workflow.yaml.example

name: main

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - 'main'
  pull_request:
    branches:
      - 'main'

env:
  AWS_CONFIG_FILE: ${{ github.workspace }}/.aws/config # Custom path profiles are to be used with Docker containers
  AWS_SHARED_CREDENTIALS_FILE: ${{ github.workspace }}/.aws/credentials # Similar to above
  AWS_DEFAULT_REGION: ap-south-1
  REPO_NAME: ${{ github.event.repository.name }}
  PROFILE_ROLE_1: "PROFILE_ROLE_1"
  PROFILE_ROLE_2: "PROFILE_ROLE_2"

jobs:
  assume-multiple-roles:
    runs-on: ubuntu-latest
    permissions:
      contents: read # This is required for actions/checkout
      id-token: write # This is required for requesting the token from AWS STS
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials ROLE 1
        id: configure-aws-credentials-role-1
        uses: Moulick/configure-multiple-aws-roles@v4
        with:
          role-to-assume: arn:aws:iam::111111111111:role/role-1
          role-session-name: GithubActions-${{ env.REPO_NAME }}-${{ github.workflow }}-${{ github.run_id }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          profile: ${{ env.PROFILE_ROLE_1 }}
          only-profile: true
          whoami: true

      - name: Configure AWS credentials ROLE 2
        id: configure-aws-credentials-role-2
        uses: Moulick/configure-multiple-aws-roles@v4
        with:
          role-to-assume: arn:aws:iam::111111111111:role/role-2
          role-session-name: GithubActions-${{ env.REPO_NAME }}-${{ github.workflow }}-${{ github.run_id }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          profile: ${{ env.PROFILE_ROLE_2 }}
          only-profile: true
          whoami: true

      - name: check outputs
        id: check-outputs
        run: |
          echo "PROFILE_ROLE_1: ${{ steps.configure-aws-credentials-role-1.outputs.profile }}"
          echo "PROFILE_ROLE_2: ${{ steps.configure-aws-credentials-role-2.outputs.profile }}"

      # We'll check that we cannot access AWS without providing the PROFILE, it should not work with env vars
      - name: Check AWS credentials
        id: check-aws-credentials
        run: |
          aws sts get-caller-identity || true
          aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_1 }}
          aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_2 }}

          echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
          echo "AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY"
          echo "AWS_SESSION_TOKEN: $AWS_SESSION_TOKEN"

      # Notice the workspace mount and both the env vars, that is the place the AWS config file ends up mounted
      - name: use in docker
        id: use-in-docker
        uses: addnab/docker-run-action@v3
        with:
          image: amazon/aws-cli
          options: -v ${{ github.workspace }}:/github/workspace/ -e AWS_CONFIG_FILE=/github/workspace/.aws/config -e AWS_SHARED_CREDENTIALS_FILE=/github/workspace/.aws/credentials
          run: |
            cat ${AWS_CONFIG_FILE}
            cat ${AWS_SHARED_CREDENTIALS_FILE}
            aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_1 }}
            aws sts get-caller-identity --profile ${{ env.PROFILE_ROLE_2 }}