GitHub Actions workflow that authenticates to AWS via OIDC once per workflow run, caches the resulting temporary credentials, and reuses them in the other jobs. Workaround for https://github.com/aws-actions/configure-aws-credentials/issues/299.
```yaml
name: aws oidc credential with cache
on:
  workflow_dispatch:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# github.job = job name
# github.run_id = unique id for the workflow run. a re-run keeps the same id.
# github.run_attempt = attempt counter for the run. a re-run increments it.
env:
  cache-key: GitHubActions-auth-${{ github.run_id }}-${{ github.run_attempt }}

jobs:
  # authenticate to aws only once per workflow run
  auth-aws:
    permissions:
      contents: write # contents: read is enough for actions/checkout; write is not needed by this job
      id-token: write # required for the OIDC token request
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/aws_oidc_auth
        with:
          aws-region: ap-northeast-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GitHubActions-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          cache-key: ${{ env.cache-key }}

  # even when run in parallel, these jobs reuse the cached aws auth.
  # make sure the OS is the same as the runner that populated the cache.
  use-auth:
    needs: [auth-aws]
    strategy:
      matrix:
        name: ["a", "b", "c", "d", "e", "f", "g"]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/restore_aws_oidc_auth
        with:
          cache-key: ${{ env.cache-key }}
      - name: get-caller-identity is allowed to run on role.
        run: aws sts get-caller-identity
```
```yaml
# .github/actions/aws_oidc_auth/action.yaml
name: aws oidc auth with cache
description: |
  Get aws oidc auth and cache it.
  This avoids the AWS OIDC AssumeRoleWithWebIdentity parallel request issue:
  Error: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements
  see: https://github.com/aws-actions/configure-aws-credentials/issues/299
inputs:
  aws-region:
    description: "AWS Region"
    required: true
  role-to-assume:
    description: "AWS IAM Role to assume"
    required: true
  role-session-name:
    description: "AWS IAM Role Session Name. Shown on CloudTrail"
    required: true
  cache-key:
    description: "cache key. you must set this key to restore the cache."
    required: true
runs:
  using: "composite" # this is the key point
  steps:
    - name: Configure AWS Credentials
      # must use "master", not "v1". v1 is not yet released with the latest role-to-assume support.
      # Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ${{ inputs.aws-region }}
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: ${{ inputs.role-session-name }}
        role-duration-seconds: 900 # minimum: 900sec, maximum: iam role session duration
    - name: gen auth file
      shell: bash
      run: |
        echo "::group::test auth is valid"
        aws sts get-caller-identity
        echo "::endgroup::"
        mkdir -p ~/.aws/${{ inputs.cache-key }}/
        # read the exported credentials from the shell environment instead of
        # inlining ${{ env.* }} expressions, so the values never appear in the script text
        echo "$AWS_ACCESS_KEY_ID" > ~/.aws/${{ inputs.cache-key }}/aws_access_key_id
        echo "$AWS_SECRET_ACCESS_KEY" > ~/.aws/${{ inputs.cache-key }}/aws_secret_access_key
        echo "$AWS_SESSION_TOKEN" > ~/.aws/${{ inputs.cache-key }}/aws_session_token
        echo "$AWS_REGION" > ~/.aws/${{ inputs.cache-key }}/region
        echo "$AWS_DEFAULT_REGION" > ~/.aws/${{ inputs.cache-key }}/default_region
    - name: Cache aws auth
      uses: actions/cache@v2
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}
```
```yaml
# .github/actions/restore_aws_oidc_auth/action.yaml
name: restore aws oidc auth from cache
description: |
  restore aws oidc auth from cache
inputs:
  cache-key:
    description: "cache key to restore"
    required: true
runs:
  using: "composite"
  steps:
    - name: Restore aws auth
      uses: actions/cache@v2
      id: cache-aws
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}
    - name: Is Cache Hit
      shell: bash
      run: echo "cache hit? ${{ steps.cache-aws.outputs.cache-hit }}"
    - name: Restore ENV
      shell: bash
      run: |
        set -e
        dir=~/.aws/${{ inputs.cache-key }}
        # fail with a clear message on a cache miss instead of tripping over missing files
        test -d "$dir" || { echo "::error::no cached aws auth for key ${{ inputs.cache-key }}"; exit 1; }
        AWS_ACCESS_KEY_ID=$(head -n 1 "$dir/aws_access_key_id")
        echo "::add-mask::${AWS_ACCESS_KEY_ID}"
        echo "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" >> "$GITHUB_ENV"
        # use a matching variable name here (the original reused AWS_ACCESS_KEY_ID)
        AWS_SECRET_ACCESS_KEY=$(head -n 1 "$dir/aws_secret_access_key")
        echo "::add-mask::${AWS_SECRET_ACCESS_KEY}"
        echo "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" >> "$GITHUB_ENV"
        AWS_SESSION_TOKEN=$(head -n 1 "$dir/aws_session_token")
        echo "::add-mask::${AWS_SESSION_TOKEN}"
        echo "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> "$GITHUB_ENV"
        echo "AWS_REGION=$(head -n 1 "$dir/region")" >> "$GITHUB_ENV"
        echo "AWS_DEFAULT_REGION=$(head -n 1 "$dir/default_region")" >> "$GITHUB_ENV"
    - name: test auth is valid
      shell: bash
      run: aws sts get-caller-identity
```
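The "gen auth file" and "Restore ENV" steps above, rewritten as plain shell functions so the save/restore pair can be exercised outside a runner (an added example, not code from the gist). It also records when the 900 s session expires and refuses to restore a stale or incomplete cache, which the gist's steps do not check; the `expires_at` file name and the `ASIAEXAMPLEKEY`-style values are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist: save/restore of the temporary AWS
# credentials that the composite actions pass through actions/cache.
# Assumptions: directory layout mirrors ~/.aws/<cache-key>/ from the gist,
# session length is the gist's role-duration-seconds (900), "expires_at" is new.
ROLE_DURATION=900

# save_auth DIR: one credential value per file, plus the epoch second at
# which the STS session expires (not recorded by the gist).
save_auth() {
  dir=$1
  mkdir -p "$dir"
  printf '%s\n' "$AWS_ACCESS_KEY_ID"     > "$dir/aws_access_key_id"
  printf '%s\n' "$AWS_SECRET_ACCESS_KEY" > "$dir/aws_secret_access_key"
  printf '%s\n' "$AWS_SESSION_TOKEN"     > "$dir/aws_session_token"
  printf '%s\n' "$AWS_REGION"            > "$dir/region"
  printf '%s\n' "$(( $(date +%s) + ROLE_DURATION ))" > "$dir/expires_at"
}

# restore_auth DIR ENVFILE: fail on a missing (cache miss) or expired
# credential set; otherwise mask each secret and append KEY=VALUE lines
# to ENVFILE, which is $GITHUB_ENV on a runner.
restore_auth() {
  dir=$1 envfile=$2
  for f in aws_access_key_id aws_secret_access_key aws_session_token region expires_at; do
    [ -s "$dir/$f" ] || { echo "::error::missing $dir/$f (cache miss?)"; return 1; }
  done
  if [ "$(date +%s)" -ge "$(head -n 1 "$dir/expires_at")" ]; then
    echo "::error::cached credentials expired; re-run the auth job"
    return 2
  fi
  for pair in AWS_ACCESS_KEY_ID:aws_access_key_id \
              AWS_SECRET_ACCESS_KEY:aws_secret_access_key \
              AWS_SESSION_TOKEN:aws_session_token; do
    var=${pair%%:*}
    val=$(head -n 1 "$dir/${pair#*:}")
    printf '::add-mask::%s\n' "$val"          # keep the value out of the job log
    printf '%s=%s\n' "$var" "$val" >> "$envfile"
  done
  region=$(head -n 1 "$dir/region")
  printf 'AWS_REGION=%s\nAWS_DEFAULT_REGION=%s\n' "$region" "$region" >> "$envfile"
}

# Stand-alone demo with constructed (not real) credential values.
demo_dir=$(mktemp -d)
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEY AWS_SECRET_ACCESS_KEY=example-secret
export AWS_SESSION_TOKEN=example-token AWS_REGION=ap-northeast-1
save_auth "$demo_dir/cache"
restore_auth "$demo_dir/cache" "$demo_dir/env" && cat "$demo_dir/env"
```

In a workflow the env file argument would be "$GITHUB_ENV", and a non-zero return from restore_auth should fail the step rather than let later steps run with no or stale credentials.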
@guitarrapc (Owner Author) commented Nov 5, 2021

Execution result.
[image]