-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathindex.js
119 lines (101 loc) · 3.94 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
'use strict';
const os = require('os');
const path = require('path');
const fsx = require('fs/promises');
const core = require('@actions/core');
const acc = require('@alicloud/credentials');
const CredentialClient = acc.default;
const Config = acc.Config;
const RAMRoleARNCredentialsProvider = acc.RAMRoleARNCredentialsProvider;
const EnvironmentVariableCredentialsProvider = acc.EnvironmentVariableCredentialsProvider;
const ROLE_SESSION_NAME = core.getInput('role-session-name', { required: false });
const roleToAssume = core.getInput('role-to-assume', { required: false });
const oidcProviderArn = core.getInput('oidc-provider-arn');
const roleSessionExpiration = core.getInput('role-session-expiration', { required: false });
const roleChainingInput = core.getInput('role-chaining', { required: false });
const roleChaining = roleChainingInput === 'true';
function setOutput(accessKeyId, accessKeySecret, securityToken) {
core.setSecret(accessKeyId);
core.setSecret(accessKeySecret);
core.setSecret(securityToken);
// use standard environment variables
core.exportVariable('ALIBABA_CLOUD_ACCESS_KEY_ID', accessKeyId);
core.exportVariable('ALIBABA_CLOUD_ACCESS_KEY_SECRET', accessKeySecret);
core.exportVariable('ALIBABA_CLOUD_SECURITY_TOKEN', securityToken);
core.exportVariable('ALICLOUD_ACCESS_KEY', accessKeyId);
core.exportVariable('ALICLOUD_SECRET_KEY', accessKeySecret);
core.exportVariable('ALICLOUD_SECURITY_TOKEN', securityToken);
// keep it for compatibility
core.exportVariable('ALIBABACLOUD_ACCESS_KEY_ID', accessKeyId);
core.exportVariable('ALIBABACLOUD_ACCESS_KEY_SECRET', accessKeySecret);
core.exportVariable('ALIBABACLOUD_SECURITY_TOKEN', securityToken);
}
async function run() {
if (roleChaining) {
if (!roleToAssume) {
throw new Error("'role-to-assume' must be provided if 'role-chaining' is provided");
}
const provider = RAMRoleARNCredentialsProvider.builder()
.withCredentialsProvider(EnvironmentVariableCredentialsProvider.builder().build())
.withRoleArn(roleToAssume)
.withRoleSessionName(ROLE_SESSION_NAME)
.withDurationSeconds(roleSessionExpiration)
.build();
{
const cred = new CredentialClient(null, provider);
const { accessKeyId, accessKeySecret, securityToken } = await cred.getCredential();
setOutput(accessKeyId, accessKeySecret, securityToken);
}
return;
}
if (roleToAssume && oidcProviderArn) {
const audience = core.getInput('audience');
const idToken = await core.getIDToken(audience);
const oidcTokenFilePath = path.join(os.tmpdir(), 'token');
// write into token file
await fsx.writeFile(oidcTokenFilePath, idToken);
const config = new Config({
type: 'oidc_role_arn',
roleArn: roleToAssume,
oidcProviderArn,
oidcTokenFilePath,
roleSessionExpiration,
roleSessionName: ROLE_SESSION_NAME
});
const client = new CredentialClient(config);
const { accessKeyId, accessKeySecret, securityToken } = await client.getCredential();
setOutput(accessKeyId, accessKeySecret, securityToken);
return;
}
const config = new Config({
type: 'ecs_ram_role'
});
const client = new CredentialClient(config);
const { accessKeyId, accessKeySecret, securityToken } = await client.getCredential();
if (roleToAssume) {
const config = new Config({
type: 'ram_role_arn',
accessKeyId,
accessKeySecret,
securityToken,
roleArn: roleToAssume,
roleSessionExpiration,
roleSessionName: ROLE_SESSION_NAME
});
{
const cred = new CredentialClient(config);
const { accessKeyId, accessKeySecret, securityToken } = await cred.getCredential();
setOutput(accessKeyId, accessKeySecret, securityToken);
}
return;
}
setOutput(accessKeyId, accessKeySecret, securityToken);
return;
}
if (require.main === module) {
run().catch((err) => {
console.log(err.stack);
core.setFailed(err.message);
});
}
exports.run = run;