starred/act
1
0
Fork 0
mirror of https://github.com/nektos/act.git synced 2026-04-26 09:25:54 +03:00
Code Issues 289 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #409] Use local aws credentials in local act run #287

New issue
Closed
opened 2026-03-01 21:42:05 +03:00 by kerem · 6 comments
kerem commented 2026-03-01 21:42:05 +03:00
Owner
Copy link

Originally created by @aldegoeij on GitHub (Nov 6, 2020).
Original GitHub issue: https://github.com/nektos/act/issues/409

Is it somehow possible to read the credentials from my local ~/.aws/ directory and use them in the workflow run?

It is the same logic as used in e.g. docker by adding -v $HOME/.aws:/root/.aws to docker run command. Processes in the docker container now use the local credentials as base credentials for role assume.

This way within the workflow the base credentials are the base credentials of my local aws configuration. Currently I need to copy paste Access Key Id, Secret Access Key and Session Token into a .secrets file for act to pickup?

Is there any way to pass e.g. custom docker commands?

Originally created by @aldegoeij on GitHub (Nov 6, 2020). Original GitHub issue: https://github.com/nektos/act/issues/409 Is it somehow possible to read the credentials from my local `~/.aws/` directory and use them in the workflow run? It is the same logic as used in e.g. docker by adding `-v $HOME/.aws:/root/.aws` to docker run command. Processes in the docker container now use the local credentials as base credentials for role assume. This way within the workflow the base credentials are the base credentials of my local aws configuration. Currently I need to copy paste Access Key Id, Secret Access Key and Session Token into a `.secrets` file for `act` to pickup? Is there any way to pass e.g. custom docker commands?
kerem 2026-03-01 21:42:05 +03:00
  • closed this issue
  • added the
    stale
         label
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@rahb3rt commented on GitHub (Nov 18, 2020):

I am sure you could pass them in via secrets function?

Something like act -s AWS_SECRETE=$(cat ~/.aws/config) and so on would that not work? @aldegoeij

<!-- gh-comment-id:729748350 --> @rahb3rt commented on GitHub (Nov 18, 2020): I am sure you could pass them in via secrets function? Something like `act -s AWS_SECRETE=$(cat ~/.aws/config)` and so on would that not work? @aldegoeij
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Jan 16, 2021):

Issue is stale and will be closed in 14 days unless there is new activity

<!-- gh-comment-id:761279567 --> @github-actions[bot] commented on GitHub (Jan 16, 2021): Issue is stale and will be closed in 14 days unless there is new activity
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@vcolanoKH commented on GitHub (Feb 11, 2022):

Finagling @rahb3rt's answer a bit I got this working with

act pull_request \
 --env AWS_ACCESS_KEY_ID=$(aws configure get default.aws_access_key_id) \
 --env AWS_SECRET_ACCESS_KEY=$(aws configure get default.aws_secret_access_key) \
 --env AWS_SESSION_TOKEN=$(aws configure get default.aws_session_token

Sources:

<!-- gh-comment-id:1036586344 --> @vcolanoKH commented on GitHub (Feb 11, 2022): Finagling @rahb3rt's answer a bit I got this working with ```bash act pull_request \ --env AWS_ACCESS_KEY_ID=$(aws configure get default.aws_access_key_id) \ --env AWS_SECRET_ACCESS_KEY=$(aws configure get default.aws_secret_access_key) \ --env AWS_SESSION_TOKEN=$(aws configure get default.aws_session_token ``` Sources: * https://stackoverflow.com/a/40852848/2121777 * https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@rdettai commented on GitHub (Mar 16, 2022):

for reference, what i ended up doing:

  • calling command
    act --env CREDS_FILE="$(shell cat ~/.aws/credentials | base64 -w 0)"

  • new step

      - name: "Write AWS credentials file"
        if: ${{ env.ACT }}
        description: "When running locally with `act`, load AWS credentials"
        run: |
          mkdir ~/.aws
          echo $CREDS_FILE | base64 -d > ~/.aws/credentials

As you can see, I am encoding with base64 to avoid all escaping/newline issues.

<!-- gh-comment-id:1069241315 --> @rdettai commented on GitHub (Mar 16, 2022): for reference, what i ended up doing: - calling command `act --env CREDS_FILE="$(shell cat ~/.aws/credentials | base64 -w 0)" ` - new step ``` - name: "Write AWS credentials file" if: ${{ env.ACT }} description: "When running locally with `act`, load AWS credentials" run: | mkdir ~/.aws echo $CREDS_FILE | base64 -d > ~/.aws/credentials ``` As you can see, I am encoding with base64 to avoid all escaping/newline issues.
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@furkantektas commented on GitHub (May 2, 2024):

Alternative to @rdettai's solution, you can pass the credentials via env-file parameter like this:

act pull_request --env-file <(aws configure export-credentials --format env)
<!-- gh-comment-id:2089951549 --> @furkantektas commented on GitHub (May 2, 2024): Alternative to @rdettai's solution, you can pass the credentials via `env-file` parameter like this: ```bash act pull_request --env-file <(aws configure export-credentials --format env) ```
kerem commented 2026-03-01 21:42:06 +03:00
Author
Owner
Copy link

