fix: Updated token retrieval to use new API (#270)

* feat: OIDC provider (with PR comments)

* feat: OIDC provider (with PR comments)

* updated OIDC based on new GH API

Author: Richard H Boyd

README.md

@@ -152,7 +152,7 @@ Resources:
     Condition: CreateOIDCProvider
     Properties:
       Url: https://vstoken.actions.githubusercontent.com
-      ClientIdList: [sigstore]
+      ClientIdList: ['sts.amazonaws.com']
       ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
 
 Outputs:

dist/index.js

@@ -3,7 +3,6 @@ const aws = require('aws-sdk');
 const assert = require('assert');
 const fs = require('fs');
 const path = require('path');
-const axios = require('axios');
 
 // The max time that a GitHub action is allowed to run is 6 hours.
 // That seems like a reasonable default to use if no role duration is defined.
@@ -185,21 +184,6 @@ async function exportAccountId(maskAccountId, region) {
   return accountId;
 }
 
-async function getWebIdentityToken() {
-  const isDefined = i => !!i;
-  const {ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN} = process.env;
-
-  assert(
-      [ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN].every(isDefined),
-      'Missing required environment value. Are you running in GitHub Actions?'
-  );
-  const { data } = await axios.get(`${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore`, {
-    headers: {"Authorization": `bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}`}
-    }
-  );
-  return data.value;
-}
-
 function loadCredentials() {
   // Force the SDK to re-resolve credentials with the default provider chain.
   //
@@ -303,7 +287,7 @@ async function run() {
     let sourceAccountId;
     let webIdentityToken;
     if(useGitHubOIDCProvider()) {
-      webIdentityToken = await getWebIdentityToken();
+      webIdentityToken = await core.getIDToken('sts.amazonaws.com');
       roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
       // We don't validate the credentials here because we don't have them yet when using OIDC.
     } else {

index.js

@@ -2,10 +2,8 @@ const core = require('@actions/core');
 const assert = require('assert');
 const aws = require('aws-sdk');
 const run = require('./index.js');
-const axios = require('axios');
 
 jest.mock('@actions/core');
-jest.mock("axios");
 
 const FAKE_ACCESS_KEY_ID = 'MY-AWS-ACCESS-KEY-ID';
 const FAKE_SECRET_ACCESS_KEY = 'MY-AWS-SECRET-ACCESS-KEY';
@@ -91,6 +89,12 @@ describe('Configure AWS Credentials', () => {
             .fn()
             .mockImplementation(mockGetInput(DEFAULT_INPUTS));
 
+        core.getIDToken = jest
+            .fn()
+            .mockImplementation(() => {
+                return "testtoken"
+            });
+
         mockStsCallerIdentity.mockReset();
         mockStsCallerIdentity
             .mockReturnValueOnce({
@@ -571,7 +575,6 @@ describe('Configure AWS Credentials', () => {
     test('only role arn and region provided to use GH OIDC Token', async () => {
         process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
         process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
-        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
         core.getInput = jest
             .fn()
             .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION}));
@@ -592,7 +595,6 @@ describe('Configure AWS Credentials', () => {
         const CUSTOM_ROLE_DURATION = 1234;
         process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token';
         process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://www.example.com/token/endpoint';
-        axios.get.mockImplementation(() => Promise.resolve({ data: {value: "testtoken"} }));
         core.getInput = jest
             .fn()
             .mockImplementation(mockGetInput({'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION, 'role-duration-seconds': CUSTOM_ROLE_DURATION}));