Make credential export to GitHub env optional

[gruuya]

Describe the feature

Currently the step will always export the credentials to the GitHub env, even when output-credentials is set to true (which exports them as step outputs then too)

configure-aws-credentials/src/helpers.ts

Lines 42 to 75 in b92d0d9

	export function exportCredentials(creds?: Partial<Credentials>, outputCredentials?: boolean) {
	if (creds?.AccessKeyId) {
	core.setSecret(creds.AccessKeyId);
	core.exportVariable('AWS_ACCESS_KEY_ID', creds.AccessKeyId);
	}
	if (creds?.SecretAccessKey) {
	core.setSecret(creds.SecretAccessKey);
	core.exportVariable('AWS_SECRET_ACCESS_KEY', creds.SecretAccessKey);
	}
	if (creds?.SessionToken) {
	core.setSecret(creds.SessionToken);
	core.exportVariable('AWS_SESSION_TOKEN', creds.SessionToken);
	} else if (process.env.AWS_SESSION_TOKEN) {
	// clear session token from previous credentials action
	core.exportVariable('AWS_SESSION_TOKEN', '');
	}
	if (outputCredentials) {
	if (creds?.AccessKeyId) {
	core.setOutput('aws-access-key-id', creds.AccessKeyId);
	}
	if (creds?.SecretAccessKey) {
	core.setOutput('aws-secret-access-key', creds.SecretAccessKey);
	}
	if (creds?.SessionToken) {
	core.setOutput('aws-session-token', creds.SessionToken);
	}
	if (creds?.Expiration) {
	core.setOutput('aws-expiration', creds.Expiration);
	}
	}
	}

I'd like the GitHub env export to be controllable so as not to "polute" it.

Use Case

A lot of libraries/applications/programs nowadays end up picking up these creds, and I might prefer the obtained credentials to be scoped only to specific steps, or even specific commands within some step. In other words I'd like a more fine-grained/opt-in approach to be available.

Proposed Solution

I see two alternatives

1. Make output-credentials exclusive: when false export only to env (as now), but when true export only as step output. A renaming of the option might be in order too, since it's not clear what the output refers to.
2. Replace output-credentials with two new options, e.g. output-step (defaulting to false), and output-env (defaulting to true). This would allow control of all possible combinations of outputs.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[lehmanmj]

Hi gruuya, would adding a step like the following work for your use case?

- name: clean environment
   run: |
     echo "AWS_REGION=" >> $GITHUB_ENV
     echo "AWS_DEFAULT_REGION=" >> $GITHUB_ENV
     echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
     echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
     echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV

[gruuya]

Hey @lehmanmj, actually no, because that sets the env vars to an empty value, which is different from them not being present.

This is also stated in actions/runner#1126, which shows just how finicky unsetting env vars in GitHub runners is.

Coincidentally, the comments in the above issue mostly seem to be motivated by exactly this issue with aws-actions/configure-aws-credentials (not being able to disable env output).

[lehmanmj]

Thanks for bringing this to our attention! #1379 adds an option to disable all environment variables being output (output-env-credentials).

It may be important to note that setting output-env-credentials to false will prevent aws-account-id from being exported as a step output. This is because the way aws-account-id is fetched currently relies on the environment variables being present, and that would be a non-trivial change to make. We will consider it for future releases though.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.