Emit warning of aws/assume-role deprecation (#190)

rwx-research · Feb 7, 2025 · 09b93fa · 09b93fa
1 parent 757c64e
commit 09b93fa
Show file tree

Hide file tree

Showing 2 changed files with 123 additions and 9 deletions.
diff --git a/aws/assume-role/README.md b/aws/assume-role/README.md
@@ -9,7 +9,7 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
@@ -25,7 +25,7 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
@@ -42,7 +42,7 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
@@ -59,7 +59,7 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
@@ -76,15 +76,15 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
       role-to-assume: arn:aws:iam::your-account-id:role/your-role
 
   - key: chained-role
     use: assume-role
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       region: us-east-2
       role-to-assume: arn:aws:iam::your-account-id:role/your-other-role
@@ -99,7 +99,7 @@ tasks:
 
   - key: assume-role
     use: aws-cli
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       oidc-token: ${{ vaults.your-vault.oidc.your-token }}
       region: us-east-2
@@ -108,10 +108,120 @@ tasks:
 
   - key: chained-role
     use: assume-role
-    call: aws/assume-role 1.1.3
+    call: aws/assume-role 1.1.4
     with:
       source-profile-name: your-profile
       region: us-east-2
       role-to-assume: arn:aws:iam::your-account-id:role/your-other-role
       profile-name: your-other-profile
 ```
+
+## Upgrading from v1.X.X
+
+In v1.X.X the AWS OIDC token was provided as a leaf parameter.
+Starting in version 2, the AWS OIDC token is provided to tasks that use the assume role leaf task as an environment variable (default: `AWS_OIDC_TOKEN`).
+
+As a result of this, upon retrying a task, a new token will be used, preventing the incidental use of expired credentials.
+
+### Assuming a Role
+
+#### Before
+
+```yaml
+tasks:
+  - key: aws-cli
+    call: aws/install-cli 1.0.1
+
+  - key: assume-role
+    use: aws-cli
+    call: aws/assume-role 1.1.4
+    with:
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-role
+      oidc-token: ${{ vaults.your-vault.oidc.your-token }}
+
+  - key: your-task
+    use: assume-role
+    run: # ...
+```
+
+#### After
+
+```yaml
+tasks:
+  - key: aws-cli
+    call: aws/install-cli 1.0.1
+
+  - key: assume-role
+    call: aws/assume-role 2.0.0 # replaces aws/assume-role 1.1.4
+    with:
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-role
+
+  - key: your-task
+    use: [aws-cli, assume-role]
+    run: ...
+    env:
+      AWS_OIDC_TOKEN:
+        value: ${{ vaults.your-vault.oidc.your-token }}
+        cache-key: excluded
+```
+
+### Role Chaining
+
+#### Before
+
+```yaml
+tasks:
+  - key: aws-cli
+    call: aws/install-cli 1.0.1
+
+  - key: assume-role
+    use: aws-cli
+    call: aws/assume-role 1.1.4
+    with:
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-role
+      oidc-token: ${{ vaults.your-vault.oidc.your-token }}
+
+  - key: chain-role
+    use: assume-role
+    call: aws/assume-role 1.1.4
+    with:
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-other-role
+
+  - key: your-task
+    use: chain-role
+    run: ...
+```
+
+#### After
+
+```yaml
+tasks:
+  - key: aws-cli
+    call: aws/install-cli 1.0.1
+
+  - key: assume-role
+    call: aws/assume-role 2.0.0 # replaces aws/assume-role 1.1.4
+    with:
+      oidc-token: ${{ vaults.your-vault.oidc.your-token }}
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-role
+
+  - key: chain-role
+    call: aws/assume-role 2.0.0 # replaces aws/assume-role 1.1.4
+    with:
+      region: us-east-2
+      role-to-assume: arn:aws:iam::your-account-id:role/your-other-role
+      role-chaining: true
+
+  - key: your-task
+    use: [aws-cli, assume-role, chain-role]
+    run: ...
+    env:
+      AWS_OIDC_TOKEN:
+        value: ${{ vaults.your-vault.oidc.your-token }}
+        cache-key: excluded
+```
diff --git a/aws/assume-role/mint-leaf.yml b/aws/assume-role/mint-leaf.yml
@@ -1,5 +1,5 @@
 name: aws/assume-role
-version: 1.1.3
+version: 1.1.4
 description: Assume an AWS role
 source_code_url: https://github.com/rwx-research/mint-leaves/tree/main/aws/assume-role
 issue_tracker_url: https://github.com/rwx-research/mint-leaves/issues
@@ -32,6 +32,10 @@ tasks:
     run: |
       set -ueo pipefail
 
+      cat << EOF > $(mktemp "$MINT_WARNINGS/warning-XXXX")
+      This leaf is deprecated. Please upgrade to \`2.0.0\` or later. See [upgrade instructions](https://cloud.rwx.com/leaves/aws/assume-role) for more detail.
+      EOF
+
       if ! command -v aws &> /dev/null; then
         cat << EOF > $(mktemp "$MINT_ERRORS/error-XXXX")
       The AWS CLI must be installed. To install it, you can use the \`aws/install-cli\` leaf.