{"id":22854741,"url":"https://github.com/catnekaise/cognito-idpool-basic-auth","last_synced_at":"2025-07-23T05:33:24.561Z","repository":{"id":203325066,"uuid":"709171218","full_name":"catnekaise/cognito-idpool-basic-auth","owner":"catnekaise","description":"Authenticate with Amazon Cognito Identity from GitHub Actions using the Basic AuthFlow.","archived":false,"fork":false,"pushed_at":"2023-12-13T17:43:38.000Z","size":10,"stargazers_count":5,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"alpha","last_synced_at":"2025-04-30T12:21:45.594Z","etag":null,"topics":["action","authentication","aws"],"latest_commit_sha":null,"homepage":"https://catnekaise.github.io","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/catnekaise.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-24T07:04:22.000Z","updated_at":"2024-08-19T11:55:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"a71888b9-ef94-4e47-803a-d3e251a1249d","html_url":"https://github.com/catnekaise/cognito-idpool-basic-auth","commit_stats":null,"previous_names":["catnekaise/cognito-idpool-basic-auth"],"tags_count":0,"template":true,"template_full_name":null,"purl":"pkg:github/catnekaise/cognito-idpool-basic-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catnekaise%2Fcognito-idpool-basic-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catnekaise%2Fcognito-idpool-basic-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/catnekaise%2Fcognito-idpool-basic-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catnekaise%2Fcognito-idpool-basic-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/catnekaise","download_url":"https://codeload.github.com/catnekaise/cognito-idpool-basic-auth/tar.gz/refs/heads/alpha","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catnekaise%2Fcognito-idpool-basic-auth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266624724,"owners_count":23958299,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["action","authentication","aws"],"created_at":"2024-12-13T07:08:17.352Z","updated_at":"2025-07-23T05:33:24.527Z","avatar_url":"https://github.com/catnekaise.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# cognito-idpool-basic-auth\nUse this action to perform authentication with an Amazon Cognito Identity Pool using the GitHub Actions OIDC access token.\n\nThis action is for use with the [Basic (Classic) AuthFlow](https://catnekaise.github.io/github-actions-abac-aws/detailed-explanation#authentication-flows). 
A different action for [Enhanced (Simplified) AuthFlow](https://catnekaise.github.io/github-actions-abac-aws/detailed-explanation#authentication-flows) is available [here](https://github.com/catnekaise/cognito-idpool-auth).\n\n### Use as Template\nThis repository is available as a template repository.\n\n## Alpha Status\nAt the time of writing (October 2023) this action has not been tested or reviewed by anyone other than the author, hence the alpha status. If using this action, please provide feedback.\n\n## Usage\n\n```yaml\non:\n  workflow_dispatch:\njobs:\n  job1:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - name: \"Authenticate using Basic AuthFlow\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          cognito-identity-pool-id: \"eu-west-1:11111111-example\"\n          aws-account-id: \"111111111111\"\n          aws-region: \"eu-west-1\"\n          audience: \"cognito-identity.amazonaws.com\" # Same value as default\n          role-arn: \"arn:aws:iam::111111111111:role/cognito-gha\"\n          set-in-environment: true\n          \n      - name: \"STS Get Caller Identity\"\n        run: |\n          aws sts get-caller-identity\n```\n\n### Input Parameters\n\n- Only `cognito-identity-pool-id` is a required input to the action. 
\n- `aws-account-id` and `aws-region` are required, but values can optionally be derived from environment variables, if this behaviour is wanted.\n- Input to action via parameters will supersede environment variables for `aws-account-id` and `aws-region`.\n  - **Env Var 1** supersedes **Env Var 2**.\n\n| Input Parameter Name     | Default value                  | Example                             | Env Var 1                 | Env Var 2          |\n|--------------------------|--------------------------------|-------------------------------------|---------------------------|--------------------|\n| cognito-identity-pool-id | -                              | eu-west-1:11111111-example          | -                         | -                  |\n| aws-account-id           | -                              | 111111111111                        | CK_COGNITO_AWS_ACCOUNT_ID | AWS_ACCOUNT_ID     |\n| aws-region               | -                              | eu-west-1                           | CK_COGNITO_AWS_REGION     | AWS_DEFAULT_REGION |\n| audience                 | cognito-identity.amazonaws.com | cognito-identity.amazonaws.com      | -                         | -                  |\n| role-arn                 | -                              | arn:aws:iam::111111111111:role/role | -                         | -                  |\n| role-duration-seconds    | 3600                           | 1500                                | -                         | -                  |\n| role-session-name        | GitHubActions                  | MySessionName                       | -                         | -                  |\n| set-as-profile           | -                              | cache                               | -                         | -                  |\n| set-in-environment       | -                              | true                                | -                         | -                  |\n\n### Outputs\n\n| Parameter                  
        |\n|------------------------------------|\n| aws_access_key_id                  |\n| aws_secret_access_key              |\n| aws_session_token                  |\n| aws_region                         |\n| cognito_identity_oidc_access_token |\n\n\n### Env Vars Example\n\n```yaml\non:\n  workflow_dispatch:\nenv:\n  CK_COGNITO_AWS_ACCOUNT_ID: \"${{ vars.CK_COGNITO_AWS_ACCOUNT_ID }}\"\n  AWS_DEFAULT_REGION: \"us-east-1\"\njobs:\n  job1:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - name: \"Authenticate using Basic AuthFlow\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          cognito-identity-pool-id: \"eu-west-1:11111111-example\"\n          role-arn: \"arn:aws:iam::111111111111:role/cognito-gha\"\n          set-in-environment: true\n          aws-region: \"eu-west-1\" # Overrides AWS_DEFAULT_REGION\n\n      - name: \"STS Get Caller Identity\"\n        run: |\n          aws sts get-caller-identity\n```\n\n### Handling Credentials\nIn order for credentials to exist, `role-arn` has to be set and successful authentication must have completed. 
