fix: validation logic throwing unwanted errors (#818)

* fix: throws error even when valid credentials are present

* fix: throws error when invalid credentials are present despite not wanting to use them

Author: peterwoodworth

Diff for: .github/workflows/tests-integ.yml

@@ -1,4 +1,4 @@
-name: Run tests
+name: Run Integ tests
 
 on:
   workflow_dispatch:
@@ -27,6 +27,33 @@ jobs:
           role-duration-seconds: 900
           role-session-name: IntegOidcAssumeRole
           role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
+  integ-oidc-env:
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [[self-hosted, linux-fargate], windows-latest, ubuntu-latest, macos-latest]
+        node: [14, 16, 18]
+    name: Run OIDC integ tests with existing invalid env vars
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_ACCESS_KEY_ID: dummyaccesskeyid
+      AWS_SECRET_ACCESS_KEY: dummysecretkey
+      AWS_SESSION_TOKEN: dummytoken
+    timeout-minutes: 30
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v3
+      - name: Integ test for OIDC
+        uses: ./
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_OIDC_AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+          role-session-name: IntegOidcAssumeRole
+          role-external-id: ${{ secrets.SECRETS_OIDC_AWS_ROLE_EXTERNAL_ID }}
   integ-access-keys:
     strategy:
       fail-fast: false

Diff for: dist/index.js

@@ -128,15 +128,13 @@ export async function run() {
       // the source credentials to already be masked as secrets
       // in any error messages.
       exportCredentials({ AccessKeyId, SecretAccessKey, SessionToken });
-    } else if (
-      !webIdentityTokenFile &&
-      !roleChaining &&
-      !(process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])
-    ) {
-      throw new Error('Could not determine how to assume credentials. Please check your inputs and try again.');
+    } else if (!webIdentityTokenFile && !roleChaining) {
+      // Proceed only if credentials can be picked up
+      await credentialsClient.validateCredentials();
+      sourceAccountId = await exportAccountId(credentialsClient, maskAccountId);
     }
 
-    if (AccessKeyId || roleChaining || (process.env['AWS_ACCESS_KEY_ID'] && process.env['AWS_SECRET_ACCESS_KEY'])) {
+    if (AccessKeyId || roleChaining) {
       // Validate that the SDK can actually pick up credentials.
       // This validates cases where this action is using existing environment credentials,
       // and cases where the user intended to provide input credentials but the secrets inputs resolved to empty strings.

Diff for: src/index.ts

@@ -202,7 +202,7 @@ describe('Configure AWS Credentials', () => {
     await run();
 
     expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers'
     );
   });
 
@@ -217,7 +217,7 @@ describe('Configure AWS Credentials', () => {
     await run();
 
     expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: Access key ID empty after loading credentials'
     );
   });
 
@@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
   });
 
   test('GH OIDC check fails if token is not set', async () => {
+    (fromEnv as jest.Mock).mockReset();
     process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
     process.env['GITHUB_ACTIONS'] = 'true';
     jest.spyOn(core, 'getInput').mockImplementation(
@@ -524,7 +525,7 @@ describe('Configure AWS Credentials', () => {
         ' If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.'
     );
     expect(core.setFailed).toHaveBeenCalledWith(
-      'Could not determine how to assume credentials. Please check your inputs and try again.'
+      'Credentials could not be loaded, please check your action inputs: provider is not a function'
     );
   });