schmalz/shared-actions
15
0
Fork 0
Code Issues Pull requests 2 Releases Packages Activity Actions

Merge pull request 'refactor: update AWS configuration action and README' (#6) from refactor/aws-configure into main

Browse source 
Reviewed-on: #6
Reviewed-by: Markus.Opahle@schmalz.de <Markus.Opahle@schmalz.de>
This commit is contained in:
Michael.Seele@schmalz.de 2026-04-30 12:03:03 +00:00
commit a320b8a6f0
Signed by: schmalz-git.git.onstackit.cloud
GPG key ID: 569DFBE669A0D544
2 changed files with 10 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

3
aws-configure/README.md
View file

@ -7,13 +7,12 @@ Authenticate with AWS via OIDC and export credentials to the environment.
| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| `role-arn` | Yes | | Full IAM role ARN |
| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
| `region` | No | `eu-central-1` | AWS region |
## Usage
```yaml
- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/aws-configure@aws-configure-v1
with:
role-arn: arn:aws:iam::123456789012:role/my-role
```

41
aws-configure/action.yml
View file

@ -1,14 +1,10 @@
name: aws-configure
description: Authenticate with AWS via OIDC
description: Authenticate with AWS via OIDC and export credentials to the environment.
inputs:
role-arn:
description: Full IAM role ARN
description: Full IAM role ARN to assume via OIDC
required: true
aws-profile:
description: Profile name written to ~/.aws/config
required: false
default: default
region:
description: AWS region
required: false
@ -17,29 +13,10 @@ inputs:
runs:
using: composite
steps:
- run: |
OIDC_TOKEN=$(curl -sf \
-H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
CREDS=$(aws sts assume-role-with-web-identity \
--role-arn "$INPUT_ROLE_ARN" \
--role-session-name forgejo-ci \
--web-identity-token "$OIDC_TOKEN" \
--region "$INPUT_REGION" \
--query 'Credentials' --output json)
mkdir -p ~/.aws
echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
if [ "$INPUT_AWS_PROFILE" != "default" ]; then
aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
fi
shell: bash
# Pinned to commit SHA instead of a tag to prevent supply chain attacks.
# aws-actions/configure-aws-credentials v6.1.0 — https://code.forgejo.org/aws-actions/configure-aws-credentials/commits/tag/v6
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37
with:
role-to-assume: ${{ inputs.role-arn }}
aws-region: ${{ inputs.region }}