Allow setting IAM role by name (machulav#25)

colemickens · Jan 20, 2021 · bd02f39 · bd02f39
1 parent 672798f
commit bd02f39
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -83,7 +83,36 @@ Use the following steps to prepare your workflow for running on your EC2 self-ho
    }
    ```
 
-   The policy can be limited even more by specifying the resources you use.
+   If you plan to attach an IAM role to the EC2 agent with the iam-role-name parameter, you will need to allow additional actions.
+
+   ```
+   {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "",
+        "Effect": "Allow",
+        "Action": [
+          "ec2:TerminateInstances",
+          "ec2:RunInstances",
+          "ec2:ReplaceIamInstanceProfileAssociation",
+          "ec2:DescribeInstances",
+          "ec2:DescribeInstanceStatus",
+          "ec2:AssociateIamInstanceProfile"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "",
+        "Effect": "Allow",
+        "Action": "iam:PassRole",
+        "Resource": "*"
+      }
+    ]
+   }
+   ```
+   This example policy is provided as a guide. It can and most likely should be limited even more by specifying the resources you use.
+
 
 2. Add the keys to GitHub secrets.
 3. Use the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) action to set up the keys as environment variables.
@@ -143,6 +172,7 @@ Now you're ready to go!
 | `security-group-id`                                                                                                                                                          | Required if you use the `start` mode. | EC2 Security Group Id. <br><br> The security group should belong to the same VPC as the specified subnet. <br><br> Only the outbound traffic for port 443 should be allowed. No inbound traffic is required.                        |
 | `label`                                                                                                                                                                      | Required if you use the `stop` mode.  | Name of the unique label assigned to the runner. <br><br> The label is provided by the output of the action in the `start` mode. <br><br> The label is used to remove the runner from GitHub when the runner is not needed anymore. |
 | `ec2-instance-id`                                                                                                                                                            | Required if you use the `stop` mode.  | EC2 Instance Id of the created runner. <br><br> The id is provided by the output of the action in the `start` mode. <br><br> The id is used to terminate the EC2 instance when the runner is not needed anymore.                    |
+| `iam-role-name`                                                                                                                                                            | Optional.  | IAM role name to attach to the created runner. <br><br> This allows the runner to have permissions to run additional actions within the aws account, without having to manage additional github secrets and aws users.                      |
 
 ### Environment variables
 
@@ -193,6 +223,7 @@ jobs:
           ec2-instance-type: t3.nano
           subnet-id: subnet-123
           security-group-id: sg-123
+          iam-role-name: my-role-name # optional, requires additional permissions
   do-the-job:
     name: Do the job on the runner
     runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner

diff --git a/action.yml b/action.yml
@@ -49,6 +49,11 @@ inputs:
       The id is used to terminate the EC2 instance when the runner is not needed anymore.
       This input is required if you use the 'stop' mode.
     required: false
+  iam-role-name:
+    description: >-
+      IAM Role Name to attach to the created runner.
+      This requires additional permissions on the AWS role used to launch instances.
+    required: false
 outputs:
   label:
     description: >-

diff --git a/src/aws.js b/src/aws.js
@@ -25,6 +25,7 @@ async function startEc2Instance(label, githubRegistrationToken) {
     UserData: Buffer.from(userData.join('\n')).toString('base64'),
     SubnetId: config.input.subnetId,
     SecurityGroupIds: [config.input.securityGroupId],
+    IamInstanceProfile: {Name: config.input.iamRoleName},
   };
 
   try {

diff --git a/src/config.js b/src/config.js
@@ -12,6 +12,7 @@ class Config {
       securityGroupId: core.getInput('security-group-id'),
       label: core.getInput('label'),
       ec2InstanceId: core.getInput('ec2-instance-id'),
+      iamRoleName: core.getInput('iam-role-name'),
     };
 
     // the values of github.context.repo.owner and github.context.repo.repo are taken from