 

How do AWS credentials work in GitHub Actions?

In my unit tests, I'm using aws-sdk to test SES, which needs some credentials. We are facing a problem accessing the secrets with GitHub Actions.

At the beginning I was trying to write the values to ~/.aws/credentials using the run command in GitHub workflows:

# .github/workflows/nodejs.yml
steps:
  ...
  - name: Unit Test
    run: |
      mkdir -p ~/.aws
      touch ~/.aws/credentials

      echo "[default]
      aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws_secret_access_key = ${{ secrets.AWS_SECRET_KEY_ID }}
      region = ${AWS_DEFAULT_REGION}

      [github]
      role_arn = arn:aws:iam::{accountID}:role/{role}
      source_profile = default" > ~/.aws/credentials 

      npm test
    env:
      AWS_DEFAULT_REGION: us-east-1
      CI: true

Originally my test file:

// ses.test.js
const AWS = require("aws-sdk")
const credentials = new AWS.SharedIniFileCredentials({ profile: "github" })
AWS.config.update({ credentials })
...

I tried another way to get credentials in my tests, like this, and it also doesn't work:

const AWS = require("aws-sdk")
const credentials = new AWS.ChainableTemporaryCredentials({
  params: {RoleArn: "arn:aws:iam::{accountID}:role/{role}"},
  masterCredentials: new AWS.EnvironmentCredentials("AWS")
})

AWS.config.update({ credentials })

Finally, I tried to create a custom Action (using the Actions JS libraries such as @actions/core, @actions/io, @actions/exec) to get the AWS env values and set them in ~/.aws/credentials, but it also doesn't work as expected.

One way that worked was exposing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (without using GitHub Actions secrets; not ideal, for security purposes).

Does anyone have any ideas how AWS credentials could work in GitHub Actions with secrets?

Thanks a lot for your attention.

fsilva asked Oct 31 '19 12:10


2 Answers

Luckily, the aws-sdk should automatically detect credentials set as environment variables and use them for requests.

To get access to secrets in your action, you need to set them in the repo. Then you can expose them to the step as an env var.

For more details, see GitHub Encrypted secrets.

  1. On GitHub, navigate to the main page of the repository
  2. Under your repository name, click the ⚙ Settings tab
  3. In the left sidebar, click Secrets
  4. Type a name for your secret in the "Name" input box
  5. Type the value for your secret
  6. Click Add secret

In your case you will want to add secrets for both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Now that those are set you can pass those values into the action via the workflow yaml:

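steps:
...
- name: Unit Test
  # A step takes either `uses` or `run`, not both; the test step here uses `run`.
  env:
    # Map the repository secrets to the variable names the AWS SDK reads.
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  run: ...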
csexton answered Sep 24 '22 12:09
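A preflight check for the environment-variable approach in the answer above, as an added example that is not part of the original question or answers: it reports which of the variables read by aws-sdk's `EnvironmentCredentials("AWS")` are missing, empty or misnamed, without returning or printing any secret value. The function name `checkAwsEnv` and the sample environments are assumptions constructed for illustration.

```javascript
// Added example: names below are the ones EnvironmentCredentials("AWS") reads.
const REQUIRED = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"];
const OPTIONAL = ["AWS_SESSION_TOKEN"];

// Hypothetical helper. Reports variable names only, never their values.
function checkAwsEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const value = env[name];
    if (value === undefined) {
      problems.push(`${name} is not set; map it under env: for the step`);
    } else if (value.trim() === "") {
      // Actions expands a reference to a missing secret to an empty string.
      problems.push(`${name} is empty; check the secret name in the workflow`);
    } else if (value !== value.trim()) {
      problems.push(`${name} has leading or trailing whitespace`);
    }
  }
  // AWS_* key/secret names the SDK does not read are usually typos.
  const known = new Set([...REQUIRED, ...OPTIONAL]);
  for (const name of Object.keys(env)) {
    if (/^AWS_.*(KEY|SECRET)/.test(name) && !known.has(name)) {
      problems.push(`${name} is not a credential variable the SDK reads`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample environments (no real credentials).
const goodEnv = {
  AWS_ACCESS_KEY_ID: "AKIAEXAMPLEEXAMPLE00",
  AWS_SECRET_ACCESS_KEY: "constructed-placeholder-value",
};
const badEnv = {
  AWS_ACCESS_KEY_ID: "", // secret reference that resolved to nothing
  AWS_SECRET_KEY_ID: "constructed-placeholder-value", // misnamed variable
};

console.log(checkAwsEnv(goodEnv));
console.log(checkAwsEnv(badEnv));
// In a test setup file, call checkAwsEnv(process.env) and fail fast if !ok.
```
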


Take a look at: https://github.com/aws-actions/configure-aws-credentials

It allows you to configure AWS credential and region environment variables for use in other GitHub Actions. The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls.

Dennis Kieselhorst answered Sep 25 '22 12:09