New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple profiles #112
Comments
This would be extremely valuable for self-hosted runners where we have a single named user but it doesn't different things in different accounts |
Usecase: data "terraform_remote_state" "env-GLOBAL" { config = { To run the terraform scripts through Github Actions for such a use case, it would be very helpful if aws-actions/configure-aws-credentials provides a way to configure multiple profiles. |
I believe this fits the issue, we have a project with a specific AWS profile name used with serverless (helps developers segregate their AWS credentials across multipleprojects), it would be nice to allow specifying the profile name when storing the Access key and secret access key Currently we resort to the following - name: Add profile credentials to ~/.aws/credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile my-app-name
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile my-app-name |
This could be made more concise: - name: Add profile credentials to ~/.aws/credentials
run: |
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile my-app-name
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile my-app-name For anyone else who comes across this issue and is concerned about printing the secrets to the console. GitHub is redacting the output (source):
Well, here we're doing it kind of intentionally 🤷♂️ |
Extending @dennis-tra answer, you should also add: |
I'm having trouble figuring out exactly how this would work with this action. When people want this action to support multiple profiles, how would you expect it to accomplish that? What is a sample input you could provide? |
@peterwoodworth I think something like this would be ideal and simple:
To be honest, I think overall supporting profile configs would be great. We are currently emulating this with something like:
but this is fairly rudimentary |
I've created a draft of this (not fully integrated) in #557 It creates a If this is an approach you would be happy with, Im happy to finish the code and ready the PR. |
@rafaelfuchs-mb are you asking about my solution or which one? If you are talking about what I linked in #112 (comment), your workflow is not following my example, so it would not work. |
You can ignore my comment... I was looking for a solution for multiple profiles with terraform, but it looks like something else is not working... I was able to get access to multiple profiles using aws cli, so my problem is actually in the terraform side. If that's ok, I can delete my previous comment. |
@peterwoodworth let me know if the approach sounds good, so I can finalize the PR. |
@pecigonzalo thanks for your patience, I'm hopping off for the day but I'll take a look tomorrow |
@peterwoodworth @pecigonzalo any news regarding this issue and/or linked PR? |
I'm also interested in this functionality. We're building an action to synchronize RDS snapshots between multiple accounts, and it needs to access both accounts in the same workflow. |
Im waiting on feedback from Peter |
I created a PR to support this. Not sure or will be approved soon. In the meantime feel free to point to our branch and use it. |
I mean, thanks for also taking a stab at it, glad to so a finalized solution. I would say tho that it's a bit rude to open a new PR @GeertWille given I had an open PR and was proposing a solution, and you even asked a question on my PR on how it works. |
Euh woops, definitely didn't ment to step on toes here. I can close mine again. Just needed a working solution. If your PR works with only adding a config instead of config and credentials I think yours is better. Just didn't wanted to wait on feedback due to lack of activity here and I need to have this working. |
All good @GeertWille, you have a working and final solution so lets go with that. Since no feedback was given, I did not develop further (not the first time I had a PR left hanging after spending a while on it). Ill close mine, reference yours and see if we can get a merge. If I gather correctly, your PR writes the creds to the file even for OIDC, which is not necessary. As you can see in #112 (comment), you just have to configure eg. How I'm currently doing it.
|
Still have an issue in my PR. Since the credentials are always exported it looks like precedence is given to the environment vars instead of the config files. So if you define 2 profiles. The last exported credentials are saved on the environment and used. |
Yeah, I would not export env-vars when using profiles |
this works for me: use aws plugin to login:
setup profile with credentials from plugin - the plugin above automatically set credentials to env.*
|
@woon-werd, not sure if it's the same on |
I'm standing on the shoulders of giants with this, but here is something that I whipped up to meet my use case: https://github.com/marketplace/actions/configure-aws-profile |
ah yes. I hardcoded a few on them on my github actions. these are the useful things exported from the plugin: Just spotted them on the log line whenever the plugin finish its works. |
This solution WORKS. Thanks @mcblair I do still feel this should be part of this repo |
My use case was to create the profile which is being expected with the elastic beanstalk CLI which I'm using to deploy. In the latest v2 version of the plugin, this is ultimately what I got to work:
Thanks to all of the folks that commented above that steered me in this direction. |
Please, someone complete the work for this repo, from user side such API will be very needed and usable for terraform etc.
3 years of discussions and still nothing for seems like basic functionality... |
I need this too. When we deploy to production, we'd like to also configure the staging environment credentials under the "staging" profile, so that our tests can then explicitly use that profile. That way, it becomes easier to not accidentally run tests towards production. |
Amazing stuff @mcblair. Needed to be done. Hopefully, someone can review the good work @GeertWille did #633 |
We have a deployment that sprawls across multiple AWS accounts... it would be nice to be able to merge all of the tasks into a action. |
Really, more than 3 years 🤯 ... maybe @tim-finnigan can help moving this forward? |
Currently, I use a configuration file with
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
- name: Configure AWS Profiles
run: |
mkdir ~/.aws
cp .github/workflows/aws_config/config ~/.aws/config
- run: aws --profile=a sts get-caller-identity
- run: aws --profile=b sts get-caller-identity |
Building on the work of @mcblair, I have published an action that handles all of this very cleanly, it continues to use the official Also documented is the case on how to use with some composite docker steps that you might have later in the chain. Dependabot is enabled so any updates to the official action will be updated here asap. We are already using this internally at my current org to manage multiple AWS Accounts in a single Job, specially important whenever there is coordinated cross-account steps. |
Is it possible to also setup multiple profiles which can be used?
The text was updated successfully, but these errors were encountered: