Support option to generate session token based on IAM User

[semora81]

New Issue description

I would like to use this action to generate a session token based on an IAM User. This can be done by using the GetSessionToken API call

Original Issue

Hi, i've been trying to get the aws credentials initialized for a job and then run a terraform init on a s3 backend for the terraform state.

after running the configure-aws-credentials action there is no AWS_SESSION_TOKEN set.

I dumped the env var to validate :

AWS_DEFAULT_REGION=ca-central-1
AWS_REGION=ca-central-1
AWS_SECRET_ACCESS_KEY=***
AWS_ACCESS_KEY_ID=***

so when I get to running terraform it tells me : Error: error configuring S3 Backend: IAM Role xxxxx cannot be assumed.

When I look at the code, the function exportCredentials is where this env variable is set but, it is only referenced in two locations.

1. inside the assume role context , called with :
   exportCredentials(roleCredentials);

2. early in the run function to export the accesKeyId and secretAccessKey env variables.

if I am not assuming a role, sessionToken is never initialized it seems and never exported.

am I missing something? pretty new to actions so any help will be appreciated!

[matanr-orca]

it's not working for me as well, it uses the local keys of the self hosted runner even if i give it custom ones :(

[peterwoodworth]

Can I get some clarification on how exactly you're trying to authenticate and what you're expecting the action to do? Please share your workflow file, thanks

[semora81]

Hi @peterwoodworth,

the authentication I was trying to do was fairly simple, it ended up having to be this :

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ca-central-1
    role-to-assume: xxxxxxxxxx

- name: terraform format
  id: fmt
  run: terraform fmt -check -diff

- name: terraform init
  id: init
  run: terraform init -backend-config prod.hcl 

If I omitted the role-to-assume in the "with" section, it would not generate a valid authentication in the env variables that are required for using terraform afterwards in the workflow.

so in essence, if I am logging in with a simple username / password and not assuming any roles, then authentication would fail in the terraform init command.

in other words : the ouput from aws-actions/configure-aws-credentials@v1 for setting up the env is / was not complete when not assuming a role

in this example, the statefile is a file on a S3 bucket and a dynamo db is used for remote state locking

is this clearer ?

[peterwoodworth]

Thanks for the explanation @semora81,

We don't currently support setting the session token when using keys as your authentication method and not supplying a role. To support that, we would need to implement an option to use the GetSessionToken API call. This API call is AFAIK the only way to generate a non-federation session token without specifying a role.

For now if you need to use a session token to authenticate with terraform, you will need to specify a role to assume.

[semora81]

Yeah, assuming a role is what my code has ended up doing since I had opened this!

I think I remember doing it manually with the Amazon CLI or curl, and yes, I had to call the getsessiontoken api to get a session token back, and then set it up in env, so I could call terraform.

When I started this I had no role setup in the target account and I was trying to test with a service account we had setup in IAM.

Thanks for the update!