Merge pull request #6 from shinitiandrei/session-tokens

update: adding session tokens for temporary credentials for AWS S3
peter-evans · May 9, 2022 · 4f39c7d · 4f39c7d
2 parents e5ff6b5 + df86c38
commit 4f39c7d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM minio/mc:RELEASE.2020-10-03T02-54-56Z
+FROM minio/mc:RELEASE.2022-05-04T06-07-55Z
 
 LABEL maintainer="Peter Evans <[email protected]>"
 LABEL repository="https://github.com/peter-evans/s3-backup"

diff --git a/README.md b/README.md
@@ -28,6 +28,8 @@ The following variables may be passed to the action as secrets or environment va
 - `ACCESS_KEY_ID` (**required**) - The storage service access key id.
 - `SECRET_ACCESS_KEY` (**required**) - The storage service secret access key.
 - `MIRROR_TARGET` (**required**) - The target bucket, and optionally, the key within the bucket.
+- `AWS_SESSION_TOKEN` - When using temporary credentials (Amazon S3)
+- `AWS_REGION` (required with AWS_SESSION_TOKEN) - the region where the s3 bucket is located for Amazon S3. **Mandatory** when using SESSION_TOKEN.
 - `MIRROR_SOURCE` - The source defaults to the repository root. If required a path relative to the root can be set.
 - `STORAGE_SERVICE_URL` - The URL to the object storage service. Defaults to `https://s3.amazonaws.com` for Amazon S3.
 - `STORAGE_SERVICE_ALIAS` - Defaults to `s3`. See [MinIO Client](https://github.com/minio/mc) for other options such as S3 compatible `minio`, and `gcs` for Google Cloud Storage.

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -3,10 +3,16 @@ set -euo pipefail
 
 STORAGE_SERVICE_ALIAS=${STORAGE_SERVICE_ALIAS:="s3"}
 STORAGE_SERVICE_URL=${STORAGE_SERVICE_URL:="https://s3.amazonaws.com"}
+AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:=""}
 MIRROR_SOURCE=${MIRROR_SOURCE:="."}
+AWS_REGION=${AWS_REGION:=""}
 
 # Set mc configuration
-mc alias set "$STORAGE_SERVICE_ALIAS" "$STORAGE_SERVICE_URL" "$ACCESS_KEY_ID" "$SECRET_ACCESS_KEY"
+if [ -z "$AWS_SESSION_TOKEN" ]; then
+  mc alias set "$STORAGE_SERVICE_ALIAS" "$STORAGE_SERVICE_URL" "$ACCESS_KEY_ID" "$SECRET_ACCESS_KEY"
+else
+  export MC_HOST_${STORAGE_SERVICE_ALIAS}=https://${ACCESS_KEY_ID}:${SECRET_ACCESS_KEY}:${AWS_SESSION_TOKEN}@s3.${AWS_REGION}.amazonaws.com
+fi
 
 # Execute mc mirror
 mc mirror $* "$MIRROR_SOURCE" "$STORAGE_SERVICE_ALIAS/$MIRROR_TARGET"