Authenticate to Alibaba Cloud

Authenticate to Alibaba Cloud with GitHub Actions OIDC tokens
v1.3.0
Latest

alibabacloud-oidc-auth

GitHub Action for authenticating to Alibaba Cloud with GitHub Actions OIDC tokens.

jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          export-environment-variables: 'true'
      - run: |
          aliyun sts GetCallerIdentity

Or, to pass the credentials to later steps as action outputs:

jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          set-outputs: 'true'
      - run: |
          ossutil64 --access-key-id ${{ steps.get-credentials.outputs.access-key-id }} \
            --access-key-secret ${{ steps.get-credentials.outputs.access-key-secret }} \
            --sts-token ${{ steps.get-credentials.outputs.security-token }} --mode StsToken \
            --endpoint oss-ap-southeast-1.aliyuncs.com \
            stat oss://test-bucket

Inputs:

  • role-arn-to-assume: (Required) The ARN of the RAM role.

  • oidc-provider-arn: (Required) The ARN of the OIDC IdP.

  • export-environment-variables: (Optional) Export common environment variables, including:

    • ALIBABA_CLOUD_ACCESS_KEY_ID
    • ALICLOUD_ACCESS_KEY
    • ALIBABACLOUD_ACCESS_KEY_ID
    • ALICLOUD_ACCESS_KEY_ID
    • ALIBABA_CLOUD_ACCESS_KEY_SECRET
    • ALICLOUD_SECRET_KEY
    • ALIBABACLOUD_ACCESS_KEY_SECRET
    • ALICLOUD_ACCESS_KEY_SECRET
    • ALIBABA_CLOUD_SECURITY_TOKEN
    • ALICLOUD_ACCESS_KEY_STS_TOKEN
    • ALIBABACLOUD_SECURITY_TOKEN
    • ALICLOUD_SECURITY_TOKEN

    The default value is: false

  • set-outputs: (Optional) Set action outputs. The default value is: false

  • audience: (Optional) The audience (aud) parameter in GitHub's generated OIDC token. The default value is: actions.github.com

  • role-duration-seconds: (Optional) The validity period of the STS token. The default value is: 3600

  • role-session-name: (Optional) The custom name of the role session. The default value is: github-actions-<orgName>-<repoName>

  • region: (Optional) The region ID of the STS endpoint. The default value is: ap-southeast-1

Outputs (only available when set-outputs is true):

  • access-key-id: (Optional) The Alibaba Cloud Access Key ID.
  • access-key-secret: (Optional) The Alibaba Cloud Access Key Secret.
  • security-token: (Optional) The Alibaba Cloud STS Token.

  1. Configure an OIDC IdP for the auth method:
    • IdP URL: https://token.actions.githubusercontent.com
    • Client ID: actions.github.com
  2. Configure a RAM role for an OIDC IdP to assume:
    • oidc:aud: actions.github.com
    • oidc:sub: match on GitHub subject claims.
      • match branch: repo:<orgName/repoName>:ref:refs/heads/<branchName>
      • match tag: repo:<orgName/repoName>:ref:refs/tags/<tagName>
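
An added example (not part of the action or its documentation): a Python check that audits a RAM role trust policy for the step 2 conditions. GitHub's issuer is shared by every repository, so oidc:sub is the only condition that limits which repository and ref can assume the role. It assumes the RAM trust-policy JSON layout with oidc:aud and oidc:sub condition keys; the sample policy, the example-org/app repository and the function names are constructed for illustration.

```python
import json

# Constructed trust policy: account ID, provider name and repository are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"Federated": ["acs:ram::<accountId>:oidc-provider/<providerName>"]},
  "Condition": {
    "StringEquals": {"oidc:aud": ["actions.github.com"]},
    "StringLike": {"oidc:sub": ["repo:example-org/*:ref:refs/heads/main",
                                "repo:example-org/app:*"]}}}]}
""")


def _values(condition, key):
    """Collect every value set for a condition key, whatever the operator."""
    found = []
    for operands in condition.values():
        value = operands.get(key, [])
        found += [value] if isinstance(value, str) else list(value)
    return found


def audit_trust_policy(policy, repo, audience="actions.github.com"):
    """Return findings for statements that trust a federated (OIDC) principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue
        cond = stmt.get("Condition", {})
        if _values(cond, "oidc:aud") != [audience]:
            findings.append(f"oidc:aud is not pinned to {audience}")
        subs = _values(cond, "oidc:sub")
        if not subs:
            findings.append("no oidc:sub condition: tokens from any repository are accepted")
        for sub in subs:
            prefix = f"repo:{repo}:"
            tail = sub[len(prefix):]
            if not sub.startswith(prefix):
                findings.append(f"oidc:sub {sub!r} is not scoped to {repo}")
            elif not tail.startswith(("ref:refs/heads/", "ref:refs/tags/")) or set("*?") & set(tail):
                findings.append(f"oidc:sub {sub!r} is not pinned to a single branch or tag")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_POLICY, "example-org/app"):
        print("FINDING:", finding)
```
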

Authenticate to Alibaba Cloud is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
