From 9e84dee07d68b123a2e8764dcf075eab445997cd Mon Sep 17 00:00:00 2001 From: dsotirakis Date: Fri, 29 Nov 2024 16:55:34 +0200 Subject: [PATCH] Add action - expect to trigger check --- actions/aws-auth-new/CHANGELOG.md | 34 ++++++ actions/aws-auth-new/README.md | 115 +++++++++++++++++++++ actions/aws-auth-new/action.yaml | 74 +++++++++++++ actions/aws-auth-new/resolve-aws-region.sh | 25 +++++ 4 files changed, 248 insertions(+) create mode 100644 actions/aws-auth-new/CHANGELOG.md create mode 100644 actions/aws-auth-new/README.md create mode 100644 actions/aws-auth-new/action.yaml create mode 100755 actions/aws-auth-new/resolve-aws-region.sh diff --git a/actions/aws-auth-new/CHANGELOG.md b/actions/aws-auth-new/CHANGELOG.md new file mode 100644 index 000000000..d93213b6e --- /dev/null +++ b/actions/aws-auth-new/CHANGELOG.md 
@@ -0,0 +1,34 @@ +# Changelog + +## 1.0.0 (2024-11-27) + + +### 🎉 Features + +* **actions:** Create `aws-auth` composite action ([#67](https://github.com/grafana/shared-workflows/issues/67)) ([49b9885](https://github.com/grafana/shared-workflows/commit/49b9885e467b0544c76602d4e8b8ee342f6ea96b)) +* **aws-auth:** add workflow_ref claim ([#227](https://github.com/grafana/shared-workflows/issues/227)) ([c0e3298](https://github.com/grafana/shared-workflows/commit/c0e329819eb62c2cfb5611a56289a2017066b1e7)) + + +### 🐛 Bug Fixes + +* **aws-auth:** make script executable ([#485](https://github.com/grafana/shared-workflows/issues/485)) ([dfa5e58](https://github.com/grafana/shared-workflows/commit/dfa5e58bc01ab959770bb57a434c63fceb9a0783)) +* **aws-auth:** no such file for resolve-aws-region.sh ([#492](https://github.com/grafana/shared-workflows/issues/492)) ([84db55e](https://github.com/grafana/shared-workflows/commit/84db55e4f41ce257b365f8236ea6b2ce849da236)) +* **aws-auth:** support checked out action mode ([#484](https://github.com/grafana/shared-workflows/issues/484)) ([67c54c7](https://github.com/grafana/shared-workflows/commit/67c54c781187c4cf4c03a937b2029e03e82c19e4)) + + +### 📝 Documentation + +* **aws auth:** Mention `event_name` in passed claims ([#144](https://github.com/grafana/shared-workflows/issues/144)) ([28a818b](https://github.com/grafana/shared-workflows/commit/28a818be69fe2838d577205e53c9e8c411e68e20)) +* **aws-auth action:** Add example of IAM role setup ([#72](https://github.com/grafana/shared-workflows/issues/72)) ([014f020](https://github.com/grafana/shared-workflows/commit/014f020ca34fedea0827998db586c87125a778eb)) +* **aws-auth action:** fix permissions typo in example ([#75](https://github.com/grafana/shared-workflows/issues/75)) ([27696f8](https://github.com/grafana/shared-workflows/commit/27696f87003ba95a885a222367934a2e5e25848d)) +* **aws-auth:** use ref instead of workflow_ref ([#456](https://github.com/grafana/shared-workflows/issues/456)) 
([f0dd348](https://github.com/grafana/shared-workflows/commit/f0dd3480fa3e657d741dd9e8d9b999cfb61fc713)) + + +### 🤖 Continuous Integration + +* add workflow that lints shell scripts with ShellCheck ([#147](https://github.com/grafana/shared-workflows/issues/147)) ([570898e](https://github.com/grafana/shared-workflows/commit/570898eda6d4fb6c0e4d45a24bf9681c89a12aa6)) + + +### 🔧 Miscellaneous Chores + +* **deps:** update catnekaise/cognito-idpool-auth action to v1.0.2 ([#246](https://github.com/grafana/shared-workflows/issues/246)) ([a4c9c10](https://github.com/grafana/shared-workflows/commit/a4c9c10b1ed2b863ab85e1f655fc8dc960382271)) diff --git a/actions/aws-auth-new/README.md b/actions/aws-auth-new/README.md new file mode 100644 index 000000000..b3ac6cc35 --- /dev/null +++ b/actions/aws-auth-new/README.md 
@@ -0,0 +1,115 @@ +# aws-auth + +This is a composite GitHub Action used to authenticate and access resources in AWS. + +Example usage in a repository: + + + +```yaml +name: Authenticate to AWS +on: + pull_request: + +permissions: + id-token: write + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - id: aws-auth + uses: grafana/shared-workflows/actions/aws-auth@argo-lint-v1.0.0 + with: + aws-region: "us-west-1" + role-arn: "arn:aws:iam::366620023056:role/github-actions/s3-test-access" + pass-claims: "repository_owner, repository_name, job_workflow_ref, ref, event_name" + set-creds-in-environment: true + + - id: cat-file-from-s3-bucket + run: | + aws s3 cp 's3://grafanalabs-github-actions-test-repo/test.txt' 'test.txt' + cat 'test.txt' +``` + + + +## Inputs + + + +| Name | Type | Description | +| -------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `aws-region` | String | Specify AWS region to use that contain your resources (default: `us-east-2`) | +| `role-arn` | String | Specify custom workload role. Role ARN must be prefixed with `github-actions` e.g. `arn:aws:iam::366620023056:role/github-actions/s3-test-access` [^1] | +| `pass-claims` | String | `, `-separated list of [GitHub Actions claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) (session tags) to make available to `role-arn`. 
Currently supported claims (default): `"repository_owner, repository_name, job_workflow_ref, ref, event_name"` [^2] | +| `set-creds-in-environment` | Bool | Set environment variables for AWS CLI and SDKs (default: `true`) | +| `role-duration-seconds` | String | Role duration in seconds (default: `"3600"`) | + + + +[^1]: See [Setting up Workload Role](#setting-up-workload-role) for an example + +[^2]: GitHub OIDC token claims must be mapped to the Cognito Identity Pool before they can be used. If you would like to use a claim that is not listed, file an issue in this repo or reach out to `@platform-productivity` in `#platform`. + +This uses the [`cognito-idpool-auth`](https://github.com/catnekaise/cognito-idpool-auth) action to perform authentication with an Amazon Cognito Identity Pool using the GitHub Actions OIDC access token. + +## Setting up Workload Role + +IAM workload roles are used to grant permissions to AWS in a secure manner. From a workflow run, once authenticated, the role is granted temporary credentials to access AWS resources permitted by the associated IAM role and attached trust/permission policies. The following steps will guide you through the process of setting up an IAM workload role for read access to a single object in an S3 bucket. + +### Create IAM Role + +Ensure that the path is prefixed with `github-actions` when creating the role. The Cognito Identity Pool only allows authenticated roles that match the following naming pattern: `"arn:aws:iam::*:role/github-actions/*"`. + +The role should only be present in the account that contains the resources it needs to access. + +### Trust Policy + +This is where you provide additional constraints for when permissions are applied. The condition block can be customized as you see fit with additional [GitHub OIDC token claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) [^2]. 
+ +As this defines which GitHub Actions runs are allowed to use the role's permissions, it is critical to make these configurations as precise as possible. Furthermore, all runs are limited to be triggered exclusively from repositories under `grafana/`, and it is not possible to exceed this restriction. + +In this case, permissions are only granted when the `job_workflow_ref` tag matches the workflow that initiated the action. + +Example trust policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::590183704419:role/github-actions-oidc-jump-role" + }, + "Action": ["sts:AssumeRole", "sts:TagSession"], + "Condition": { + "StringEquals": { + "aws:PrincipalTag/job_workflow_ref": "grafana//.github/workflows/@refs/heads/main" + } + } + } + ] +} +``` + +### Permissions Policy + +This is where you define the minimum permissions necessary to do a specific operation. + +Example permissions policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["s3:GetObject"], + "Resource": "arn:aws:s3:::grafanalabs-github-actions-${aws:PrincipalTag/repository_name}/*" + } + ] +} +``` diff --git a/actions/aws-auth-new/action.yaml b/actions/aws-auth-new/action.yaml new file mode 100644 index 000000000..3ce0765d4 --- /dev/null +++ b/actions/aws-auth-new/action.yaml 
@@ -0,0 +1,74 @@ +name: Authenticate to AWS +description: Authenticate to AWS from GitHub Actions via OpenID Connect + +inputs: + aws-region: + default: "us-east-2" + required: true + description: "AWS region" + role-arn: + default: "" + required: true + description: "ARN of workload role" + pass-claims: + default: "event_name, repository_owner, repository_name, job_workflow_ref, ref" + required: true + description: "`, `-separated claims from GitHub ID token to make available to `role-arn`" + set-creds-in-environment: + default: "true" + required: false + description: "Set environment variables for AWS CLI and SDKs" + role-duration-seconds: + default: "3600" + required: false + description: "Role duration in seconds" + checkout-actions-repository-path: + description: "The path in the filesystem where this repository has been checked out. This is mandatory for setups where executing this action inside a local clone of the repository." + +outputs: + aws_access_key_id: + description: "AWS Access Key Id" + value: ${{ steps.auth.outputs.aws_access_key_id }} + aws_secret_access_key: + description: "AWS Secret Access Key" + value: ${{ steps.auth.outputs.aws_secret_access_key }} + aws_session_token: + description: "AWS Session Name" + value: ${{ steps.auth.outputs.aws_session_token }} + aws_region: + description: "AWS Region" + value: ${{ steps.aws_region.outputs.value }} + cognito_identity_oidc_access_token: + description: "Cognito Identity OIDC Access Token" + value: ${{ steps.auth.outputs.cognito_identity_oidc_access_token }} + +runs: + using: composite + steps: + - id: auth + uses: catnekaise/cognito-idpool-auth@41fcec30f55c069bc59f5773077c37477c743bf6 # v1.0.2 + with: + cognito-identity-pool-id: "us-east-2:3a4bca79-07af-4921-a9fb-e21475708406" + auth-flow: "enhanced" + aws-region: "us-east-2" + audience: "github-actions-cognito-identity-pool" + aws-account-id: "590183704419" + chain-role-session-name: "GitHubActions" + chain-role-arn: "${{ inputs.role-arn }}" + 
chain-role-duration-seconds: "${{ inputs.role-duration-seconds }}" + chain-pass-claims: "${{ inputs.pass-claims }}" + chain-set-in-environment: "${{ inputs.set-creds-in-environment }}" + + - id: aws_region + shell: bash + env: + AWS_REGION: "${{ inputs.aws-region }}" + AWS_DEFAULT_REGION: "${{ inputs.aws-region }}" + REPOSITORY_PATH: "${{ inputs.checkout-actions-repository-path }}" + run: | + if [[ ! -z "${REPOSITORY_PATH}" ]]; then + cd ${REPOSITORY_PATH}/actions/aws-auth + else + cd "${{ github.action_path }}" + fi + ./resolve-aws-region.sh diff --git a/actions/aws-auth-new/resolve-aws-region.sh b/actions/aws-auth-new/resolve-aws-region.sh new file mode 100755 index 000000000..9ff78f403 --- /dev/null +++ b/actions/aws-auth-new/resolve-aws-region.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# Pulled from catnekaise/cognito-idpool-auth/action.yml +# https://github.com/catnekaise/cognito-idpool-auth/blob/83ae9e159de469b3acd87ecb361d6b5957ee35ae/action.yml#L192-L227 +value="" + +if [ -n "${AWS_REGION}" ] && [ -n "${AWS_DEFAULT_REGION}" ]; then + value="$AWS_REGION" +fi + +readonly value + +if [ -z "${value}" ]; then + echo 'Unable to resolve what AWS region to use' + exit 1 +fi + +# Some-effort validation of aws region +if echo "${value}" | grep -Eqv '^[a-z]{2}-[a-z]{4,9}-[0-9]$'; then + echo 'Resolved value for AWS region is invalid' + exit 1 +fi + +echo "value=${value}" >> "${GITHUB_OUTPUT}" +echo "AWS_REGION=${AWS_REGION}" >> "${GITHUB_ENV}" +echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}" >> "${GITHUB_ENV}"
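Review bot: In the `aws_region` step the checked-out branch changes into `${REPOSITORY_PATH}/actions/aws-auth`, but this action lives in `actions/aws-auth-new`, so whenever `checkout-actions-repository-path` is set the step executes the sibling action's `resolve-aws-region.sh` (or fails if that directory is absent) rather than the script added in this commit. That `cd` is also unquoted while the `github.action_path` branch is quoted, so a checkout path containing spaces is word-split; `cd "${REPOSITORY_PATH}/actions/aws-auth-new"` addresses both, assuming this copy is meant to be runnable from a local clone. The `aws_session_token` output is described as "AWS Session Name", which reads like a copy-paste slip from `chain-role-session-name`; `description: "AWS Session Token"` matches the value it exposes. The `checkout-actions-repository-path` input declares neither `required` nor `default`, whereas every other input does; `required: false` plus `default: ""` would state the optionality that the `-z` test in the step already relies on.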
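Review bot: The last two lines write the raw `AWS_REGION` and `AWS_DEFAULT_REGION` environment variables to `GITHUB_ENV` rather than the `value` the regex check just validated, so `AWS_DEFAULT_REGION` lands in the job environment without ever having been checked. Writing the validated value to both, `echo "AWS_REGION=${value}" >> "${GITHUB_ENV}"` and `echo "AWS_DEFAULT_REGION=${value}" >> "${GITHUB_ENV}"`, keeps the `GITHUB_OUTPUT` and `GITHUB_ENV` values consistent with what was validated; in the current `action.yaml` both variables come from the same `aws-region` input, so this is a consistency and defence-in-depth point rather than an observed failure. Note also that `grep -Eqv` only rejects when some line fails the pattern, so a value that contains newlines passes as long as every line looks like a region; since `GITHUB_ENV` is line-oriented, rejecting any `value` containing a newline before the grep would close that gap. The first `if` requires both variables to be non-empty yet only ever uses `AWS_REGION`, which looks like a trimmed copy of the upstream fallback logic cited in the header comment; if `AWS_DEFAULT_REGION` is meant as a fallback, `elif [ -n "${AWS_DEFAULT_REGION}" ]; then value="$AWS_DEFAULT_REGION"` would restore it, otherwise the second test can be dropped so the script does not fail on `AWS_REGION` alone.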