Add aws/auth action (#63)
* Add aws/auth action

* Fix description

* Fix example

* Add default region

* Apply changes from code review

* Adjust confusing copy-paste name
reakaleek authored Jun 20, 2024
1 parent d256b3c commit e91af7d
Showing 4 changed files with 124 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/no-test.yml
@@ -7,6 +7,7 @@ on:
paths:
- '**'
- '!.github/workflows/test-*'
- '!aws/auth/**'
- '!buildkite/run/**'
- '!check-dependent-jobs/**'
- '!git/setup/**'
34 changes: 34 additions & 0 deletions .github/workflows/test-aws-auth.yml
@@ -0,0 +1,34 @@
name: test-aws-auth

on:
pull_request:
paths:
- 'aws-auth/**'
- '.github/workflows/test-aws-auth.yml'
push:
branches:
- main
paths:
- 'aws-auth/**'
- '.github/workflows/test-aws-auth.yml'

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./aws/auth
id: aws-auth
continue-on-error: true
with:
aws-region: 'us-west-2'
- name: assert generated role arn
run: |
workflow_filename=$(echo "${GITHUB_WORKFLOW_REF}" | awk -F'/' '{ print $5 }' | awk -F'@' '{ print $1 }')
hash=$(echo -n "${GITHUB_REPOSITORY}/${workflow_filename}" | sha256sum | awk '{print $1}' | cut -c -55)
arn="arn:aws:iam::697149045717:role/gha-${hash}-role"
test "${arn}" = "${{ steps.aws-auth.outputs.role-arn }}"
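Review bot: the trigger paths `aws-auth/**` (under both `pull_request` and `push`) do not match the directory this commit adds, which is `aws/auth/`, so edits to the action will never run this workflow; at the same time `no-test.yml` now excludes `!aws/auth/**`, which leaves the action with no CI trigger at all. Change both entries to `- 'aws/auth/**'`. Two further points in the same hunk: `continue-on-error: true` on the `./aws/auth` step means a failure in the embedded `configure-aws-credentials` call is swallowed and the job passes as long as the ARN string matches, so the job only ever exercises the hash arithmetic, not that the role can be assumed; and `permissions: contents: read` omits `id-token: write`, which `aws-actions/configure-aws-credentials` needs to request the OIDC token it exchanges for `role-to-assume`, so the credential step will fail for that reason alone. Either grant `id-token: write` and drop `continue-on-error`, or rename the job to make clear that only ARN generation is under test.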
35 changes: 35 additions & 0 deletions aws/auth/README.md
@@ -0,0 +1,35 @@
# <!--name-->aws/auth<!--/name-->
[![test-aws-auth](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml/badge.svg?branch=main)](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml)

<!--description-->
This is an opinionated GitHub Action to authenticate with AWS.

It generates a role ARN based on the repository name and the workflow filename, which is compatible with the
AWS role ARN we use for Elastic Observability repositories.
<!--/description-->

## Inputs
<!--inputs-->
| Name | Description | Required | Default |
|------------------|--------------------------------|----------|----------------|
| `aws-account-id` | The AWS account ID | `false` | `697149045717` |
| `aws-region` | The AWS region, e.g. us-east-1 | `false` | `us-east-1` |
<!--/inputs-->

## Outputs
<!--outputs-->
| Name | Description |
|------------|------------------------|
| `role-arn` | The generated role ARN |
<!--/outputs-->

## Usage
<!--usage action="elastic/oblt-actions/**" version="env:VERSION"-->
```yaml
steps:
- uses: elastic/oblt-actions/aws/auth@v1
with:
aws-region: 'us-east-1'
- run: aws s3 ls
```
<!--/usage-->
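Review bot: the README does not state what the caller must provide for the action to work: the calling workflow needs `permissions: id-token: write` so that `configure-aws-credentials` can obtain an OIDC token for `role-to-assume`, and a role named `gha-<hash>-role` must already exist in the target account, where `<hash>` is the first 55 hex characters of SHA-256 over `<owner>/<repo>/<workflow filename>`. Add both to the description or to a short section before Usage, and mention that `aws-account-id` defaults to the observability-ci account so callers targeting another account know to override it.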
54 changes: 54 additions & 0 deletions aws/auth/action.yml
@@ -0,0 +1,54 @@
name: aws/auth
description: |
This is an opinionated GitHub Action to authenticate with AWS.
It generates a role ARN based on the repository name and the workflow filename, which is compatible with the
AWS role ARN we use for Elastic Observability repositories.
inputs:
aws-account-id:
description: 'The AWS account ID'
default: "697149045717" # observability-ci account
required: false
aws-region:
description: 'The AWS region, e.g. us-east-1'
required: false
default: 'us-east-1'

outputs:
role-arn:
description: 'The generated role ARN'
value: ${{ steps.generate-role-arn.outputs.role-arn }}

runs:
using: composite
steps:
- name: Generate role ARN
id: generate-role-arn
shell: python
env:
REPOSITORY: ${{ github.repository }}
WORKFLOW_REF: ${{ github.workflow_ref }} # e.g. octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch
AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
run: |
import hashlib
import os
repository = os.environ['REPOSITORY']
workflow_ref = os.environ['WORKFLOW_REF']
aws_account_id = os.environ['AWS_ACCOUNT_ID']
worflow_filename = workflow_ref.split('/')[4].split('@')[0]
m = hashlib.sha256()
m.update(f"{repository}/{worflow_filename}".encode('utf-8'))
hash = m.hexdigest()[:55]
role_name = f"gha-{hash}-role"
role_arn = f"arn:aws:iam::{aws_account_id}:role/{role_name}"
with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
f.write(f"role-arn={role_arn}")
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ inputs.aws-region }}
role-to-assume: ${{ steps.generate-role-arn.outputs.role-arn }}
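Review bot: `f.write(f"role-arn={role_arn}")` omits the trailing newline; `GITHUB_OUTPUT` is a line-oriented file that later steps append to, so the next key written to it would be glued onto this line. Use `f.write(f"role-arn={role_arn}\n")`. Style points in the same step: `worflow_filename` is misspelled (`workflow_filename`), and `hash` shadows the Python builtin. `workflow_ref.split('/')[4]` depends on the exact `owner/repo/.github/workflows/<file>@ref` layout shown in the comment; a short check that the split yields at least five parts would make a malformed ref fail with a clear message instead of an `IndexError`. Pinning `configure-aws-credentials` to a commit SHA with the version in a trailing comment is the right choice and should stay.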

0 comments on commit e91af7d