From 290a866e2d6be48ef95ccd18b873da6022d95b49 Mon Sep 17 00:00:00 2001
From: Laurence Armstrong
Date: Fri, 24 Jan 2020 10:56:59 +0900
Subject: [PATCH 1/3] Set role credentials as secrets to mask them in logs

---
 index.js      | 18 +++++++++++++++++-
 index.test.js |  4 ++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index ef4072fe7..605c7bcce 100644
--- a/index.js
+++ b/index.js
@@ -72,6 +72,22 @@ function exportCredentials(params){
   }
 }
 
+function exportRoleCredentials(params) {
+  // Unlike existing Github Actions secrets, role credentials will not automatically be masked in logs.
+  // Hence, this must be done explicitly.
+  exportCredentials(params);
+  maskCredentials(params);
+}
+
+function maskCredentials(params) {
+  const {accessKeyId, secretAccessKey, sessionToken} = params;
+
+  // Setting these AWS credentails as secrets masks them in Github Actions logs
+  core.setSecret('AWS_ACCESS_KEY_ID', accessKeyId);
+  core.setSecret('AWS_SECRET_ACCESS_KEY', secretAccessKey);
+  core.setSecret('AWS_SESSION_TOKEN', sessionToken);
+}
+
 function exportRegion(region) {
   // AWS_DEFAULT_REGION and AWS_REGION:
   // Specifies the AWS Region to send requests to
@@ -106,7 +122,7 @@ async function run() {
       const roleCredentials = await assumeRole(
         {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
       );
-      exportCredentials(roleCredentials);
+      exportRoleCredentials(roleCredentials);
     } else {
       exportCredentials({accessKeyId, secretAccessKey, sessionToken});
     }
diff --git a/index.test.js b/index.test.js
index cf5ca3aa1..f995106fa 100644
--- a/index.test.js
+++ b/index.test.js
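Review bot: The three `core.setSecret` calls in `maskCredentials` pass two arguments, but `@actions/core`'s `setSecret(secret)` takes only the value to hide and emits it as an `add-mask` command, so what gets masked here is the literal `'AWS_ACCESS_KEY_ID'` (and friends) while the credential values themselves stay printable in the job log — unless this repository wraps `core` with a two-argument helper of its own, which the hunk does not show. The calls should be `core.setSecret(accessKeyId);`, `core.setSecret(secretAccessKey);` and `core.setSecret(sessionToken);`. The session-token call also runs unconditionally, whereas the export of `AWS_SESSION_TOKEN` in `exportCredentials` (outside this hunk) appears to be guarded, so it should sit under the same `if (sessionToken)` check rather than registering `undefined` as a secret.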
@@ -171,9 +171,13 @@ describe('Configure AWS Credentials', () => {
     await run();
     expect(mockStsAssumeRole).toHaveBeenCalledTimes(1);
     expect(core.exportVariable).toHaveBeenCalledTimes(5);
+    expect(core.setSecret).toHaveBeenCalledTimes(4);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', FAKE_REGION);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', FAKE_REGION);
     expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID);

From 8dfcf286966eaa2e0f340ee60bc3cae2b6f00408 Mon Sep 17 00:00:00 2001
From: Laurence Armstrong
Date: Tue, 28 Jan 2020 11:17:40 +0900
Subject: [PATCH 2/3] Always set aws credentuals as secrets

---
 index.js      | 24 ++++++------------------
 index.test.js | 11 ++++++++++-
 2 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/index.js b/index.js
index 605c7bcce..e6b2bff86 100644
--- a/index.js
+++ b/index.js
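Review bot: The added `expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID)` line and its two siblings pin a two-argument call shape that `@actions/core`'s `setSecret` does not take (it reads only its first argument), so this test passes while the credential value would not actually be masked at runtime. Because `core` is mocked, Jest cannot observe what the runner masks; the assertion is the only guard and should be `expect(core.setSecret).toHaveBeenCalledWith(FAKE_STS_ACCESS_KEY_ID);` (likewise for the secret key and session token). The `toHaveBeenCalledTimes(4)` count presumably includes one unrelated `setSecret` call made elsewhere in `run()` — the account-id masking, I assume, though that code is not in this hunk — and a short comment such as `// 3 credential values + the account id` would make the number less brittle. The enclosing `test(...)` callback starts before this hunk.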
@@ -54,40 +54,28 @@ async function assumeRole(params) {
 }
 
 function exportCredentials(params){
-  // Configure the AWS CLI and AWS SDKs using environment variables
+  // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets
+  // Setting the credentails as secrets masks them in Github Actions logs
   const {accessKeyId, secretAccessKey, sessionToken} = params;
 
   // AWS_ACCESS_KEY_ID:
   // Specifies an AWS access key associated with an IAM user or role
   core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
+  core.setSecret('AWS_ACCESS_KEY_ID', accessKeyId);
 
   // AWS_SECRET_ACCESS_KEY:
   // Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
   core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
+  core.setSecret('AWS_SECRET_ACCESS_KEY', secretAccessKey);
 
   // AWS_SESSION_TOKEN:
   // Specifies the session token value that is required if you are using temporary security credentials.
   if (sessionToken) {
     core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
+    core.setSecret('AWS_SESSION_TOKEN', sessionToken);
   }
 }
 
-function exportRoleCredentials(params) {
-  // Unlike existing Github Actions secrets, role credentials will not automatically be masked in logs.
-  // Hence, this must be done explicitly.
-  exportCredentials(params);
-  maskCredentials(params);
-}
-
-function maskCredentials(params) {
-  const {accessKeyId, secretAccessKey, sessionToken} = params;
-
-  // Setting these AWS credentails as secrets masks them in Github Actions logs
-  core.setSecret('AWS_ACCESS_KEY_ID', accessKeyId);
-  core.setSecret('AWS_SECRET_ACCESS_KEY', secretAccessKey);
-  core.setSecret('AWS_SESSION_TOKEN', sessionToken);
-}
-
 function exportRegion(region) {
   // AWS_DEFAULT_REGION and AWS_REGION:
   // Specifies the AWS Region to send requests to
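Review bot: `core.setSecret('AWS_ACCESS_KEY_ID', accessKeyId)` and the two calls modelled on it mask the wrong string: `@actions/core`'s `setSecret` takes a single argument, the value to hide, so these register the environment-variable names as secrets and the access key, secret key and session token remain printable in the job log, which defeats the purpose of the commit (unless `core` here is a local wrapper with a two-argument signature, which the hunk does not show). Each call should pass only the value, and it is safer to register the mask before `core.exportVariable` writes the value into the runner's command stream, so the value is never emitted unmasked even with step debugging enabled. The `if (sessionToken)` guard around the session-token pair is correct and should stay; folding the masking into `exportCredentials` for both the static and the assumed-role path is also the right call.

```javascript
function exportCredentials(params){
  // … unchanged: header comments and destructuring of params …
  // Register each value with the runner's masker before it is written anywhere.
  core.setSecret(accessKeyId);
  core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
  // … unchanged: AWS_SECRET_ACCESS_KEY comment …
  core.setSecret(secretAccessKey);
  core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
  // … unchanged: AWS_SESSION_TOKEN comment …
  if (sessionToken) {
    core.setSecret(sessionToken);
    core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
  }
}
```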
@@ -122,7 +110,7 @@ async function run() {
       const roleCredentials = await assumeRole(
         {accessKeyId, secretAccessKey, sessionToken, region, roleToAssume, roleDurationSeconds}
       );
-      exportRoleCredentials(roleCredentials);
+      exportCredentials(roleCredentials);
     } else {
       exportCredentials({accessKeyId, secretAccessKey, sessionToken});
     }
diff --git a/index.test.js b/index.test.js
index f995106fa..9db2f8df9 100644
--- a/index.test.js
+++ b/index.test.js
@@ -97,9 +97,13 @@ describe('Configure AWS Credentials', () => {
     await run();
     expect(mockStsAssumeRole).toHaveBeenCalledTimes(0);
     expect(core.exportVariable).toHaveBeenCalledTimes(5);
+    expect(core.setSecret).toHaveBeenCalledTimes(4);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', FAKE_SESSION_TOKEN);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SESSION_TOKEN', FAKE_SESSION_TOKEN);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', FAKE_REGION);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', FAKE_REGION);
     expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID);
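Review bot: In the `index.test.js` hunk, the added `expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID)` assertions (and the secret-key and session-token ones below them) encode a two-argument call that `@actions/core`'s single-argument `setSecret` would not honour, so the suite would keep passing even though the static credentials this test exercises are never actually masked. Assert on the value alone, `expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCESS_KEY_ID);`, and consider a negative check such as `expect(core.setSecret).not.toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', expect.anything());` so that a regression to name-masking fails loudly rather than being codified. The enclosing `test(...)` callback starts before this hunk.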
@@ -115,8 +119,11 @@ describe('Configure AWS Credentials', () => {
     await run();
     expect(mockStsAssumeRole).toHaveBeenCalledTimes(0);
     expect(core.exportVariable).toHaveBeenCalledTimes(4);
+    expect(core.setSecret).toHaveBeenCalledTimes(3);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1');
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1');
     expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID);
@@ -133,11 +140,13 @@ describe('Configure AWS Credentials', () => {
     expect(mockStsAssumeRole).toHaveBeenCalledTimes(0);
     expect(core.exportVariable).toHaveBeenCalledTimes(4);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
+    expect(core.setSecret).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY);
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-1');
     expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-1');
     expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID);
-    expect(core.setSecret).toHaveBeenCalledTimes(0);
+    expect(core.setSecret).toHaveBeenCalledTimes(2);
   });
 
   test('error is caught by core.setFailed and caught', async () => {

From 754678e28f7f8fdc0c4aea384aacc3afe3dca600 Mon Sep 17 00:00:00 2001
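Review bot: In the second hunk, the changed `expect(core.setSecret).toHaveBeenCalledTimes(2)` is the only thing separating this case from the one above it (which expects 3), and nothing in the hunk says what the third call is — presumably the account-id mask that this test disables, though that logic lives outside the hunk. A value-based assertion beside the count, `expect(core.setSecret).not.toHaveBeenCalledWith(FAKE_ACCOUNT_ID);`, would state the intent directly and keep the test meaningful if more values are masked later. The same caveat as the other test hunks applies to the two added `toHaveBeenCalledWith('AWS_…', …)` lines: they match a two-argument call that `@actions/core`'s `setSecret` does not take, so they should assert the credential value alone, e.g. `expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCESS_KEY_ID);`.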
From: Laurence Armstrong
Date: Tue, 28 Jan 2020 11:20:36 +0900
Subject: [PATCH 3/3] Fix typo in comment

---
 index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index e6b2bff86..744f8eacd 100644
--- a/index.js
+++ b/index.js
@@ -54,8 +54,8 @@ async function assumeRole(params) {
 }
 
 function exportCredentials(params){
-  // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets
-  // Setting the credentails as secrets masks them in Github Actions logs
+  // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
+  // Setting the credentials as secrets masks them in Github Actions logs
   const {accessKeyId, secretAccessKey, sessionToken} = params;
 
   // AWS_ACCESS_KEY_ID: