GitHub Action for authenticating to Alibaba Cloud with GitHub Actions OIDC tokens.
## Usage

Export the temporary credentials as environment variables:

```yaml
jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          export-environment-variables: 'true'
      - run: |
          aliyun sts GetCallerIdentity
```

Or expose them as step outputs:

```yaml
jobs:
  job-id:
    # ...
    permissions:
      id-token: write # This is required for requesting the JWT
    steps:
      - name: get credentials
        id: get-credentials
        uses: 'mozillazg/alibabacloud-oidc-auth@v1'
        with:
          role-arn-to-assume: '${{ secrets.ALIBABA_CLOUD_RAM_ROLE_ARN }}'
          oidc-provider-arn: '${{ secrets.ALIBABA_CLOUD_RAM_OIDC_ARN }}'
          set-outputs: 'true'
      - run: |
          ossutil64 --access-key-id ${{ steps.get-credentials.outputs.access-key-id }} \
            --access-key-secret ${{ steps.get-credentials.outputs.access-key-secret }} \
            --sts-token ${{ steps.get-credentials.outputs.security-token }} --mode StsToken \
            --endpoint oss-ap-southeast-1.aliyuncs.com \
            stat oss://test-bucket
```
## Inputs

- `role-arn-to-assume`: (Required) The ARN of the RAM role.
- `oidc-provider-arn`: (Required) The ARN of the OIDC IdP.
- `export-environment-variables`: (Optional) Export common environment variables, including:
  - `ALIBABA_CLOUD_ACCESS_KEY_ID`
  - `ALICLOUD_ACCESS_KEY`
  - `ALIBABACLOUD_ACCESS_KEY_ID`
  - `ALICLOUD_ACCESS_KEY_ID`
  - `ALIBABA_CLOUD_ACCESS_KEY_SECRET`
  - `ALICLOUD_SECRET_KEY`
  - `ALIBABACLOUD_ACCESS_KEY_SECRET`
  - `ALICLOUD_ACCESS_KEY_SECRET`
  - `ALIBABA_CLOUD_SECURITY_TOKEN`
  - `ALICLOUD_ACCESS_KEY_STS_TOKEN`
  - `ALIBABACLOUD_SECURITY_TOKEN`
  - `ALICLOUD_SECURITY_TOKEN`

  The default value is `false`.
- `set-outputs`: (Optional) Set the action outputs. The default value is `false`.
- `audience`: (Optional) The audience (`aud`) parameter in GitHub's generated OIDC token. The default value is `actions.github.com`.
- `role-duration-seconds`: (Optional) The validity period of the STS token. The default value is `3600`.
- `role-session-name`: (Optional) The custom name of the role session. The default value is `github-actions-<orgName>-<repoName>`.
- `region`: (Optional) The region id of the STS endpoint. The default value is `ap-southeast-1`.

## Outputs

Only available when `set-outputs` is `true`.

- `access-key-id`: (Optional) The Alibaba Cloud Access Key ID.
- `access-key-secret`: (Optional) The Alibaba Cloud Access Key Secret.
- `security-token`: (Optional) The Alibaba Cloud STS Token.
## Alibaba Cloud setup

- Configure an OIDC IdP for the auth method:
  - IdP URL: `https://token.actions.githubusercontent.com`
  - Client ID: `actions.github.com`
- Configure a RAM role for the OIDC IdP to assume:
  - `oidc:aud`: `actions.github.com`
  - `oidc:sub`: match on GitHub subject claims.
    - match branch: `repo:<orgName/repoName>:ref:refs/heads/<branchName>`
    - match tag: `repo:<orgName/repoName>:ref:refs/tags/<tagName>`
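The `oidc:aud` and `oidc:sub` conditions are what limit which workflows can assume the role. As an added illustration (not code from this action or its README), the block below evaluates a trust policy in the shape Alibaba Cloud RAM uses for OIDC roles against constructed token claims; the account id, provider name, repository and claim sets are placeholders, and only scalar `StringEquals` values are handled.

```python
"""Evaluate RAM trust-policy StringEquals conditions (oidc:aud, oidc:sub)
against the claims of a GitHub OIDC token.

Constructed example: the policy and the claim sets below are made up;
<accountId> and the provider name are placeholders, not real identifiers."""
import json

# Placeholder policy: the sub condition pins the role to one repo and branch.
TRUST_POLICY = json.loads("""
{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Federated": ["acs:ram::<accountId>:oidc-provider/github-actions"]},
    "Condition": {"StringEquals": {
      "oidc:aud": "actions.github.com",
      "oidc:sub": "repo:example-org/example-repo:ref:refs/heads/main"
    }}
  }],
  "Version": "1"
}
""")


def condition_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow sts:AssumeRole statement has every StringEquals
    condition satisfied. Keys are 'oidc:<claim>'; a missing claim fails.
    Assumption: condition values are single strings, not arrays."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key.split(":", 1)[1]) == value for key, value in equals.items()):
            return True
    return False


# Constructed claim sets: the subset of a GitHub OIDC token the policy checks.
MAIN_BRANCH = {"aud": "actions.github.com",
               "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
FEATURE_BRANCH = dict(MAIN_BRANCH, sub="repo:example-org/example-repo:ref:refs/heads/feature")
FORK = dict(MAIN_BRANCH, sub="repo:someone-else/example-repo:ref:refs/heads/main")
WRONG_AUD = dict(MAIN_BRANCH, aud="some-other-audience")

if __name__ == "__main__":
    for name, claims in [("main", MAIN_BRANCH), ("feature", FEATURE_BRANCH),
                         ("fork", FORK), ("wrong aud", WRONG_AUD)]:
        print(f"{name}: {'allowed' if condition_allows(TRUST_POLICY, claims) else 'denied'}")
```

Only the `main` claim set is allowed; a different branch, a fork with the same repository name, or a token minted for another audience is denied, which is why the `audience` input and the `oidc:aud` condition must agree.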