Various fixes

Remove file-based env vars
Add support for session credentials
Add account ID as an output
Remove testing actions workflow

Author: clareliguori

.github/workflows/test.yml

@@ -1,10 +1,6 @@
 ## "Configure AWS Credentials" Action For GitHub Actions
 
-Configure AWS credential environment variables for use in other GitHub Actions.
-
-<a href="https://github.com/aws/configure-aws-credentials-for-github-actions"><img alt="GitHub Actions status" src="https://github.com/aws/configure-aws-credentials-for-github-actions/workflows/test-local/badge.svg"></a>
-
-This action adds configuration required by [the AWS CLI](https://aws.amazon.com/cli/) for use in subsequent actions.
+Configure AWS credential and region environment variables for use in other GitHub Actions.  The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls.
 
 ## Usage
 
@@ -16,10 +12,18 @@ Add the following step to your workflow:
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-default-region: us-east-2
-        aws-default-output: json
+        aws-region: us-east-2
 ```
 
+## Credentials
+
+We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for the AWS credentials used in GitHub Actions workflows, including:
+* Do not store credentials in your repository's code.  You may use [GitHub Actions secrets](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) to store credentials and redact credentials from GitHub Actions workflow logs.
+* [Create an individual IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
+* [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) to the credentials used in GitHub Actions workflows.  Grant only the permissions required to perform the actions in your GitHub Actions workflows.
+* [Rotate the credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials) used in GitHub Actions workflows regularly.
+* [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log) of the credentials used in GitHub Actions workflows.
+
 ## License Summary
 
 This code is made available under the MIT license.

README.md

@@ -1,19 +1,21 @@
-name: 'Setup AWS'
-description: 'Setup an AWS CLI compatible environment'
+name: '"Configure AWS Credentials" Action For GitHub Actions'
+description: 'Configure AWS credential and region environment variables for use with the AWS CLI and AWS SDKs'
 inputs:
   aws-access-key-id:
-    description: 'Your AWS access key id credential'
+    description: 'AWS Access Key ID'
     required: true
   aws-secret-access-key:
-    description: 'Your AWS secret access key credential'
+    description: 'AWS Secret Access Key'
     required: true
-  aws-default-region:
-    description: 'Default AWS region, e.g. us-east-2'
-    required: true
-  aws-default-output:
-    description: 'Default output format, e.g. json'
+  aws-session-token:
+    description: 'AWS Session Token'
     required: false
-    default: json
+  aws-region:
+    description: 'AWS Region, e.g. us-east-2'
+    required: true
+outputs:
+  aws-account-id:
+    description: 'The AWS account ID for the provided credentials'
 runs:
   using: 'node12'
   main: 'dist/index.js'

action.js

@@ -1,20 +1,15 @@
-const path = require('path');
 const core = require('@actions/core');
-const io = require('@actions/io');
+const aws = require('aws-sdk');
 
 async function run() {
   try {
     // Get inputs
     const accessKeyId = core.getInput('aws-access-key-id', { required: true });
     const secretAccessKey = core.getInput('aws-secret-access-key', { required: true });
-    const defaultRegion = core.getInput('aws-default-region', { required: true });
-    const outputFormat = core.getInput('aws-default-output', { required: false });
-    const awsHome = path.join(process.env.RUNNER_TEMP, '.aws');
+    const region = core.getInput('aws-region', { required: true });
+    const sessionToken = core.getInput('aws-session-token', { required: false });
 
-    // Ensure awsHome is a directory that exists
-    await io.mkdirP(awsHome);
-
-    // Configure the AWS CLI using environment variables
+    // Configure the AWS CLI and AWS SDKs using environment variables
 
     // AWS_ACCESS_KEY_ID:
     // Specifies an AWS access key associated with an IAM user or role
@@ -24,21 +19,22 @@ async function run() {
     // Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
     core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
 
-    // AWS_DEFAULT_REGION:
-    // Specifies the AWS Region to send requests to
-    core.exportVariable('AWS_DEFAULT_REGION', defaultRegion);
-
-    // AWS_DEFAULT_OUTPUT:
-    // Specifies the output format to use
-    core.exportVariable('AWS_DEFAULT_OUTPUT', outputFormat);
+    // AWS_SESSION_TOKEN:
