Merge pull request #237 from babbel/make-aws-credential-input-optional

Make AWS credential inputs optional

.github/workflows/test.yml

@@ -6,6 +6,10 @@ on:
       - main
       - 'releases/*'
 
+env:
+  AWS_ACCESS_KEY_ID: aws-access-key-id
+  AWS_SECRET_ACCESS_KEY: aws-secret-access-key
+
 jobs:
   # unit tests
   units:

CHANGELOG.md

@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.0] - 2022-05-26
+
+### Changed
+- Make inputs for AWS credentials optional, allowing the AWS SDK to find the credentials via its built-in auto-discovery.
+
 ## [1.1.0] - 2021-06-28
 ### Added
 - Ability to provide custom commit sha. Useful when build is based on different commit sha that triggered the build.

README.md

@@ -11,38 +11,52 @@ All `AWS_` secrets should be already set and ready to use.
 ### Standalone project example
 
 ```yaml
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   name_of_the_job:
     #
     # ...
     #
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}      
       #
       # ... build & publish the artifact
       #
       - uses: babbel/publish-build-metadata@v1
         with:
-          access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           meta_table_arn: ${{ secrets.AWS_META_TABLE_ARN }}
 ```
 
 ### Microverse example, all slices at once
 
 ```yaml
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   name_of_the_job:
     #
     # ...
     #
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}      
       #
       # ... build & publish the artifact
       #
       - uses: babbel/publish-build-metadata@v1
         with:
-          access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           meta_table_arn: ${{ secrets.AWS_META_TABLE_ARN }}
           slices: 'api, consumer.kinesis, consumer.firehose'
 ```
@@ -52,19 +66,26 @@ jobs:
 For example in case you have jobs matrix.
 
 ```yaml
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   name_of_the_job:
     #
     # ...
     #
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}      
       #
       # ... build & publish the artifact
       #
       - uses: babbel/publish-build-metadata@v1
         with:
-          access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           meta_table_arn: ${{ secrets.AWS_META_TABLE_ARN }}
           slices: 'api' # or ${{ matrix.function_name }}
 ```
@@ -76,39 +97,53 @@ Sometimes you might trigger an automatic build which fetches a different branch.
 In such case you can override `GITHUB_SHA` by passing extra parameter:
 
 ```yaml
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   name_of_the_job:
     #
     # ...
     #
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}      
       #
       # ... build & publish the artifact
       #
       - uses: babbel/publish-build-metadata@v1
         with:
-          access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           meta_table_arn: ${{ secrets.AWS_META_TABLE_ARN }}
           sha: ${{ env.MY_CUSTOM_COMMIT_SHA }}
 ```
 
 Usually with above it will be handy to be able to specify the branch name as well, so the full example would look like:
 
 ```yaml
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   name_of_the_job:
     #
     # ...
     #
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}      
       #
       # ... build & publish the artifact
       #
       - uses: babbel/publish-build-metadata@v1
         with:
-          access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           meta_table_arn: ${{ secrets.AWS_META_TABLE_ARN }}
           sha: ${{ env.MY_CUSTOM_COMMIT_SHA }}
           branch: ${{ env.MY_CUSTOM_BRANCH }}

action.yml

@@ -4,10 +4,12 @@ description: 'Collects build artifacts metadata and publishes them to DynamoDB'
 inputs:
   access_key_id:
     description: 'AWS_ACCESS_KEY_ID'
-    required: true
+    required: false
+    default: null
   secret_access_key:
     description: 'AWS_SECRET_ACCESS_KEY'
-    required: true
+    required: false
+    default: null
   meta_table_arn:
     description: 'DynamoDB metadata table ARN'
     required: true

index.js

@@ -12,11 +12,16 @@ async function run() {
       core.getInput('branch'),
     );
 
+    const accessKeyId = core.getInput('access_key_id');
+    const secretAccessKey = core.getInput('secret_access_key');
+    const credentials = accessKeyId && secretAccessKey
+      ? { accessKeyId, secretAccessKey }
+      : null;
+
     const result = await publishPayload(
-      core.getInput('access_key_id', { required: true }),
-      core.getInput('secret_access_key', { required: true }),
       core.getInput('meta_table_arn', { required: true }),
       payload,
+      credentials,
     );
 
     if (result['$metadata'].httpStatusCode !== 200) {

publish.js

@@ -1,10 +1,10 @@
 const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
 const { DynamoDBDocumentClient, PutCommand } = require('@aws-sdk/lib-dynamodb');
 
-async function publishPayload(accessKeyId, secretAccessKey, tableArn, payload){
+async function publishPayload(tableArn, payload, credentials = null) {
   const region = tableArn.split(':')[3];
   const table = tableArn.split('/')[1];
-  const client = ddbClient(accessKeyId, secretAccessKey, region);
+  const client = ddbClient(region, credentials);
   const docClient = DynamoDBDocumentClient.from(client);
 
   return docClient.send(new PutCommand({
@@ -13,15 +13,15 @@ async function publishPayload(accessKeyId, secretAccessKey, tableArn, payload){
   }));
 }
 
-function ddbClient(accessKeyId, secretAccessKey, region) {
+function ddbClient(region, credentials = null) {
   let options = {
-    region,
-    credentials: {
-      accessKeyId,
-      secretAccessKey,
-    }
+    region
   };
 
+  if (credentials != null) {
+    options.credentials = credentials;
+  }
+
   const endpoint = process.env.AWS_ENDPOINT_URL;
 
   if (typeof endpoint == 'string' && endpoint !== '') {

publish.test.js

@@ -5,8 +5,6 @@ const { publishPayload, ddbClient } = require('./publish');
 
 const TABLE_NAME = 'metadata';
 const TABLE_ARN = `arn:aws:dynamodb:local:000000000000:table/${TABLE_NAME}`;
-const ACCESS_KEY_ID = 'aws-access-key-id';
-const SECRET_ACCESS_KEY = 'aws-secret-access-key';
 const REGION = 'local';
 const PAYLOAD = {
   commit_branch: 'main',
@@ -33,7 +31,7 @@ afterEach(async () => {
 
 
 test('content should be published', async () => {
-  const publishResult = await publishPayload(ACCESS_KEY_ID, SECRET_ACCESS_KEY, TABLE_ARN, PAYLOAD);
+  const publishResult = await publishPayload(TABLE_ARN, PAYLOAD);
 
   expect(publishResult['$metadata'].httpStatusCode).toEqual(200);
 
@@ -56,7 +54,7 @@ test('content should be published', async () => {
 // Test Helpers
 //
 function client() {
-  return ddbClient(ACCESS_KEY_ID, SECRET_ACCESS_KEY, REGION);
+  return ddbClient(REGION);
 }
 
 async function createDynamoDBTable() {