Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: infer role ARN if given role name #35

Merged
merged 1 commit into from
Mar 4, 2020
Merged

feat: infer role ARN if given role name #35

merged 1 commit into from
Mar 4, 2020

Conversation

clareliguori
Copy link
Member

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

allisaurus
allisaurus reviewed Mar 4, 2020
View reviewed changes
index.js
@@ -42,8 +42,16 @@ async function assumeRole(params) {
accessKeyId, secretAccessKey, sessionToken, region, endpoint, customUserAgent: USER_AGENT
});

let roleArn = roleToAssume;
if (!roleArn.startsWith('arn:aws')) {
const identity = await sts.getCallerIdentity().promise();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now there we're potentially calling more than sts:assume-role, would it make sense to include a statement in the Assuming a role section of the README about what permissions this action requires?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So interesting fact: STS GetCallerIdentity is super fun in that it doesn't require any permissions! And you can't deny the permission to call it!
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html

Regardless, this API actually gets called already lower down after the credentials are retrieved to export the account ID, so that other actions can use it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😮 TIL!

@clareliguori clareliguori merged commit 96c6f7e into aws-actions:master Mar 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@allisaurus allisaurus allisaurus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@clareliguori @allisaurus