If not setting `role-arn`, `cognito_identity_oidc_access_token` is available.\n\n- Credentials are always available as output parameters from the action, as long as `role-arn` was set.\n- Set input option `set-in-environment` to `true` and standard AWS environment variables will be set.\n- Provide a profile name in input option `set-as-profile` to set credentials as a profile.\n- Setting `set-in-environment` to `true`, and setting a value in `set-as-profile` will both set environment variables and the profile.\n- When neither `set-in-environment` nor `set-as-profile` is provided, credentials are only available as outputs.\n\n```yaml\non:\n  workflow_dispatch:\nenv:\n  CK_COGNITO_AWS_ACCOUNT_ID: \"${{ vars.CK_COGNITO_AWS_ACCOUNT_ID }}\"\n  AWS_DEFAULT_REGION: \"eu-west-1\"\njobs:\n  job1:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - id: aws-credentials\n        name: \"Credentials as output only\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          cognito-identity-pool-id: \"eu-west-1:11111111-example\"\n          role-arn: \"arn:aws:iam::111111111111:role/cognito-gha\"\n        \n      - name: \"Credentials in environment\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          cognito-identity-pool-id: \"eu-west-1:11111111-example\"\n          role-arn: \"arn:aws:iam::111111111111:role/cognito-gha\"\n          set-in-environment: true\n          \n      - name: \"Credentials in profile: tf-state\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          set-as-profile: \"tf-state\"\n          role-arn: \"arn:aws:iam::111111111111:role/cognito-gha\"\n          cognito-identity-pool-id: \"${{ vars.TF_STATE_COGNITO_IDENTITY_POOL_ID }}\"\n          \n      - name: \"Credentials in profile: cache\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n          set-as-profile: \"cache\"\n          role-arn: 
\"arn:aws:iam::111111111111:role/cognito-gha\"\n          cognito-identity-pool-id: \"${{ vars.CACHE_COGNITO_IDENTITY_POOL_ID }}\"\n          \n      - name: STS Get Caller Identity\n        run: |\n          aws sts get-caller-identity\n          aws sts get-caller-identity --profile tf-state\n          aws sts get-caller-identity --profile cache\n\n      - name: \"STS Get Caller Identity\"\n        env:\n          AWS_ACCESS_KEY_ID: \"${{ steps.aws-credentials.outputs.aws_access_key_id }}\"\n          AWS_SECRET_ACCESS_KEY: \"${{ steps.aws-credentials.outputs.aws_secret_access_key }}\"\n          AWS_SESSION_TOKEN: \"${{ steps.aws-credentials.outputs.aws_session_token }}\"\n        run: |\n          aws sts get-caller-identity\n```\n\n### Without providing role\nWhen `role-arn` is not set, output `cognito_identity_oidc_access_token` is available. It can then be used to assume role inside the workflow.\n\n```yaml\non:\n  workflow_dispatch:\njobs:\n  job1:\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n    steps:\n      - id: oidc_token\n        name: \"Get Cognito OIDC Access Token\"\n        uses: catnekaise/cognito-idpool-basic-auth@alpha\n        with:\n         cognito-identity-pool-id: \"${{ vars.COGNITO_IDENTITY_POOL_ID }}\"\n         aws-region: \"eu-west-1\"\n         aws-account-id: \"111111111111\"\n         \n      - name: \"Assume Role\"\n        env:\n          OIDC_TOKEN: \"${{ steps.oidc_token.outputs.cognito_identity_oidc_access_token }}\"\n          AWS_DEFAULT_REGION: \"eu-west-1\"\n        run: |\n          awsCredentials=$(aws sts assume-role-with-web-identity \\\n          --role-session-name \"MySessionName\" \\\n          --role-arn \"arn:aws:iam::111111111111:role/cognito-gha\" \\\n          --duration-seconds 3600 \\\n          --web-identity-token \"$OIDC_TOKEN\")\n  \n          awsAccessKeyId=$(echo \"$awsCredentials\" | jq -r \".Credentials.AccessKeyId\")\n          awsSecretAccessKey=$(echo \"$awsCredentials\" | 
jq -r \".Credentials.SecretAccessKey\")\n          awsSessionToken=$(echo \"$awsCredentials\" | jq -r \".Credentials.SessionToken\")\n  \n          echo \"::add-mask::$awsAccessKeyId\"\n          echo \"::add-mask::$awsSecretAccessKey\"\n          echo \"::add-mask::$awsSessionToken\"\n```\n\n## Action Goals\nProvide the bare minimum implementation for performing `Basic (Classic) AuthFlow` with Cognito Identity, and remain simple/static enough to be used as a template for creating an internal action for the same purpose.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatnekaise%2Fcognito-idpool-basic-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcatnekaise%2Fcognito-idpool-basic-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatnekaise%2Fcognito-idpool-basic-auth/lists"}