Action give warning about long term credentials when using InstanceRole permissions on self-hosted runners

[bplessis-swi]

Describe the bug

Hi,

We are using self-hosted runners within our AWS account, with InstanceRole level permissions that allow for AssumeRole to different deploy roles. There is no long-term AWS credentials, or at least not in the common sense.

Warning: To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Expected Behavior

No warning should show up

Current Behavior

A warning pop-up for each call to configure-aws-credentials in our workflows

Warning: To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect. See https://s12d.com/gha-oidc-aws for more information.

Reproduction Steps

Simply using configure-aws-credentials without any credentials

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: ${{ env.AWS_REGION }}
        role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/${{ inputs.role-name }}
        role-duration-seconds: ${{ inputs.aws-credential-timeout }}

Possible Solution

No response

Additional Information/Context

No response

[peterwoodworth]

Thanks, i hadn't considered this case. I'm also not sure at all how we could properly detect this. I suppose we could add an "acknowledge-warning" prop, but that requires the user to take a step they shouldn't have to. Will need to look into this

[manumbs]

@peterwoodworth I'm not sure about this, but perhaps you could validate the presence of the AWS_ROLE_ARN and/or AWS_WEB_IDENTITY_TOKEN_FILE environment variables

[bplessis-swi]

Why not triggering the warning only when aws-access-key-id and/or aws-secret-access-key are in use/have been provided to the action ?

[asinbow]

The corresponding code:

configure-aws-credentials/src/assumeRole.ts

Lines 59 to 64 in a4d9254

	if (!process.env['AWS_SESSION_TOKEN']) {
	core.warning(
	'To avoid using long-term AWS credentials, please update your workflows to authenticate using OpenID Connect.' +
	' See https://s12d.com/gha-oidc-aws for more information.'
	);
	}

And the pull request: #871
It checks the environment variable: "AWS_SESSION_TOKEN".

[ponkio-o]

I am facing a similar problem. I agree with @bplessis-swi

I think the case where it can be determined that long-term credentials are being used is when only aws-access-key-id and aws-secret-access-key are configured.

[peterwoodworth]

I don't work with this team anymore so I cannot provide a review/merge, @tim-finnigan could you look into this please? I think I had assumed these variables would always be filled if it gets to that point, but that might not be the case based on the above comments.