When login with AWS session token, username is redundant, but it is required by action from v1.5 #19

Closed
MartinSolie opened this issue Oct 19, 2020 · 3 comments · Fixed by #21

@MartinSolie

Behaviour

We are generating one-time login AWS tokens in our Actions workflow.

Theoretically, we don't need aws_access_key_id and aws_secret_access_key. We need only aws_session_token to log in to ECR because it has all the information needed for AWS.

In practice:

  • docker/login-action <1.5: it worked fine to run the action without username, just passing registry url and aws_session_token as password
  • docker/login-action >=1.5: the action validates presence of username param, which we don't have.

Steps to reproduce this issue

  1. Generate aws_session_token
  2. Pass it to docker/login-action in password param, set registry param to be ecr url.
  3. Run Action @v1.5.0

Expected behaviour

Docker gets logged into ECR.

Actual behaviour

Error: Input required and not supplied: username

Configuration

# ...
# Previously we've generated AWS_SESSION_TOKEN using 3rd party tool (Okta)

- name: Extract AWS session token by profile name
  id: get_aws_credentials
  run: |
    AWS_SESSION_TOKEN=`python -c 'from boto3 import Session; print(Session().get_credentials().get_frozen_credentials().token)'`
    echo "::add-mask::$AWS_SESSION_TOKEN"
    echo "::set-output name=token::$AWS_SESSION_TOKEN"

- name: Login into ECR
  uses: docker/login-action@v1.5.0
  with:
    registry: ${{ steps.get_ecr_url.outputs.ecr_url }}
    password: ${{ steps.get_aws_credentials.outputs.token }}
# ...

@crazy-max
Member

crazy-max commented Oct 19, 2020

@MartinSolie

> docker/login-action <1.5: it worked fine to run the action without username

Actually, username was already required since 1.4.0 because we're using --password-stdin which requires --username so I don't think it worked for <1.5.

> Theoretically, we don't need aws_access_key_id and aws_secret_access_key. We need only aws_session_token to log in to ECR because it has all the information needed for AWS.

Are you on a self-hosted runner? Because I don't see how python -c 'from boto3 import Session; print(Session().get_credentials().get_frozen_credentials().token)' can return a token. But we could solve this through #20.

Can you give me your entire workflow? Do you have a link to your repo?

@crazy-max
Member

crazy-max commented Oct 20, 2020

@MartinSolie

> Actually, username was already required since 1.4.0 because we're using --password-stdin which requires --username so I don't think it worked for <1.5.

My bad about this one, login against ECR is actually handled through AWS CLI. Will be fixed through #21.

@MartinSolie
Author

Yeah, the Python script just extracts aws_session_token from the previously generated ~/.aws/credentials file.

Thank you a lot for the fast response!)
