Add optional authorization token expiration input #656

Open
jvitammela opened this issue Jul 23, 2024 · 0 comments
Labels
feature-request A feature should be added or improved.

Comments


jvitammela commented Jul 23, 2024

Is your feature request related to a problem? Please describe.

I'm trying to launch a container in GitHub Actions and the image I want to use is in ECR. I find the default 12 hour authorization token expiration time of aws ecr get-login-password to be quite long for our use cases and checking the base64 encoded output of an aws-actions/amazon-ecr-login docker_password output would indicate that this action has the same 12 hour expiration. Considering that actions might be run multiple times per day and seemingly a new password is generated each time, this seems like we're generating a lot of overlapping tokens, which as far as I'm aware can't be manually (or automatically) revoked.


Describe the solution you'd like

I would like an input argument, something like auth-token-duration-minutes, where I can define in minutes how long the authorization token will be active. Eg:

```yaml
- name: Login to Amazon ECR
  uses: aws-actions/amazon-ecr-login@v2
  with:
    auth-token-duration-minutes: '60'
```

Doesn't matter if it's seconds or minutes, whichever would be fine.


Describe alternatives you've considered

There are some alternative solutions, e.g. https://dev.to/phouchens/github-actions-using-a-aws-ecr-image-as-a-container-38g, where a secondary job is used to update a repository/org secret in GitHub, which is run on a cron schedule. While this seems like a decent alternative, this requires you to use a separate GitHub PAT token (since GITHUB_TOKEN doesn't have access to secrets https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) and I don't think the current access control in GitHub PAT tokens is that great; most of the scopes seem fairly wide to me and you don't seem to be able to target them to specific repositories or specific secrets etc. Additionally I don't feel too comfortable that an action has the ability to manage secrets in the repo or the org; it seems to me that it allows anyone with write access to the repo the ability to change those secrets at will, which naturally doesn't seem great.


Additional context

#455 seems sort of related, but I think the logout helps in a single job scope, and not in cases where you might need to reuse the login token, best example being the previously described container job which uses ECR images.

Something similar is already present in the credentials configuration job (https://github.com/aws-actions/configure-aws-credentials), where one can set role-duration-seconds. This is great, but as far as I can tell the ECR password can be used independently of roles, so the permission cannot be revoked via role access expiration.

Here is a stripped down and masked version of what I'm using:

```yaml
jobs:
  fetch-ecr-credentials:
    runs-on: ubuntu-22.04

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.IAMROLE }}
          aws-region: ${{ env.REGION }}
          mask-aws-account-id: 'false'

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'

    outputs:
      docker_username: ${{ steps.login-ecr.outputs.docker_username_000000000000_region_redacted }}
      docker_password: ${{ steps.login-ecr.outputs.docker_password_000000000000_region_redacted }}
  test-previous-task:
    needs:
      - fetch-ecr-credentials
    runs-on: ubuntu-22.04
    container:
      image: ${{ env.ECR_IMAGE_URL }}
      credentials:
        username: "${{ needs.fetch-ecr-credentials.outputs.docker_username }}"
        password: "${{ needs.fetch-ecr-credentials.outputs.docker_password }}"
    steps:
      - name: test
        run: |
          date
          whoami
```

While passing these secrets as outputs is far from fantastic, I like the ability to perform temporary authentications for each run rather than updating tokens via cron schedules every n hours. The problem is when I might be running this task a few times an hour, which means I'm generating tons of authorization tokens quite needlessly. I took a visual look at the generated password with this task in a private repository (the output is in plain text, so of course this should not be done in a public repo):

```yaml
  test-previous-task-shell:
    needs:
      - fetch-ecr-credentials
    runs-on: ubuntu-22.04
    steps:
      - name: test value
        run: |
          echo "${{ needs.fetch-ecr-credentials.outputs.docker_username }}"
          echo "${{ needs.fetch-ecr-credentials.outputs.docker_password }}"
```

The returned format of docker_password seems to be the exact same as with aws ecr get-login-password with the same 12h expiration.

Please let me know if I'm wrong with some of my points or if this is a duplicate.

EDIT: added some extra formatting, sorry for the wall of text
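The check the issue describes (decoding the base64 `docker_password` output to confirm its 12-hour lifetime) as an added example; this is not code from the issue or from the amazon-ecr-login action. It assumes, as the issue's own inspection suggests but does not spell out, that the decoded token is JSON carrying an `expiration` field in Unix epoch seconds; the sample token is constructed here and is not a real credential.

```python
import base64
import json

# Constructed sample only: builds a token with the same outer shape this example
# assumes for the real `aws ecr get-login-password` output (base64 over JSON with
# an `expiration` epoch field). The inner fields are placeholders, not real material.
def make_sample_token(expiration_epoch: int) -> str:
    body = {
        "payload": "PLACEHOLDER",
        "datakey": "PLACEHOLDER",
        "version": "2",
        "type": "DATA_KEY",
        "expiration": expiration_epoch,
    }
    return base64.b64encode(json.dumps(body).encode()).decode()


def token_expiration(token: str) -> int:
    """Return the `expiration` epoch embedded in a base64-encoded ECR token.

    Raises ValueError for anything that is not base64-wrapped JSON with that field,
    so a workflow step can fail closed instead of treating garbage as a credential.
    """
    try:
        decoded = json.loads(base64.b64decode(token, validate=True))
        return int(decoded["expiration"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a decodable ECR authorization token") from exc


def seconds_remaining(token: str, now: int) -> int:
    """Lifetime left on the token relative to `now` (negative once expired)."""
    return token_expiration(token) - now


def exceeds_policy(token: str, now: int, max_minutes: int) -> bool:
    """True if the token outlives the lifetime a team is willing to accept.

    Useful as an audit gate: the issue notes ECR tokens cannot be revoked early,
    so the only control is knowing how long each one stays valid.
    """
    return seconds_remaining(token, now) > max_minutes * 60


if __name__ == "__main__":
    now = 1_700_000_000  # constructed reference time
    tok = make_sample_token(now + 12 * 3600)  # the 12h default the issue observed
    print("seconds remaining:", seconds_remaining(tok, now))
    print("exceeds 60-minute policy:", exceeds_policy(tok, now, 60))
```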

@jvitammela jvitammela added the feature-request A feature should be added or improved. label Jul 23, 2024