feat: output ARN of authenticated prinicpal

kellertk · kellertk · commit f29e0d507d8a · 2025-08-02T19:48:54.000-07:00
Closes #1062 Closes #1191
diff --git a/src/helpers.ts b/src/helpers.ts
@@ -113,13 +113,16 @@ export async function exportAccountId(credentialsClient: CredentialsClient, mask
   const client = credentialsClient.stsClient;
   const identity = await client.send(new GetCallerIdentityCommand({}));
   const accountId = identity.Account;
-  if (!accountId) {
-    throw new Error('Could not get Account ID from STS. Did you set credentials?');
+  const arn = identity.Arn;
+  if (!accountId || !arn) {
+    throw new Error('Could not get Account ID or ARN from STS. Did you set credentials?');
   }
   if (maskAccountId) {
     core.setSecret(accountId);
+    core.setSecret(arn);
   }
   core.setOutput('aws-account-id', accountId);
+  core.setOutput('authenticated-arn', arn);
   return accountId;
 }
 
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -47,7 +47,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.info).toHaveBeenCalledWith('Authenticated as assumedRoleId AROAFAKEASSUMEDROLEID');
       expect(core.info).toHaveBeenCalledTimes(2);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledOnce();
+      expect(core.setOutput).toHaveBeenCalledTimes(2);
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSACCESSKEYID');
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSECRETACCESSKEY');
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSESSIONTOKEN');
@@ -71,7 +71,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.info).toHaveBeenCalledWith('Authenticated as assumedRoleId AROAFAKEASSUMEDROLEID');
       expect(core.info).toHaveBeenCalledTimes(3);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledOnce();
+      expect(core.setOutput).toHaveBeenCalledTimes(2);
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSACCESSKEYID');
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSECRETACCESSKEY');
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSESSIONTOKEN');
@@ -106,7 +106,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.setSecret).toHaveBeenCalledWith('MYAWSSECRETACCESSKEY');
       expect(core.setSecret).toHaveBeenCalledTimes(2);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledOnce();
+      expect(core.setOutput).toHaveBeenCalledTimes(2);
       expect(core.info).toHaveBeenCalledWith('Proceeding with IAM user credentials');
       expect(core.info).toHaveBeenCalledOnce();
       expect(core.setFailed).not.toHaveBeenCalled();
@@ -140,7 +140,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.setSecret).toHaveBeenCalledWith('MYAWSSECRETACCESSKEY');
       expect(core.setSecret).toHaveBeenCalledTimes(5);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledTimes(2);
+      expect(core.setOutput).toHaveBeenCalledTimes(4);
       expect(core.info).toHaveBeenCalledWith('Assuming role with user credentials');
       expect(core.info).toHaveBeenCalledWith('Authenticated as assumedRoleId AROAFAKEASSUMEDROLEID');
       expect(core.info).toHaveBeenCalledTimes(2);
@@ -173,7 +173,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSESSIONTOKEN');
       expect(core.setSecret).toHaveBeenCalledTimes(3);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledTimes(1);
+      expect(core.setOutput).toHaveBeenCalledTimes(2);
       expect(core.setFailed).not.toHaveBeenCalled();
     });
   });
@@ -204,7 +204,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSESSIONTOKEN');
       expect(core.setSecret).toHaveBeenCalledTimes(3);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledTimes(2);
+      expect(core.setOutput).toHaveBeenCalledTimes(4);
       expect(core.setFailed).not.toHaveBeenCalled();
     });
     it('exports environment variables from inputs', {}, async () => {
@@ -237,7 +237,7 @@ describe('Configure AWS Credentials', {}, () => {
       expect(core.setSecret).toHaveBeenCalledWith('STSAWSSESSIONTOKEN');
       expect(core.setSecret).toHaveBeenCalledTimes(6);
       expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', '111111111111');
-      expect(core.setOutput).toHaveBeenCalledTimes(2);
+      expect(core.setOutput).toHaveBeenCalledTimes(4);
       expect(core.setFailed).not.toHaveBeenCalled();
     });
   });

Original file line number	Diff line number	Diff line change
`@@ -113,13 +113,16 @@ export async function exportAccountId(credentialsClient: CredentialsClient, mask`
`113`	`113`	`const client = credentialsClient.stsClient;`
`114`	`114`	`const identity = await client.send(new GetCallerIdentityCommand({}));`
`115`	`115`	`const accountId = identity.Account;`
`116`		`- if (!accountId) {`
`117`		`- throw new Error('Could not get Account ID from STS. Did you set credentials?');`
	`116`	`+ const arn = identity.Arn;`
	`117`	`+ if (!accountId \|\| !arn) {`
	`118`	`+ throw new Error('Could not get Account ID or ARN from STS. Did you set credentials?');`
`118`	`119`	`}`
`119`	`120`	`if (maskAccountId) {`
`120`	`121`	`core.setSecret(accountId);`
	`122`	`+ core.setSecret(arn);`
`121`	`123`	`}`
`122`	`124`	`core.setOutput('aws-account-id', accountId);`
	`125`	`+ core.setOutput('authenticated-arn', arn);`
`123`	`126`	`return accountId;`
`124`	`127`	`}`
`125`	`128`