Skip to content

Commit df7d846

Browse files
allisaurusallisaurus
authored
fix: Mask assume role response in debug output (#102)
1 parent ad85e9c commit df7d846

File tree

3 files changed

+30
-8
lines changed

3 files changed

+30
-8
lines changed

dist/index.js

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

index.js

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -98,19 +98,19 @@ function exportCredentials(params){
9898

9999
// AWS_ACCESS_KEY_ID:
100100
// Specifies an AWS access key associated with an IAM user or role
101-
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
102101
core.setSecret(accessKeyId);
102+
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
103103

104104
// AWS_SECRET_ACCESS_KEY:
105105
// Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
106-
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
107106
core.setSecret(secretAccessKey);
107+
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
108108

109109
// AWS_SESSION_TOKEN:
110110
// Specifies the session token value that is required if you are using temporary security credentials.
111111
if (sessionToken) {
112-
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
113112
core.setSecret(sessionToken);
113+
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
114114
} else if (process.env.AWS_SESSION_TOKEN) {
115115
// clear session token from previous credentials action
116116
core.exportVariable('AWS_SESSION_TOKEN', '');
@@ -129,10 +129,10 @@ async function exportAccountId(maskAccountId, region) {
129129
const sts = getStsClient(region);
130130
const identity = await sts.getCallerIdentity().promise();
131131
const accountId = identity.Account;
132-
core.setOutput('aws-account-id', accountId);
133132
if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
134133
core.setSecret(accountId);
135134
}
135+
core.setOutput('aws-account-id', accountId);
136136
return accountId;
137137
}
138138

index.test.js

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -594,4 +594,26 @@ describe('Configure AWS Credentials', () => {
594594
})
595595
});
596596

597+
test('masks variables before exporting', async () => {
598+
let maskedValues = [];
599+
const publicFields = ['AWS_REGION', 'AWS_DEFAULT_REGION'];
600+
core.setSecret.mockReset();
601+
core.setSecret.mockImplementation((secret) => {
602+
maskedValues.push(secret);
603+
});
604+
605+
core.exportVariable.mockReset();
606+
core.exportVariable.mockImplementation((name, value) => {
607+
if (!maskedValues.includes(value) && !publicFields.includes(name)) {
608+
throw new Error(value + " for variable " + name + " is not masked yet!");
609+
}
610+
});
611+
612+
core.getInput = jest
613+
.fn()
614+
.mockImplementation(mockGetInput(ASSUME_ROLE_INPUTS));
615+
616+
await run();
617+
});
618+
597619
});

0 commit comments

Comments
 (0)