+    // Specifies the session token value that is required if you are using temporary security credentials.
+    if (sessionToken) {
+      core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
+    }
 
-    // AWS_CONFIG_FILE:
-    // Specifies the location of the file that the AWS CLI uses to store configuration profiles.
-    core.exportVariable('AWS_CONFIG_FILE', path.join(awsHome, 'config'));
-
-    // AWS_SHARED_CREDENTIALS_FILE:
-    // Specifies the location of the file that the AWS CLI uses to store access keys.
-    core.exportVariable('AWS_SHARED_CREDENTIALS_FILE', path.join(awsHome, 'credentials'));
+    // AWS_DEFAULT_REGION and AWS_REGION:
+    // Specifies the AWS Region to send requests to
+    core.exportVariable('AWS_DEFAULT_REGION', region);
+    core.exportVariable('AWS_REGION', region);
+
+    // Get the AWS account ID
+    const sts = new aws.STS();
+    const identity = await sts.getCallerIdentity().promise();
+    const accountId = identity.Account;
+    core.setOutput('aws-account-id', accountId);
   }
   catch (error) {
     core.setFailed(error.message);

action.yml

@@ -1,12 +1,19 @@
 const core = require('@actions/core');
-const io = require('@actions/io');
 
 const run = require('.');
 
 jest.mock('@actions/core');
-jest.mock('@actions/io');
 
-describe('Setup AWS', () => {
+const mockStsCallerIdentity = jest.fn();
+jest.mock('aws-sdk', () => {
+    return {
+        STS: jest.fn(() => ({
+            getCallerIdentity: mockStsCallerIdentity
+        }))
+    };
+});
+
+describe('Configure AWS Credentials', () => {
 
     beforeEach(() => {
         jest.clearAllMocks();
@@ -16,38 +23,48 @@ describe('Setup AWS', () => {
             .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID')     // aws-access-key-id
             .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
             .mockReturnValueOnce('us-east-2')                // aws-default-region
-            .mockReturnValueOnce('json');                    // aws-default-output
+            .mockReturnValueOnce('MY-AWS-SESSION-TOKEN');    // aws-session-token
+
+        mockStsCallerIdentity.mockImplementation(() => {
+            return {
+                promise() {
+                   return Promise.resolve({ Account: '123456789012' });
+                }
+            };
+        });
     });
 
     test('exports env vars', async () => {
         await run();
-        expect(core.exportVariable).toHaveBeenCalledTimes(6);
+        expect(core.exportVariable).toHaveBeenCalledTimes(5);
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', 'MY-AWS-ACCESS-KEY-ID');
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', 'MY-AWS-SECRET-ACCESS-KEY');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', 'MY-AWS-SESSION-TOKEN');
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-2');
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_OUTPUT', 'json');
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_CONFIG_FILE', '/runner/home/.aws/config');
-        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SHARED_CREDENTIALS_FILE', '/runner/home/.aws/credentials');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-2');
+        expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
     });
 
-    test('aws can be configured for a different region', async () => {
+    test('session token is optional', async () => {
         core.getInput = jest
             .fn()
             .mockReturnValueOnce('MY-AWS-ACCESS-KEY-ID')     // aws-access-key-id
             .mockReturnValueOnce('MY-AWS-SECRET-ACCESS-KEY') // aws-secret-access-key
-            .mockReturnValueOnce('eu-west-1')                // aws-default-region
-            .mockReturnValueOnce('json');                    // aws-default-output
+            .mockReturnValueOnce('eu-west-1');               // aws-default-region
 
         await run();
+        expect(core.exportVariable).toHaveBeenCalledTimes(4);
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', 'MY-AWS-ACCESS-KEY-ID');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', 'MY-AWS-SECRET-ACCESS-KEY');
         expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1');
+        expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1');
+        expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '123456789012');
     });
 
     test('error is caught by core.setFailed', async () => {
-        io.mkdirP = jest
-            .fn()
-            .mockImplementation(() => {
-                throw new Error();
-            });
+        mockStsCallerIdentity.mockImplementation(() => {
+            throw new Error();
+        });
 
         await run();