https://github.com/saml-to/assume-aws-role-action

# saml-to / assume-aws-role-action

Assume AWS IAM Roles using SAML.to in GitHub Actions. Apache-2.0 License. 50 stars, 3 forks, 1 branch, 47 tags, 127 commits. Latest commit: ade50a0 "CI: Prerelease: 1.0.5-1" (Jan 18, 2022).
## README.md

This action enables workflows to obtain AWS Access Credentials for a desired IAM Role using AWS IAM SAML and a GitHub Actions Repository Token.

Benefits:

* No need to copy/paste AWS Access Tokens into GitHub Secrets
* No need to rotate AWS Access Tokens

This action uses SAML.to and an AWS IAM Identity Provider to exchange a GitHub Actions Token for AWS Access Credentials.
This action will set the following environment variables:

* `AWS_ACCESS_KEY_ID`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_SESSION_TOKEN`
* `AWS_DEFAULT_REGION`

## Usage

See action.yml

```yaml
steps:
  - uses: saml-to/assume-aws-role-action@v1
    with:
      role: arn:aws:iam::123456789012:role/admin
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - run: aws sts get-caller-identity
  - run: aws ec2 describe-instances
```

## Examples

See aws-assume-role-action-examples

## Configuration

1. Create a new SAML Identity Provider in AWS IAM
   1. Provider Name: Repository Name (the name of the repository running the action)
   2. Metadata Document: Download metadata from here.
   3. Make note of the Provider ARN in the AWS console
2. Create or update the Trust Relationship on a new or existing IAM Role to contain the following:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": { "Federated": "PROVIDER_ARN" },
         "Action": "sts:AssumeRoleWithSAML",
         "Condition": {
           "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
         }
       }
     ]
   }
   ```

   * Replace `PROVIDER_ARN` with the newly created ARN of the provider, e.g. `arn:aws:iam::123456789012:saml-provider/my-repository`
   * Make note of the Role ARN for this Role
3. Add a new file named `saml-to.yml` to the repository that needs AWS Access Credentials during GitHub Actions:

   `your-repository/saml-to.yml`:

   ```yaml
   ---
   version: "20220101"
   variables:
     awsProviderArn: "PROVIDER_ARN"
     awsRoleArn: "ROLE_ARN"
   providers:
     aws:
       entityId: https://signin.aws.amazon.com/saml
       acsUrl: https://signin.aws.amazon.com/saml
       attributes:
         https://aws.amazon.com/SAML/Attributes/RoleSessionName: "<#= repo.name #>"
         https://aws.amazon.com/SAML/Attributes/SessionDuration: "3600"
         https://aws.amazon.com/SAML/Attributes/Role: "<#= repo.selectedRole #>,<$= awsProviderArn $>"
   permissions:
     aws:
       roles:
         - name: <$= awsRoleArn $>
           self: true
   ```

   * Replace `PROVIDER_ARN` with the ARN of the provider created above (e.g. `arn:aws:iam::123456689012:saml-provider/my-repository`)
   * Replace `ROLE_ARN` with the ARN of the IAM Role modified above (e.g. `arn:aws:iam::123456689012:role/admin`)
4. Modify the GitHub Action Workflow to obtain AWS Access Credentials

   `your-repository/.github/workflows/action-name.yml`:

   ```yaml
   jobs:
     prerelease:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@v2
         ...
         - uses: saml-to/assume-aws-role-action@v1
           env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           with:
             role: "ROLE_ARN"
         ...
   ```

   * Replace `ROLE_ARN` with the ARN of the IAM Role modified above (e.g. `arn:aws:iam::123456689012:role/admin`)

## Inputs

### role (Required)

The ARN of the role to assume. This Role ARN must also be defined in the `saml-to.yml` configuration file under `permissions`.

### region (Optional)

The AWS Region to use. This will also be set as the `AWS_DEFAULT_REGION` environment variable and the `region` output.

Default: `us-east-1`

### provider (Optional)

If there are multiple `provider` entries in the `saml-to.yml` configuration file, set a specific provider.

Note: If multiple providers are configured and this is absent, the Action will fail.

Default: `""` (empty string)

## Outputs

### region

The AWS Region authenticated with (default: `us-east-1`). Can be modified with the `region` input. This will also be set in the `AWS_DEFAULT_REGION` environment variable.

### accountId

The AWS Account ID authenticated with (e.g. `123456789012`)

### userId

The ephemeral user ID (e.g. `AROAYOAAAAAAAAAAAAAAA:my-repository`)

### roleArn

The ARN of the Role. It will be identical to the `role` input.

### assumedRoleArn

The effective ARN of the Assumed Role (e.g. `arn:aws:sts::123456789012:assumed-role/admin/my-repository`)

### accessKeyId

The generated AWS Access Key ID. This is also set in the `AWS_ACCESS_KEY_ID` environment variable.

### secretAccessKey

The generated AWS Secret Access Key. This is also set in the `AWS_SECRET_ACCESS_KEY` environment variable.

### sessionToken

The generated AWS Session Token. This is also set in the `AWS_SESSION_TOKEN` environment variable.
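As an added check, not part of the saml-to project: a small Python audit of the IAM trust relationship from step 2 of the Configuration section above. It verifies that only the expected SAML provider is trusted, only via `sts:AssumeRoleWithSAML`, and only with the `SAML:aud` condition pinned to the AWS sign-in endpoint; the sample policies, the provider ARN and the function names are constructed for this example.

```python
# Added example (not saml-to's code): audit the step-2 trust relationship so that only the
# expected SAML provider can assume the role, only via AssumeRoleWithSAML, with SAML:aud pinned.
import json
import re
from typing import List

AWS_SAML_AUD = "https://signin.aws.amazon.com/saml"
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w+=,.@-]+$")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Principal values."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json: str, expected_provider_arn: str) -> List[str]:
    """Return findings for a role trust policy; an empty list means it matches the expected shape."""
    findings = []
    if not PROVIDER_ARN_RE.match(expected_provider_arn):
        findings.append(f"malformed provider ARN: {expected_provider_arn}")
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they cannot widen trust
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"statement {i}: allows {actions}, expected only sts:AssumeRoleWithSAML")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append(f"statement {i}: trusts a non-federated principal: {principal}")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if federated != [expected_provider_arn]:
            findings.append(f"statement {i}: Federated principal {federated} is not {expected_provider_arn}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUD:
            findings.append(f"statement {i}: SAML:aud condition missing or wrong: {aud!r}")
    return findings

# Constructed samples: the README's trust policy with PROVIDER_ARN filled in, and a weakened
# variant (no SAML:aud condition plus an extra statement trusting any AWS principal).
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/my-repository"
SAML_STMT = {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN}, "Action": "sts:AssumeRoleWithSAML"}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(SAML_STMT, Condition={"StringEquals": {"SAML:aud": AWS_SAML_AUD}})]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    SAML_STMT, {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(policy, PROVIDER_ARN) or "OK")
```

Run it against the trust policy exported from the console (`aws iam get-role` returns it under `AssumeRolePolicyDocument`) to confirm the role cannot be assumed by anything other than the repository's provider.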
## FAQs

See FAQs

## Maintainers

* Scaffoldly
* cnuss

## Help & Support

* Message us on Gitter
* Support via Twitter
* Discussions

## License

Apache-2.0 License

## About

Assume AWS IAM Roles using SAML.to in GitHub Actions

Topics: aws, saml, aws-iam, assume-role, assume, github-actions, scaffoldly, saml-to

Releases: 5 (latest 1.0.4, Jan 18, 2022)

Contributors: cnuss (Christian Nuss), simonw (Simon Willison)

Languages: TypeScript 90.4%, JavaScript 9.6%