How AWS credentials work in GitHub Actions with MFA
Not able to create an S3 bucket from Terraform code. I have this code:
```yaml
uses: hashicorp/terraform-github-actions/[email protected]
env:
  TF_ACTION_WORKING_DIR: 'terraform'
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```
It works with my AWS account. But in my organisation we use MFA for accounts. We use a virtual token generator for MFA and have the keys and the ARN.
Need help in generating the token and the role. Is it already in any library in GitHub Actions?
I have this script to create an AWS token and role:
```bash
# start from a clean environment
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

# long-lived IAM user keys
export AWS_ACCESS_KEY_ID=<<YOUR_KEY>>
export AWS_SECRET_ACCESS_KEY=<<YOUR_SECRET>>

# step 1: exchange the user keys plus MFA code for a temporary session
aws sts get-session-token --duration-seconds 36000 \
  --serial-number arn:aws:iam::<<YOUR_IAM_ACCOUNT_NUMBER>>:mfa/<<YOUR_IAM_ACCOUNT>> \
  --token-code <<YOUR_MFA_OTP>> \
  --output json
export AWS_ACCESS_KEY_ID=<<GET_FROM_JSON>>
export AWS_SECRET_ACCESS_KEY=<<GET_FROM_JSON>>
export AWS_SESSION_TOKEN=<<GET_FROM_JSON>>

# step 2: assume the role with the MFA-backed session
aws sts assume-role --role-arn arn:aws:iam::<<YOUR_DEV_ACCOUNT_NUMER>>:role/<<YOUR_ROLE>> \
  --role-session-name <<YOUR_ROLE>> \
  --duration-seconds 3600 \
  --output json
export AWS_ACCESS_KEY_ID=<<GET_FROM_JSON>>
export AWS_SECRET_ACCESS_KEY=<<GET_FROM_JSON>>
export AWS_SESSION_TOKEN=<<GET_FROM_JSON>>
```
I need to do this in GitHub Actions.
We automated the MFA token from the virtual MFA, like below:
```bash
export AWS_SECRET_ACCESS_KEY="${env.AWS_SECRET_ACCESS_KEY}"
MFA="\$(oathtool --base32 --totp ${env.MFA_KEY})"
```
So is there any easy way in GitHub?
Solution 1:[1]
I think you're nearly there; you've already figured out how to use oathtool to do this. You just need to install oathtool in your GitHub Actions workflow and register your MFA key as a secret in your GitHub repository or (if you have the option on your plan) in GitHub organization secrets.
If you're running on an Ubuntu container, installing oathtool is as simple as adding the following step to your workflow job:
```yaml
- name: install oathtool
  run: sudo apt-get install -y oathtool
```
All the things in your post can be done in a GitHub Actions workflow too, albeit as simple shell commands. I'm not aware of any ready-built action that will do all of this for you (but nothing is stopping you from creating one yourself, of course).
A full job might look like this (haven't tested this):
```yaml
jobs:
  aws:
    runs-on: ubuntu-latest
    env:
      AWS_ACCOUNT_NUMBER: 12345678
      AWS_IAM_USER: me@mydomain
      # long-lived IAM user keys, as in the question
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: install oathtool and jq
        run: sudo apt-get install -y oathtool jq
      - name: get time-based one-time password
        # a plain shell variable dies with the step; $GITHUB_ENV carries it to the next one
        run: echo "TOTP=$(oathtool --base32 --totp ${{ secrets.MFA_KEY }})" >> $GITHUB_ENV
      - name: get temporary session token
        # jq turns the STS JSON into KEY=VALUE lines, which $GITHUB_ENV exports to later steps
        run: >-
          aws sts get-session-token
          --duration-seconds 36000
          --serial-number arn:aws:iam::${{ env.AWS_ACCOUNT_NUMBER }}:mfa/${{ env.AWS_IAM_USER }}
          --token-code ${{ env.TOTP }}
          | jq -r '"AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"AWS_SESSION_TOKEN="+.Credentials.SessionToken'
          >> $GITHUB_ENV
      - name: do your AWS thing
        run: aws ec2 describe-instances
```
Solution 2:[2]
I have tested the above script for my use case, where I had to do MFA and then assume the role; for this I had to pass the keys as env variables and then use them in the action. Hope this helps anyone who is looking for this kind of authentication from GitHub Actions.
```yaml
steps:
  # Checkout the repository to the GitHub Actions runner
  - name: Checkout
    uses: actions/checkout@v2
  - name: install oathtool and jq
    # self-hosted runner: sudo reads the runner user's password from a secret
    run: echo "${{ secrets.RUNNER_PASSWORD }}" | sudo -S -k apt-get install -y oathtool jq
  - name: get token
    # the session credentials are appended to $GITHUB_ENV so later steps see them
    run: |
      token=$(oathtool -b --totp "${{ secrets.MFA_KEY }}")
      aws sts get-session-token --duration-seconds 36000 --serial-number ${{ secrets.MFA_ARN }} --token-code $token \
        | jq -r '"AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"AWS_SESSION_TOKEN="+.Credentials.SessionToken' >> $GITHUB_ENV
  - name: Identity Check
    run: aws sts get-caller-identity
  - name: Assume execution role
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
      aws-region: us-east-1
      aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
      aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
      role-duration-seconds: 3000
      role-skip-session-tagging: true
      role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.ROLE_NAME }}"
```
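Added illustration (not code from the question or either answer) of the two pieces both answers chain together: the TOTP that `oathtool --base32 --totp` derives from the virtual-MFA seed, and the mapping of the STS JSON into the `KEY=VALUE` lines appended to `$GITHUB_ENV`, with an expiry check so a stale session fails early instead of in a later step. The STS response is a constructed stand-in; the seed used in `__main__` is the RFC 6238 test seed.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from datetime import datetime
from typing import List, Optional


def totp(base32_secret: str, at: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the same code `oathtool --base32 --totp KEY` prints.
    AWS shows the virtual-MFA seed in base32 at enrolment, so it can be stored as a secret."""
    secret = base32_secret.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sts_to_github_env(sts_json: str, now_epoch: int) -> List[str]:
    """Map `aws sts get-session-token`/`assume-role --output json` to the KEY=VALUE
    lines the workflow appends to $GITHUB_ENV; refuse already-expired credentials."""
    creds = json.loads(sts_json)["Credentials"]
    # the CLI prints Expiration with either '+00:00' or 'Z'; accept both
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires.timestamp() <= now_epoch:
        raise ValueError("STS credentials expired at " + creds["Expiration"])
    return [
        "AWS_ACCESS_KEY_ID=" + creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY=" + creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN=" + creds["SessionToken"],
    ]


# Constructed stand-in for the STS response; the real values are secrets.
SAMPLE_STS_JSON = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY000000",
    "SecretAccessKey": "constructed-secret-access-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2024-05-01T22:00:00+00:00",
}})

if __name__ == "__main__":
    # RFC 6238 test seed at t=59 s gives 287082 (6-digit form of the published vector)
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", at=59))
    for line in sts_to_github_env(SAMPLE_STS_JSON, now_epoch=1714564800):  # 2024-05-01T12:00Z
        print(line)
```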
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Dharman |
| Solution 2 | sabhika |