Multiple AWS credentials per workflow #6

Open
j opened this issue Jan 11, 2019 · 8 comments


j commented Jan 11, 2019

How can I specify two different AWS credentials (accounts) for a build? I want to be able to deploy to separate AWS accounts (staging / production).

Member

tj commented Jan 12, 2019

I think you'd have to filter on the branches you want, then create two different deployment actions in order to tweak config.

Author

j commented Jan 12, 2019

Yeah, I was going to go this route. I wasn't sure how multiple workflow files worked. I wish when you filter, you can choose to close the entire workflow execution or just cancel the branch, so I can start with a filter and continue with a branch.

@j j closed this as completed Jan 12, 2019
@j j reopened this Jan 12, 2019
Author

j commented Jan 12, 2019

I'm going through this, and creating a new workflow and using "AWS_ACCESS_KEY_ID" or "AWS_SECRET_ACCESS_KEY" secrets don't let me reset the value. Secrets are persisted for the entire action area... :(

Member

tj commented Jan 12, 2019

ah damn, that's kind of lame, otherwise yeah you could have two concurrent filters for the two branches and do it that way, hmm... haha

Author

j commented Jan 14, 2019

@tj exactly. actions is pretty amazing, they still have a long way to go. Even if I could do "secrets per branch" type of thing, that'd be cool.

I finally got a successful SAM + "staging" branch deploy, so I'm going to test a production one today and hope to knock it out.

My current solution is storing the AWS credentials file as a secret "AWS_CREDENTIALS", running a plain bash action to create a .aws/credentials file within my repository, and setting the SAM to use it.

```hcl
action "create aws credentials" {
  uses = "actions/bin/sh@master"
  needs = "filter staging branch"
  secrets = ["AWS_CREDENTIALS"]
  args = ["rm -rf ${GITHUB_WORKSPACE}/.aws && mkdir ./.aws && echo \"$AWS_CREDENTIALS\" >> ${GITHUB_WORKSPACE}/.aws/credentials"]
}

action "staging sam package" {
  uses = "apex/actions/aws/sam@master"
  needs = "create aws credentials"
  args = "package --profile example-${NODE_ENV} --template-file template.yml --output-template-file template-packaged.yml --s3-bucket example-${NODE_ENV}"
  env = {
    NODE_ENV = "staging"
    AWS_SHARED_CREDENTIALS_FILE = "${GITHUB_WORKSPACE}/.aws/credentials"
  }
}
```

This way worked, just need to copy paste (😭) and change things to production. I was hoping I could create an action and dynamically set the NODE_ENV variable to have it all be non-copy/pasta, but it doesn't save env variables throughout.

@pavan-shipmnts

@j did creating two action workflows work for you?
I'm still confused on how to load a separate AWS profile for prod and staging.

Member

tj commented Aug 3, 2020

@pavan-shipmnts it's been a while now, I forget haha. I think it worked, but I don't use GH Actions since I work solo. There might be a better way to approach environments now that GH Actions is more mature.


gerjunior commented Mar 25, 2021

You can use the AWS CLI to create multiple profiles:

```yaml
- name: Set AWS Credentials
  run: |
    # Base profile: long-lived keys taken from the repository secrets
    aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile firstProfile
    aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile firstProfile
    aws configure set region ${{ secrets.AWS_DEFAULT_REGION }} --profile firstProfile
    # Assume a role with the base profile; accountId, roleName and
    # roleSessionName are shell variables that must be set beforehand
    aws_assume=($(aws sts assume-role \
        --role-arn "arn:aws:iam::${accountId}:role/${roleName}" \
        --role-session-name "${roleSessionName}" \
        --profile firstProfile \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text))
    # Second profile: the temporary credentials returned by assume-role
    aws configure set aws_access_key_id "${aws_assume[0]}" --profile secondProfile
    aws configure set aws_secret_access_key "${aws_assume[1]}" --profile secondProfile
    aws configure set aws_session_token "${aws_assume[2]}" --profile secondProfile
```

You can use the --profile ${name} flag in basically every aws command. After you set those credentials, just pass the flag with the name you want for each command.
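
The profile approach discussed in this thread, as an added example that is not from any commenter or from the project: it writes one shared credentials file with a profile per account, creates it with owner-only permissions, and picks the profile from the git ref, failing when a ref has no mapping. The secret variable names (`STAGING_*`, `PRODUCTION_*`), the `production` branch name and the profile names are assumptions.

```bash
# Added example. Secret names (STAGING_*/PRODUCTION_*) and the branch-to-profile
# mapping are assumptions, not taken from the thread.

# write_profile FILE PROFILE KEY_ID SECRET: append one profile section.
write_profile() {
  if [ -z "$3" ] || [ -z "$4" ]; then
    echo "missing credentials for profile '$2'" >&2
    return 1
  fi
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n\n' \
    "$2" "$3" "$4" >> "$1"
}

# write_credentials_file FILE: recreate FILE with both profiles, owner-only.
write_credentials_file() {
  (
    umask 077                        # new directory 0700, new file 0600
    mkdir -p "$(dirname "$1")" || exit 1
    rm -f "$1"                       # start clean: no stale mode, no duplicate sections
    write_profile "$1" staging "$STAGING_AWS_ACCESS_KEY_ID" \
      "$STAGING_AWS_SECRET_ACCESS_KEY" &&
    write_profile "$1" production "$PRODUCTION_AWS_ACCESS_KEY_ID" \
      "$PRODUCTION_AWS_SECRET_ACCESS_KEY" ||
    { rm -f "$1"; exit 1; }          # never leave a half-written file behind
  )
}

# profile_for_ref REF: map a git ref to a profile name. Unmapped refs fail
# instead of silently falling back to some account.
profile_for_ref() {
  case "$1" in
    refs/heads/staging)    echo staging ;;
    refs/heads/production) echo production ;;
    *) echo "no AWS profile mapped to ref '$1'" >&2; return 1 ;;
  esac
}

# Usage inside one workflow step (RUNNER_TEMP lies outside the checkout):
#   export AWS_SHARED_CREDENTIALS_FILE="$RUNNER_TEMP/aws/credentials"
#   write_credentials_file "$AWS_SHARED_CREDENTIALS_FILE" || exit 1
#   profile=$(profile_for_ref "$GITHUB_REF") || exit 1
#   aws sts get-caller-identity --profile "$profile"
```

Keeping the file under `RUNNER_TEMP` rather than `GITHUB_WORKSPACE` keeps the keys out of the checked-out repository tree.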
