Merge pull request #2 from Cervest/configure-aws-profile

add optional param for aws iam role name to allow assuming roles for cross-account access to k8s clusters
Cervest · May 12, 2021 · 18c9ad7 · 18c9ad7
2 parents 2f97fc8 + e3f3fe3
commit 18c9ad7
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 3 deletions.
diff --git a/action.yml b/action.yml
@@ -12,6 +12,8 @@ inputs:
   cluster:
     description: "Which cluster to configure the config."
     required: true
+  aws_iam_role_name:
+    description: "Used to set up another local AWS profile for assuming another IAM role; required for cross-account k8s auth."
 runs:
   using: "node12"
   main: "build/index.js"
diff --git a/build/index.js b/build/index.js
diff --git a/build/index.js.map b/build/index.js.map
diff --git a/src/index.ts b/src/index.ts
@@ -38,6 +38,26 @@ const setAWSCredentials = (
   console.log("AWS credentials written to ~/.aws/credentials")
 }
 
+const setAWSAssumeRoleProfile = (
+  awsIamRoleName: string,
+  awsAccountId: string
+) => {
+  const profile = `
+
+  [profile ${awsIamRoleName}]
+  region=eu-west-1
+  source_profile=default
+  role_arn=arn:aws:iam::${awsAccountId}:role/${awsIamRoleName}
+  `
+
+  const homeDir = os.homedir()
+  const awsPath = path.join(homeDir, ".aws")
+  const confPath = path.join(awsPath, "config")
+
+  fs.appendFileSync(confPath, profile)
+  console.log("AWS assume role profile added to ~/.aws/config")
+}
+
 const dockerECRLogin = (awsAccountId: string) => {
   const loginPassword = shell("aws ecr get-login-password").trim()
   const loginResult = shell(
@@ -46,7 +66,11 @@ const dockerECRLogin = (awsAccountId: string) => {
   console.log(loginResult)
 }
 
-const setKubernetesConfig = (awsAccountId: string, encodedKubeConfig: string, cluster: string) => {
+const setKubernetesConfig = (
+  awsAccountId: string,
+  encodedKubeConfig: string,
+  cluster: string
+) => {
   const kubeConfig = Buffer.from(encodedKubeConfig, "base64").toString()
   const homeDir = os.homedir()
   const kubePath = path.join(homeDir, ".kube")
@@ -67,6 +91,7 @@ const main = () => {
     INPUT_AWS_SECRET_ACCESS_KEY: awsSecretAccessKey,
     INPUT_CLUSTER: cluster,
     INPUT_KUBE_CONFIG: encodedKubeConfig,
+    INPUT_AWS_IAM_ROLE_NAME: awsIamRoleName,
   } = process.env
 
   if (!awsAccountId) {
@@ -86,6 +111,9 @@ const main = () => {
   }
 
   setAWSCredentials(awsAccessKeyId, awsSecretAccessKey)
+  if (awsIamRoleName) {
+    setAWSAssumeRoleProfile(awsIamRoleName, awsAccountId)
+  }
   dockerECRLogin(awsAccountId)
   setKubernetesConfig(awsAccountId, encodedKubeConfig, cluster)
 }