@chris-porter-trend commented on GitHub (Mar 11, 2025):

Alternative to @rdettai's solution, you can pass the credentials via env-file parameter like this:

act pull_request --env-file <(aws configure export-credentials --format env)

This worked very well for me. I find issues some issues using both aws-actions/configure-aws-credentials@v4 and aws-actions/amazon-ecr-login@v2. Using role-to-assume on the credentials side did not work, then realized that the aws configure export-credentials was using my default AWS SSO profile. Adding a profile arg solved my issue:

act push --env-file <(aws configure export-credentials --format env --profile=not-my-default-profile)

This ensured the exported credentials were for the intended account and I was able to remove role-to-assume usage.

<!-- gh-comment-id:2714928944 --> @chris-porter-trend commented on GitHub (Mar 11, 2025): > Alternative to [@rdettai](https://github.com/rdettai)'s solution, you can pass the credentials via `env-file` parameter like this: > > act pull_request --env-file <(aws configure export-credentials --format env) This worked very well for me. I find issues some issues using both `aws-actions/configure-aws-credentials@v4` and `aws-actions/amazon-ecr-login@v2`. Using `role-to-assume` on the credentials side did not work, then realized that the `aws configure export-credentials` was using my default AWS SSO profile. Adding a profile arg solved my issue: ``` act push --env-file <(aws configure export-credentials --format env --profile=not-my-default-profile) ``` This ensured the exported credentials were for the intended account and I was able to remove `role-to-assume` usage.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/go_modules/github.com/go-git/go-git/v5-5.18.0
dependabot/go_modules/dependencies-08815e2262
mergify/configuration-deprecated-update
dependabot/github_actions/dependencies-a3a104477f
chore/simplify-ci-and-makefile
dependabot/go_modules/golang.org/x/crypto-0.45.0
dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0
panekj/ci/improve-jobs
fix-skip-non-yaml-files-in-dir
normalize-pull-rebuild-flags
fix-no-recurse-by-default
2517-poor-error-for-incomplete-action-step
2472-make-use-new-action-cache-the-new-default-for-downloading-actions
act-tart
act-lxc
act-oidc
act-dind
avoid-slash-in-actor
dependabot/go_modules/github.com/docker/docker-26.1.4incompatible
meta-keep-filetime
local-repository-action-cache
pr-merger
update-docker-deps
follow_local_action_symlink
boltdb-lock-in-handler
use-socket-path
no-pull-no-rebuild
path-issues
fix/env
feat/podman
refactor/testdata
v0.2.87
v0.2.86
v0.2.85
v0.2.84
v0.2.83
v0.2.82
v0.2.81
v0.2.80
v0.2.79
v0.2.78
v0.2.77
v0.2.76
v0.2.75
v0.2.74
v0.2.73
v0.2.72
v0.2.71
v0.2.70
v0.2.69
v0.2.68
v0.2.67
v0.2.66
v0.2.65
v0.2.64
v0.2.63
v0.2.62
v0.2.61
v0.2.60
v0.2.59
v0.2.58
v0.2.57
v0.2.56
v0.2.55
v0.2.54
v0.2.53
v0.2.52
v0.2.51
v0.2.50
v0.2.49
v0.2.48
v0.2.47
v0.2.46
v0.2.45
v0.2.44
v0.2.43
v0.2.42
v0.2.41
v0.2.40
v0.2.39
v0.2.38
v0.2.37
v0.2.36
v0.2.35
v0.2.34
v0.2.33
v0.2.32
v0.2.31
v0.2.30
v0.2.29
v0.2.28
v0.2.27
v0.2.26
v0.2.25
v0.2.24
v0.2.23
v0.2.22
v0.2.21
v0.2.20
v0.2.19
v0.2.18
v0.2.17
v0.2.16
v0.2.15
v0.2.14
v0.2.13
v0.2.12
v0.2.11
v0.2.10
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
area/action

   
area/cli

   
area/docs

   
area/image

   
area/runner

   
area/workflow

   
backlog

   
confirmed/not-planned

   
kind/bug

   
kind/discussion

   
kind/external

   
kind/feature-request

   
kind/question

   
meta/duplicate

   
meta/invalid

   
meta/need-more-info

   
meta/resolved

   
meta/wontfix

   
meta/workaround

   
needs-work

   
pull-request

Mirrored from GitHub Pull Request

  
review/not-planned

   
size/M

   
size/XL

   
size/XXL

   
stale

   
stale-exempt
No labels
area/action
area/cli
area/docs
area/image
area/runner
area/workflow
backlog
confirmed/not-planned
kind/bug
kind/discussion
kind/external
kind/feature-request
kind/question
meta/duplicate
meta/invalid
meta/need-more-info
meta/resolved
meta/wontfix
meta/workaround
needs-work
pull-request
review/not-planned
size/M
size/XL
size/XXL
stale
stale-exempt
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/act#287
No description provided.