Add action - expect to trigger check
dsotirakis committed Nov 29, 2024
1 parent 84f5137 commit 9e84dee
Showing 4 changed files with 248 additions and 0 deletions.
34 changes: 34 additions & 0 deletions actions/aws-auth-new/CHANGELOG.md
@@ -0,0 +1,34 @@
# Changelog

## 1.0.0 (2024-11-27)


### 🎉 Features

* **actions:** Create `aws-auth` composite action ([#67](https://github.com/grafana/shared-workflows/issues/67)) ([49b9885](https://github.com/grafana/shared-workflows/commit/49b9885e467b0544c76602d4e8b8ee342f6ea96b))
* **aws-auth:** add workflow_ref claim ([#227](https://github.com/grafana/shared-workflows/issues/227)) ([c0e3298](https://github.com/grafana/shared-workflows/commit/c0e329819eb62c2cfb5611a56289a2017066b1e7))


### 🐛 Bug Fixes

* **aws-auth:** make script executable ([#485](https://github.com/grafana/shared-workflows/issues/485)) ([dfa5e58](https://github.com/grafana/shared-workflows/commit/dfa5e58bc01ab959770bb57a434c63fceb9a0783))
* **aws-auth:** no such file for resolve-aws-region.sh ([#492](https://github.com/grafana/shared-workflows/issues/492)) ([84db55e](https://github.com/grafana/shared-workflows/commit/84db55e4f41ce257b365f8236ea6b2ce849da236))
* **aws-auth:** support checked out action mode ([#484](https://github.com/grafana/shared-workflows/issues/484)) ([67c54c7](https://github.com/grafana/shared-workflows/commit/67c54c781187c4cf4c03a937b2029e03e82c19e4))


### 📝 Documentation

* **aws auth:** Mention `event_name` in passed claims ([#144](https://github.com/grafana/shared-workflows/issues/144)) ([28a818b](https://github.com/grafana/shared-workflows/commit/28a818be69fe2838d577205e53c9e8c411e68e20))
* **aws-auth action:** Add example of IAM role setup ([#72](https://github.com/grafana/shared-workflows/issues/72)) ([014f020](https://github.com/grafana/shared-workflows/commit/014f020ca34fedea0827998db586c87125a778eb))
* **aws-auth action:** fix permissions typo in example ([#75](https://github.com/grafana/shared-workflows/issues/75)) ([27696f8](https://github.com/grafana/shared-workflows/commit/27696f87003ba95a885a222367934a2e5e25848d))
* **aws-auth:** use ref instead of workflow_ref ([#456](https://github.com/grafana/shared-workflows/issues/456)) ([f0dd348](https://github.com/grafana/shared-workflows/commit/f0dd3480fa3e657d741dd9e8d9b999cfb61fc713))


### 🤖 Continuous Integration

* add workflow that lints shell scripts with ShellCheck ([#147](https://github.com/grafana/shared-workflows/issues/147)) ([570898e](https://github.com/grafana/shared-workflows/commit/570898eda6d4fb6c0e4d45a24bf9681c89a12aa6))


### 🔧 Miscellaneous Chores

* **deps:** update catnekaise/cognito-idpool-auth action to v1.0.2 ([#246](https://github.com/grafana/shared-workflows/issues/246)) ([a4c9c10](https://github.com/grafana/shared-workflows/commit/a4c9c10b1ed2b863ab85e1f655fc8dc960382271))
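Review bot: the changelog for the new `actions/aws-auth-new` directory reproduces the `aws-auth` history verbatim (every entry links to `aws-auth` issues and commits, and the 1.0.0 heading is dated 2024-11-27), so a reader would take this as the release history of a separately published action. If this directory exists only to exercise the check named in the commit message, say so in a comment at the top of the file or leave the file out; if it is a real fork of the action, start it at its own first version with an entry that explains how it differs from `aws-auth`.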
115 changes: 115 additions & 0 deletions actions/aws-auth-new/README.md
@@ -0,0 +1,115 @@
# aws-auth

This is a composite GitHub Action used to authenticate and access resources in AWS.

Example usage in a repository:

<!-- x-release-please-start-version -->

```yaml
name: Authenticate to AWS
on:
pull_request:

permissions:
id-token: write

jobs:
build:
runs-on: ubuntu-latest

steps:
- id: aws-auth
uses: grafana/shared-workflows/actions/[email protected]
with:
aws-region: "us-west-1"
role-arn: "arn:aws:iam::366620023056:role/github-actions/s3-test-access"
pass-claims: "repository_owner, repository_name, job_workflow_ref, ref, event_name"
set-creds-in-environment: true

- id: cat-file-from-s3-bucket
run: |
aws s3 cp 's3://grafanalabs-github-actions-test-repo/test.txt' 'test.txt'
cat 'test.txt'
```
<!-- x-release-please-end-version -->
## Inputs
<!-- markdownlint-disable no-space-in-code -->
| Name | Type | Description |
| -------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `aws-region` | String | Specify AWS region to use that contain your resources (default: `us-east-2`) |
| `role-arn` | String | Specify custom workload role. Role ARN must be prefixed with `github-actions` e.g. `arn:aws:iam::366620023056:role/github-actions/s3-test-access` [^1] |
| `pass-claims` | String | `, `-separated list of [GitHub Actions claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) (session tags) to make available to `role-arn`. Currently supported claims (default): `"repository_owner, repository_name, job_workflow_ref, ref, event_name"` [^2] |
| `set-creds-in-environment` | Bool | Set environment variables for AWS CLI and SDKs (default: `true`) |
| `role-duration-seconds` | String | Role duration in seconds (default: `"3600"`) |

<!-- markdownlint-restore -->

[^1]: See [Setting up Workload Role](#setting-up-workload-role) for an example

[^2]: GitHub OIDC token claims must be mapped to the Cognito Identity Pool before they can be used. If you would like to use a claim that is not listed, file an issue in this repo or reach out to `@platform-productivity` in `#platform`.

This uses the [`cognito-idpool-auth`](https://github.com/catnekaise/cognito-idpool-auth) action to perform authentication with an Amazon Cognito Identity Pool using the GitHub Actions OIDC access token.

## Setting up Workload Role

IAM workload roles are used to grant permissions to AWS in a secure manner. From a workflow run, once authenticated, the role is granted temporary credentials to access AWS resources permitted by the associated IAM role and attached trust/permission policies. The following steps will guide you through the process of setting up an IAM workload role for read access to a single object in an S3 bucket.

### Create IAM Role

Ensure that the path is prefixed with `github-actions` when creating the role. The Cognito Identity Pool only allows authenticated roles that match the following naming pattern: `"arn:aws:iam::*:role/github-actions/*"`.

The role should only be present in the account that contains the resources it needs to access.

### Trust Policy

This is where you provide additional constraints for when permissions are applied. The condition block can be customized as you see fit with additional [GitHub OIDC token claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) [^2].

As this defines which GitHub Actions runs are allowed to use the role's permissions, it is critical to make these configurations as precise as possible. Furthermore, all runs are limited to be triggered exclusively from repositories under `grafana/`, and it is not possible to exceed this restriction.

In this case, permissions are only granted when the `job_workflow_ref` tag matches the workflow that initiated the action.

Example trust policy:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::590183704419:role/github-actions-oidc-jump-role"
},
"Action": ["sts:AssumeRole", "sts:TagSession"],
"Condition": {
"StringEquals": {
"aws:PrincipalTag/job_workflow_ref": "grafana/<REPO>/.github/workflows/<WORKFLOW_FILE>@refs/heads/main"
}
}
}
]
}
```

### Permissions Policy

This is where you define the minimum permissions necessary to do a specific operation.

Example permissions policy:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::grafanalabs-github-actions-${aws:PrincipalTag/repository_name}/*"
}
]
}
```
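Review bot: the inputs table is missing `checkout-actions-repository-path`, which `action.yaml` in this same commit declares and which changes where the region-resolving step runs from; add a row describing it as the path of a local checkout of this repository, used when the action is invoked from a clone rather than by reference. Two smaller points: the `uses:` line in the usage example reads `grafana/shared-workflows/actions/[email protected]`, which is not a valid `owner/repo/path@ref` reference and should be restored to the intended `aws-auth@<version>` form, and the example permissions policy scopes the bucket by `${aws:PrincipalTag/repository_name}`, so it is worth stating next to the `pass-claims` row that `repository_name` must stay in the list for that policy to match. The `pass-claims` default listed here also orders the claims differently from the default in `action.yaml`; the set is the same, but keeping the two strings identical avoids a reader assuming the order matters.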
74 changes: 74 additions & 0 deletions actions/aws-auth-new/action.yaml
@@ -0,0 +1,74 @@
name: Authenticate to AWS
description: Authenticate to AWS from GitHub Actions via OpenID Connect

inputs:
aws-region:
default: "us-east-2"
required: true
description: "AWS region"
role-arn:
default: ""
required: true
description: "ARN of workload role"
pass-claims:
default: "event_name, repository_owner, repository_name, job_workflow_ref, ref"
required: true
description: "`, `-separated claims from GitHub ID token to make available to `role-arn`"
set-creds-in-environment:
default: "true"
required: false
description: "Set environment variables for AWS CLI and SDKs"
role-duration-seconds:
default: "3600"
required: false
description: "Role duration in seconds"
checkout-actions-repository-path:
description: "The path in the filesystem where this repository has been checked out. This is mandatory for setups where executing this action inside a local clone of the repository."

outputs:
aws_access_key_id:
description: "AWS Access Key Id"
value: ${{ steps.auth.outputs.aws_access_key_id }}
aws_secret_access_key:
description: "AWS Secret Access Key"
value: ${{ steps.auth.outputs.aws_secret_access_key }}
aws_session_token:
description: "AWS Session Name"
value: ${{ steps.auth.outputs.aws_session_token }}
aws_region:
description: "AWS Region"
value: ${{ steps.aws_region.outputs.value }}
cognito_identity_oidc_access_token:
description: "Cognito Identity OIDC Access Token"
value: ${{ steps.auth.outputs.cognito_identity_oidc_access_token }}

runs:
using: composite
steps:
- id: auth
uses: catnekaise/cognito-idpool-auth@41fcec30f55c069bc59f5773077c37477c743bf6 # v1.0.2
with:
cognito-identity-pool-id: "us-east-2:3a4bca79-07af-4921-a9fb-e21475708406"
auth-flow: "enhanced"
aws-region: "us-east-2"
audience: "github-actions-cognito-identity-pool"
aws-account-id: "590183704419"
chain-role-session-name: "GitHubActions"
chain-role-arn: "${{ inputs.role-arn }}"
chain-role-duration-seconds: "${{ inputs.role-duration-seconds }}"
chain-pass-claims: "${{ inputs.pass-claims }}"
chain-set-in-environment: "${{ inputs.set-creds-in-environment }}"

- id: aws_region
shell: bash
env:
AWS_REGION: "${{ inputs.aws-region }}"
AWS_DEFAULT_REGION: "${{ inputs.aws-region }}"
REPOSITORY_PATH: "${{ inputs.checkout-actions-repository-path }}"
run: |
if [[ ! -z "${REPOSITORY_PATH}" ]]; then
cd ${REPOSITORY_PATH}/actions/aws-auth
else
cd "${{ github.action_path }}"
fi
./resolve-aws-region.sh
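Review bot: the `cd ${REPOSITORY_PATH}/actions/aws-auth` in the `aws_region` step points at the original action's directory, while this file lives in `actions/aws-auth-new`, so the checked-out-repository mode would run the other action's `resolve-aws-region.sh` rather than the one added in this commit; change it to `actions/aws-auth-new` (or derive the directory from the action's own location) and quote the expansion, `cd "${REPOSITORY_PATH}/actions/aws-auth-new"`, so a path containing spaces cannot split into several arguments. Two smaller points: the `aws_session_token` output is described as "AWS Session Name" and should read "AWS Session Token", and `role-arn` is `required: true` with a default of `""`, which lets an empty ARN through to `chain-role-arn`; either drop the default or fail early when it is empty, and since the README states the role path must be prefixed with `github-actions`, this is also the place to check that prefix before calling the auth step.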
25 changes: 25 additions & 0 deletions actions/aws-auth-new/resolve-aws-region.sh
@@ -0,0 +1,25 @@
#!/bin/sh
# Pulled from catnekaise/cognito-idpool-auth/action.yml
# https://github.com/catnekaise/cognito-idpool-auth/blob/83ae9e159de469b3acd87ecb361d6b5957ee35ae/action.yml#L192-L227
value=""

if [ -n "${AWS_REGION}" ] && [ -n "${AWS_DEFAULT_REGION}" ]; then
value="$AWS_REGION"
fi

readonly value

if [ -z "${value}" ]; then
echo 'Unable to resolve what AWS region to use'
exit 1
fi

# Some-effort validation of aws region
if echo "${value}" | grep -Eqv '^[a-z]{2}-[a-z]{4,9}-[0-9]$'; then
echo 'Resolved value for AWS region is invalid'
exit 1
fi

echo "value=${value}" >> "${GITHUB_OUTPUT}"
echo "AWS_REGION=${AWS_REGION}" >> "${GITHUB_ENV}"
echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}" >> "${GITHUB_ENV}"
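Review bot: the region is validated through `value` (assigned from `AWS_REGION`), but the two `GITHUB_ENV` lines at the end export the raw `AWS_REGION` and `AWS_DEFAULT_REGION` instead, so `AWS_DEFAULT_REGION` is never validated and a mismatched pair of inputs would pass the check while exporting two different regions; write `AWS_REGION=${value}` and `AWS_DEFAULT_REGION=${value}` so what is exported is exactly what was checked. The guard also requires both variables to be non-empty, which is fine with the caller in `action.yaml` setting both from one input, but a comment saying so would stop the next reader from wondering why a set `AWS_REGION` on its own is rejected.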
