fix: reverting update to use new API

README.md

@@ -152,7 +152,7 @@ Resources:
     Condition: CreateOIDCProvider
     Properties:
       Url: https://vstoken.actions.githubusercontent.com
-      ClientIdList: ['sts.amazonaws.com']
+      ClientIdList: [sigstore]
       ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
 
 Outputs:

index.js

@@ -3,6 +3,7 @@ const aws = require('aws-sdk');
 const assert = require('assert');
 const fs = require('fs');
 const path = require('path');
+const axios = require('axios');
 
 // The max time that a GitHub action is allowed to run is 6 hours.
 // That seems like a reasonable default to use if no role duration is defined.
@@ -184,6 +185,21 @@ async function exportAccountId(maskAccountId, region) {
   return accountId;
 }
 
+async function getWebIdentityToken() {
+  const isDefined = i => !!i;
+  const {ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN} = process.env;
+
+  assert(
+      [ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN].every(isDefined),
+      'Missing required environment value. Are you running in GitHub Actions?'
+  );
+  const { data } = await axios.get(`${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore`, {
+    headers: {"Authorization": `bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}`}
+    }
+  );
+  return data.value;
+}
+
 function loadCredentials() {
   // Force the SDK to re-resolve credentials with the default provider chain.
   //
@@ -287,7 +303,7 @@ async function run() {
     let sourceAccountId;
     let webIdentityToken;
     if(useGitHubOIDCProvider()) {
-      webIdentityToken = await core.getIDToken('sts.amazonaws.com');
+      webIdentityToken = await getWebIdentityToken();
       roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
       // We don't validate the credentials here because we don't have them yet when using OIDC.
     } else {

index.test.js

@@ -2,8 +2,10 @@ const core = require('@actions/core');
 const assert = require('assert');
 const aws = require('aws-sdk');
 const run = require('./index.js');
+const axios = require('axios');
 
 jest.mock('@actions/core');
+jest.mock("axios");
 
 const FAKE_ACCESS_KEY_ID = 'MY-AWS-ACCESS-KEY-ID';
 const FAKE_SECRET_ACCESS_KEY = 'MY-AWS-SECRET-ACCESS-KEY';
@@ -89,12 +91,6 @@ describe('Configure AWS Credentials', () => {
             .fn()
             .mockImplementation(mockGetInput(DEFAULT_INPUTS));
 
-        core.getIDToken = jest
-            .fn()
-            .mockImplementation(() => {
-                return "testtoken"
-            });
-
         mockStsCallerIdentity.mockReset();
         mockStsCallerIdentity
             .mockReturnValueOnce({
@@ -575,6 +571,7 @@ describe('Configure AWS Credentials', () => {
     test('only role arn and region provided to use GH OIDC Token', async () => {
         process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
         process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
+        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
         core.getInput = jest
             .fn()
             .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION}));
@@ -595,6 +592,7 @@ describe('Configure AWS Credentials', () => {
         const CUSTOM_ROLE_DURATION = 1234;
         process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
         process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
+        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
         core.getInput = jest
             .fn()
             .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'role-duration-seconds': CUSTOM_ROLE_DURATION}));