feat: Allow audience to be explicitly specified

alblue · alblue · commit a86f57e83880 · 2022-01-17T15:14:14.000Z
The default audience for the GitHub OIDC uses sts.amazonaws.com, but there are
situations when it would be desirable to allow different audience names to be
used instead. Allow this to be specified as an argument to the action.
diff --git a/README.md b/README.md
@@ -101,6 +101,7 @@ The following table describes which identity is used based on which values are s
         aws-region: us-east-2
         role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
         role-session-name: MySessionName
+        audience: sts.amazonaws.com
 ```
 In this example, the Action will load the OIDC token from the GitHub-provided environment variable and use it to assume the role `arn:aws:iam::123456789100:role/my-github-actions-role` with the session name `MySessionName`.
 
diff --git a/action.yml b/action.yml
@@ -22,6 +22,9 @@ inputs:
   aws-region:
     description: 'AWS Region, e.g. us-east-2'
     required: true
+  audience:
+    description: 'The audience to use for the OIDC provider'
+    required: false
   mask-aws-account-id:
     description: >-
       Whether to set the AWS account ID for these credentials as a secret value,
diff --git a/index.js b/index.js
@@ -13,12 +13,14 @@ const MAX_TAG_VALUE_LENGTH = 256;
 const SANITIZATION_CHARACTER = '_';
 const ROLE_SESSION_NAME = 'GitHubActions';
 const REGION_REGEX = /^[a-z0-9-]+$/g;
+const DEFAULT_AUDIENCE = 'sts.amazonaws.com';
 
 async function assumeRole(params) {
   // Assume a role to get short-lived credentials using longer-lived credentials.
   const isDefined = i => !!i;
 
   const {
+    audience,
     sourceAccountId,
     roleToAssume,
     roleExternalId,
@@ -240,6 +242,7 @@ async function run() {
   try {
     // Get inputs
     const accessKeyId = core.getInput('aws-access-key-id', { required: false });
+    const audience = core.getInput('audience', { required: false }) || DEFAULT_AUDIENCE;
     const secretAccessKey = core.getInput('aws-secret-access-key', { required: false });
     const region = core.getInput('aws-region', { required: true });
     const sessionToken = core.getInput('aws-session-token', { required: false });
@@ -287,7 +290,7 @@ async function run() {
     let sourceAccountId;
     let webIdentityToken;
     if(useGitHubOIDCProvider()) {
-      webIdentityToken = await core.getIDToken('sts.amazonaws.com');
+      webIdentityToken = await core.getIDToken(audience);
       roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
       // We don't validate the credentials here because we don't have them yet when using OIDC.
     } else {
