github.workflow }}-${{ github.run_id }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          profile: ${{ env.PROFILE_ROLE_2 }}
          only-profile: true
          whoami: true
      - name: Check AWS credentials
        id: check-aws-credentials
        run: |
          aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_1 }}
          aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_2 }}
```
If you need to use a custom location for the profile files, you can use the `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables. This sometimes becomes necessary for actions running in Docker containers, where the default location is different from what the AWS SDK expects.

> [!IMPORTANT]
> The `-v ${{ github.workspace }}:/github/workspace/` is necessary to mount the workspace into the Docker container. `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` are set to the same path as the mounted workspace.
```yaml
env:
  PROFILE_TEST: test
  REPO_NAME: ${{ github.event.repository.name }} # Referenced by role-session-name below
  AWS_DEFAULT_REGION: us-east-1 # Referenced by aws-region below; set this to your region
  AWS_CONFIG_FILE: ${{ github.workspace }}/.aws/config # Custom path that is passed on to the docker container: /home/runner/work/<OWNER>/<REPO_NAME>/.aws/config
  AWS_SHARED_CREDENTIALS_FILE: ${{ github.workspace }}/.aws/credentials # Similar to above

jobs:
  test_new_action:
    runs-on: ubuntu-latest
    permissions:
      contents: read # This is required for actions/checkout
      id-token: write # This is required for requesting the token from AWS STS
    steps:
      - name: Checkout Repo
        id: checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials role test
        id: configure-aws-credentials-role-test
        uses: Moulick/configure-multiple-aws-roles@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/role-test
          role-session-name: GithubActions-${{ env.REPO_NAME }}-${{ github.workflow }}-${{ github.run_id }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          profile: ${{ env.PROFILE_TEST }}
          only-profile: true
          whoami: true
      - run: aws s3 ls --profile ${{ env.PROFILE_TEST }}
      # Example of using the profile with terragrunt
      - name: Terragrunt plan
        id: terragrunt-plan
        uses: gruntwork-io/terragrunt-action@v2
        env:
          AWS_CONFIG_FILE: /github/workspace/.aws/config # And this is the place the AWS config file ends up mounted
          AWS_SHARED_CREDENTIALS_FILE: /github/workspace/.aws/credentials
          AWS_PROFILE: ${{ env.PROFILE_TEST }}
          INPUT_PRE_EXEC_1: |
            unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
      # Example with a generic Docker image
      # Notice the workspace mount and both the env vars; that is the place the AWS config file ends up mounted
      - name: use in docker
        id: use-in-docker
        uses: addnab/docker-run-action@v3
        with:
          image: amazon/aws-cli
          options: -v ${{ github.workspace }}:/github/workspace/ -e AWS_CONFIG_FILE=/github/workspace/.aws/config -e AWS_SHARED_CREDENTIALS_FILE=/github/workspace/.aws/credentials
          run: |
            if ! [ -f "${AWS_CONFIG_FILE}" ]; then echo "${AWS_CONFIG_FILE} does not exist."; fi
            if ! [ -f "${AWS_SHARED_CREDENTIALS_FILE}" ]; then echo "${AWS_SHARED_CREDENTIALS_FILE} does not exist."; fi
            aws sts get-caller-identity --profile ${{ env.PROFILE_TEST }}
```
There are two problems:

- GitHub Actions do not support unsetting an env var once it has been set; you cannot even set it to `""`, i.e. `echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV` does not work. Read more here: actions/runner#1126
- AWS SDKs prefer the `AWS_*` env variables over a profile.

This necessitates that the three env vars be unset in every step that you run. The following can be used for Linux/macOS runners.

```sh
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
```
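The two mechanisms this readme relies on, the profile files the action writes and the env-var precedence that forces `only-profile`, as an added shell example that is not part of the action's own code: `write_aws_profile` produces the same `[profile NAME]` / `[NAME]` sections under `AWS_CONFIG_FILE` / `AWS_SHARED_CREDENTIALS_FILE`, and `aws_env_clean` is the check a step can run before trusting `--profile`. The function names and the dummy key values are constructed for this example.

```shell
#!/bin/sh
# Added example, not the action's own code: write a named AWS profile into the
# same two INI files the action creates, honouring AWS_CONFIG_FILE and
# AWS_SHARED_CREDENTIALS_FILE the way the AWS SDKs and CLI do.
aws_cfg_path()   { printf '%s' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"; }
aws_creds_path() { printf '%s' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"; }
# ~/.aws/config names non-default profiles "[profile NAME]"; ~/.aws/credentials uses "[NAME]".
cfg_section() { if [ "$1" = default ]; then printf 'default'; else printf 'profile %s' "$1"; fi; }

ini_get() {  # ini_get FILE SECTION KEY: print the first "KEY = value" found under [SECTION]
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key { print $3; exit }' "$1"
}
ini_drop_section() {  # ini_drop_section FILE SECTION: remove [SECTION] so a rewrite is idempotent
  [ -f "$1" ] || return 0
  awk -v sec="[$2]" '/^\[/ { skip = ($0 == sec) } !skip { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

write_aws_profile() {  # write_aws_profile PROFILE KEY_ID SECRET SESSION_TOKEN REGION
  cfg=$(aws_cfg_path); creds=$(aws_creds_path)
  mkdir -p "$(dirname "$cfg")" "$(dirname "$creds")"
  ini_drop_section "$cfg" "$(cfg_section "$1")"; ini_drop_section "$creds" "$1"
  printf '[%s]\nregion = %s\noutput = json\n\n' "$(cfg_section "$1")" "$5" >> "$cfg"
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n\n' \
    "$1" "$2" "$3" "$4" >> "$creds"
  chmod 600 "$creds"   # the credentials file is secret material; keep it owner-readable only
}
profile_region() { ini_get "$(aws_cfg_path)" "$(cfg_section "$1")" region; }
profile_key_id() { ini_get "$(aws_creds_path)" "$1" aws_access_key_id; }

# The SDKs take AWS_ACCESS_KEY_ID & co. over --profile, so a step that wants a profile
# must start with all three unset (what only-profile emulates). Returns 0 when clean.
aws_env_clean() {
  [ -z "${AWS_ACCESS_KEY_ID:-}" ] && [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] && [ -z "${AWS_SESSION_TOKEN:-}" ]
}

# Demo with constructed dummy values, written to a throw-away directory rather than ~/.aws.
demo_dir=$(mktemp -d)
AWS_CONFIG_FILE=$demo_dir/config AWS_SHARED_CREDENTIALS_FILE=$demo_dir/credentials
export AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE
write_aws_profile role-1 AKIAEXAMPLE000000001 example-secret example-token eu-west-1
echo "role-1 region: $(profile_region role-1)"   # prints "role-1 region: eu-west-1"
```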