@guitarrapc
Last active January 5, 2023 08:03
GitHub Actions workflow that authenticates to AWS via OIDC once per workflow run, caches the resulting credentials, then reuses them in later jobs. Workaround for https://github.com/aws-actions/configure-aws-credentials/issues/299.
```yaml
name: aws oidc credential with cache
on:
  workflow_dispatch:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
# github.job = job name
# github.run_id = unique id for the workflow run. a re-run uses the same id.
# github.run_attempt = attempt counter for the workflow run. a re-run increments it.
env:
  cache-key: GitHubActions-auth-${{ github.run_id }}-${{ github.run_attempt }}
jobs:
  # authenticate to AWS only once per workflow run
  auth-aws:
    permissions:
      contents: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/aws_oidc_auth
        with:
          aws-region: ap-northeast-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GitHubActions-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          cache-key: ${{ env.cache-key }}
  # even when jobs run in parallel, aws auth is served from the cache.
  # make sure the OS is the same as the runner that created the cache.
  use-auth:
    needs: [auth-aws]
    strategy:
      matrix:
        name: ["a", "b", "c", "d", "e", "f", "g"]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/restore_aws_oidc_auth
        with:
          cache-key: ${{ env.cache-key }}
      - name: get-caller-identity is allowed to run on the role.
        run: aws sts get-caller-identity
```
```yaml
# .github/actions/aws_oidc_auth/action.yaml
name: aws oidc auth with cache
description: |
  Get aws oidc auth and cache it.
  This avoids the AWS OIDC AssumeRoleWithWebIdentity parallel request issue:
  Error: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements
  see: https://github.com/aws-actions/configure-aws-credentials/issues/299
inputs:
  aws-region:
    description: "AWS Region"
    required: true
  role-to-assume:
    description: "AWS IAM Role to assume"
    required: true
  role-session-name:
    description: "AWS IAM Role Session Name. Shown on CloudTrail"
    required: true
  cache-key:
    description: "cache key. you must set this key to restore the cache."
    required: true
runs:
  using: "composite" # this is the key point
  steps:
    - name: Configure AWS Credentials
      # must use "master", not "v1". v1 is not yet released with the latest role-to-assume support.
      # Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ${{ inputs.aws-region }}
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: ${{ inputs.role-session-name }}
        role-duration-seconds: 900 # minimum: 900sec, maximum: iam role session duration
    - name: gen auth file
      shell: bash
      run: |
        echo "::group::test auth is valid"
        aws sts get-caller-identity
        echo "::endgroup::"
        # write one file per value; this directory is what gets cached
        mkdir -p ~/.aws/${{ inputs.cache-key }}/
        echo "${{ env.AWS_ACCESS_KEY_ID }}" > ~/.aws/${{ inputs.cache-key }}/aws_access_key_id
        echo "${{ env.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/${{ inputs.cache-key }}/aws_secret_access_key
        echo "${{ env.AWS_SESSION_TOKEN }}" > ~/.aws/${{ inputs.cache-key }}/aws_session_token
        echo "${{ env.AWS_REGION }}" > ~/.aws/${{ inputs.cache-key }}/region
        echo "${{ env.AWS_DEFAULT_REGION }}" > ~/.aws/${{ inputs.cache-key }}/default_region
    - name: Cache aws auth
      uses: actions/cache@v2
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}
```
```yaml
# .github/actions/restore_aws_oidc_auth/action.yaml
name: restore aws oidc auth from cache
description: |
  restore aws oidc auth from cache
inputs:
  cache-key:
    description: "cache key to restore"
    required: true
runs:
  using: "composite"
  steps:
    - name: Restore aws auth
      uses: actions/cache@v2
      id: cache-aws
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}
    - name: Is Cache Hit
      shell: bash
      run: echo "cache hit? ${{ steps.cache-aws.outputs.cache-hit }}"
    - name: Restore ENV
      shell: bash
      run: |
        set -e
        # mask each secret before it is written to GITHUB_ENV so it never shows up in the step log
        AWS_ACCESS_KEY_ID=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_access_key_id)
        echo "::add-mask::${AWS_ACCESS_KEY_ID}"
        echo "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" >> "$GITHUB_ENV"
        AWS_SECRET_ACCESS_KEY=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_secret_access_key)
        echo "::add-mask::${AWS_SECRET_ACCESS_KEY}"
        echo "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" >> "$GITHUB_ENV"
        AWS_SESSION_TOKEN=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_session_token)
        echo "::add-mask::${AWS_SESSION_TOKEN}"
        echo "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> "$GITHUB_ENV"
        echo "AWS_REGION=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/region)" >> "$GITHUB_ENV"
        echo "AWS_DEFAULT_REGION=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/default_region)" >> "$GITHUB_ENV"
    - name: test auth is valid
      shell: bash
      run: aws sts get-caller-identity
```
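An added example, not code from the gist, showing the "gen auth file" and "Restore ENV" steps as hardened shell functions: the credential files are written owner-read-only together with a creation timestamp, and restore fails fast on a cache miss or on credentials older than the 900-second role-duration-seconds instead of failing later with an opaque AWS error. The directory layout follows the gist; the function names, the `created_at` file and the constructed test values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist). Assumes the gist's layout: one file per
# value under ~/.aws/<cache-key>/, and role-duration-seconds of 900.
set -eu

MAX_AGE_SECONDS=900   # must match role-duration-seconds in aws_oidc_auth

# save_aws_auth DIR KEY_ID SECRET TOKEN REGION
# Writes the files owner-read-only (umask is scoped to the subshell body) and
# records when the credentials were issued so restore can reject stale ones.
save_aws_auth() (
  umask 077
  mkdir -p "$1"
  printf '%s\n' "$2" > "$1/aws_access_key_id"
  printf '%s\n' "$3" > "$1/aws_secret_access_key"
  printf '%s\n' "$4" > "$1/aws_session_token"
  printf '%s\n' "$5" > "$1/region"
  printf '%s\n' "$5" > "$1/default_region"
  date +%s > "$1/created_at"            # assumed extra file, not in the gist
)

# restore_aws_auth DIR ENV_FILE
# Fails on a cache miss or on credentials older than MAX_AGE_SECONDS (AWS
# would reject them anyway), masks each secret, then appends the variables
# to ENV_FILE ($GITHUB_ENV in a workflow step).
restore_aws_auth() {
  local dir="$1" env_file="$2" age name file val
  if [ ! -f "$dir/created_at" ]; then
    echo "no cached aws auth in $dir (cache miss?)" >&2
    return 1
  fi
  age=$(( $(date +%s) - $(head -n 1 "$dir/created_at") ))
  if [ "$age" -ge "$MAX_AGE_SECONDS" ]; then
    echo "cached credentials are ${age}s old, limit ${MAX_AGE_SECONDS}s: re-run auth-aws" >&2
    return 1
  fi
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    file=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # AWS_SESSION_TOKEN -> aws_session_token
    val=$(head -n 1 "$dir/$file")
    echo "::add-mask::${val}"          # keep the secret out of the step log
    echo "${name}=${val}" >> "$env_file"
  done
  echo "AWS_REGION=$(head -n 1 "$dir/region")" >> "$env_file"
  echo "AWS_DEFAULT_REGION=$(head -n 1 "$dir/default_region")" >> "$env_file"
}
```

Anything stored with actions/cache is readable by any later workflow run that can restore the key, so the short role-duration-seconds and a tightly scoped role matter more here than with credentials that stay inside a single job.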
@guitarrapc (Author)

Execution result.
[image]

@jost-kuenzel

😄 awesome! Thank you 👍

@guitarrapc (Author)

Already fixed. You don't need this practice anymore.
