Support config file generation for AWS Profiles for Multi-Account/Commercial/GovCloud deployments #1586

@JacobWeyer

Description

Describe the feature

Current Status: This feature is implemented in the add-aws-config-file-support branch.

The output-config-files feature allows users to configure multiple AWS credential profiles by running the action multiple times in sequence. This enables authentication to multiple AWS environments (e.g., AWS Commercial and AWS GovCloud) simultaneously, with all profiles available in the same workflow job for use with tools like Terraform.

Each action invocation can create or update a profile in ~/.aws/config and ~/.aws/credentials, preserving existing profiles. By running the action multiple times with different aws-profile-name values, users can configure multiple profiles that are all available for the same Terraform execution.

Use Case

I need to deploy Terraform infrastructure that requires access to both AWS Commercial and AWS GovCloud as part of the same Terraform run. With the add-aws-config-file-support branch, I can:

  1. Run the configure-aws-credentials action multiple times in separate workflow steps
  2. Configure each profile with a unique aws-profile-name to avoid conflicts
  3. Have all profiles automatically cleaned up when using custom paths (or persist when using default paths)
  4. Use a clear, explicit workflow configuration

My specific scenario:

  • I need to authenticate to AWS Commercial (via GitHub OIDC) using arn:aws:iam::123456789012:role/github-actions in us-east-1
  • I need to authenticate to AWS GovCloud (via GitHub OIDC) using arn:aws-us-gov:iam::987654321098:role/github-actions in us-gov-east-1
  • I need both credential profiles available simultaneously in the same workflow job
  • I need to deploy to both environments as part of the same Terraform execution, which requires logging in as roles for both and making them available at the same time

Why this matters:
My Terraform code uses multiple AWS provider aliases to deploy resources to both AWS Commercial and AWS GovCloud in a single terraform apply run. This requires both credential profiles to be available simultaneously, not sequentially.

Current status:
The add-aws-config-file-support branch implements the output-config-files feature, which supports configuring multiple AWS profiles by running the action multiple times. Each invocation creates or updates a profile in the AWS config files, preserving existing profiles. This allows multiple profiles to be available simultaneously for the same Terraform execution.

Proposed Solution

The add-aws-config-file-support branch supports configuring multiple profiles by running the action multiple times in sequence:

```yaml
- name: Configure AWS Commercial Credentials
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: arn:aws:iam::123456789012:role/github-actions
    aws-region: us-east-1
    output-config-files: true
    aws-profile-name: commercial

- name: Configure AWS GovCloud Credentials
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: arn:aws-us-gov:iam::987654321098:role/github-actions
    aws-region: us-gov-east-1
    output-config-files: true
    aws-profile-name: govcloud

- name: Deploy to Both Environments
  run: terraform apply
```

How it works:

  1. First action step (Configure AWS Commercial Credentials):

    • Assumes the role arn:aws:iam::123456789012:role/github-actions via GitHub OIDC
    • Receives temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) from AWS STS
    • Creates or updates ~/.aws/config with:
      [profile commercial]
      region = us-east-1
    • Creates or updates ~/.aws/credentials with:
      [commercial]
      aws_access_key_id = AKIA...
      aws_secret_access_key = ...
      aws_session_token = ...
  2. Second action step (Configure AWS GovCloud Credentials):

    • Assumes the role arn:aws-us-gov:iam::987654321098:role/github-actions via GitHub OIDC
    • Receives temporary credentials from AWS GovCloud STS
    • Updates ~/.aws/config (preserving the commercial profile) with:
      [profile commercial]
      region = us-east-1
      
      [profile govcloud]
      region = us-gov-east-1
    • Updates ~/.aws/credentials (preserving the commercial profile) with:
      [commercial]
      aws_access_key_id = AKIA...
      aws_secret_access_key = ...
      aws_session_token = ...
      
      [govcloud]
      aws_access_key_id = AKIA...
      aws_secret_access_key = ...
      aws_session_token = ...
  3. After both steps complete:

    • Both profiles (commercial and govcloud) are available in ~/.aws/config and ~/.aws/credentials
    • Terraform can use provider aliases to reference both profiles in the same execution
    • The AWS CLI and SDKs can use either profile via the --profile flag or AWS_PROFILE environment variable

Implementation details (from add-aws-config-file-support branch):

  • Each action invocation uses the output-config-files feature implemented in this branch
  • The createAwsConfigFiles function (in src/awsConfigFiles.ts) reads existing config files, parses them using INI file parsing, and merges the new profile
  • Existing profiles are preserved when adding new ones - the updateIniProfile function handles merging
  • Profile names must be unique within each file (enforced by the INI parsing logic)
  • Files are created with secure permissions (0o600 for files, 0o700 for directories)
  • Supports both default paths (~/.aws/config and ~/.aws/credentials) and custom paths via aws-config-file-path and aws-shared-credentials-file-path
  • Custom paths are automatically cleaned up in the post-job cleanup step
  • Default paths persist after the workflow completes
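The merge behaviour described under "Implementation details" (parse the existing INI file, add or update one profile, keep every other profile, and use `[profile x]` headers in the config file but `[x]` in the credentials file), shown as an added example. This is a hypothetical reimplementation written for this page, not the branch's own src/awsConfigFiles.ts; the function names are borrowed from the description above but the code is not the project's.

```typescript
// Added example, not the branch's code: an ordered INI model so re-serialising never reorders or drops profiles.
interface IniSection { name: string; entries: { [key: string]: string } }

function getOrCreate(sections: IniSection[], name: string): IniSection {
  for (const s of sections) if (s.name === name) return s;
  const fresh: IniSection = { name, entries: {} };
  sections.push(fresh);
  return fresh;
}

// A repeated header merges into the first occurrence, so each profile name appears once.
function parseIniFile(text: string): IniSection[] {
  const sections: IniSection[] = [];
  let current: IniSection | null = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line[0] === '#' || line[0] === ';') continue; // blank or comment
    const header = /^\[(.+)\]$/.exec(line);
    if (header) { current = getOrCreate(sections, header[1].trim()); continue; }
    const eq = line.indexOf('=');
    if (eq < 0 || !current) continue; // malformed, or a key outside any section
    current.entries[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

function serializeIniFile(sections: IniSection[]): string {
  const blocks = sections.map(s => {
    const body = Object.keys(s.entries).map(k => `${k} = ${s.entries[k]}`).join('\n');
    return `[${s.name}]\n${body}`;
  });
  return blocks.join('\n\n') + '\n';
}

// ~/.aws/config names non-default profiles "[profile x]"; ~/.aws/credentials uses "[x]".
function sectionName(profile: string, kind: 'config' | 'credentials'): string {
  return kind === 'config' && profile !== 'default' ? `profile ${profile}` : profile;
}

// Merge one profile into the existing file text; all other sections survive untouched.
function updateIniProfile(existing: string, profile: string,
                          kind: 'config' | 'credentials',
                          values: { [key: string]: string }): string {
  const sections = parseIniFile(existing);
  const target = getOrCreate(sections, sectionName(profile, kind));
  for (const k of Object.keys(values)) target.entries[k] = values[k];
  return serializeIniFile(sections);
}
```

Whatever writes the result to disk should create the file with mode 0o600 as the branch does; the page also notes that only custom-path files are cleaned up after the job, while default-path files persist.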

Considerations:

  • Requires multiple action steps to configure multiple profiles
  • Profile names must be manually coordinated to avoid conflicts
  • Each step independently assumes a role
  • Each step sets environment variables independently (the last step's env vars will be active, but all profiles remain available in config files)

Other Information

The primary use case is deploying to both AWS Commercial and AWS GovCloud as part of the same Terraform execution. This requires both credential profiles to be available simultaneously.

Example Terraform configuration using provider aliases:

```hcl
# Commercial AWS provider
provider "aws" {
  alias   = "commercial"
  profile = "commercial"
  region  = "us-east-1"
}

# GovCloud AWS provider
provider "aws" {
  alias   = "govcloud"
  profile = "govcloud"
  region  = "us-gov-east-1"
}

# Resources deployed to Commercial
resource "aws_s3_bucket" "commercial_bucket" {
  provider = aws.commercial
  bucket   = "my-commercial-bucket"
}

# Resources deployed to GovCloud
resource "aws_s3_bucket" "govcloud_bucket" {
  provider = aws.govcloud
  bucket   = "my-govcloud-bucket"
}
```

Workflow example:

```yaml
- name: Configure AWS Commercial Credentials
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: arn:aws:iam::123456789012:role/github-actions
    aws-region: us-east-1
    output-config-files: true
    aws-profile-name: commercial

- name: Configure AWS GovCloud Credentials
  uses: aws-actions/configure-aws-credentials@v5
  with:
    role-to-assume: arn:aws-us-gov:iam::987654321098:role/github-actions
    aws-region: us-gov-east-1
    output-config-files: true
    aws-profile-name: govcloud

- name: Deploy to Both Environments
  run: terraform apply
  # Both profiles are available, Terraform can use provider aliases
  # to deploy to both AWS Commercial and AWS GovCloud in one run
```

Key requirement: Both profiles must be available simultaneously for Terraform to use provider aliases to deploy to multiple AWS environments (Commercial and GovCloud) in a single execution.

Related Features (Implemented in add-aws-config-file-support branch)

This implementation includes:

  • output-config-files: Input option to enable config file creation
  • aws-profile-name: Input option to specify the profile name (defaults to 'default')
  • aws-config-file-path: Input option for custom config file path (supports ~ expansion)
  • aws-shared-credentials-file-path: Input option for custom credentials file path (supports ~ expansion)
  • Outputs: aws-config-file-path, aws-shared-credentials-file-path, and aws-profile-name are available as step outputs
  • Role assumption: Each action step assumes a role independently via existing OIDC/credential mechanisms
  • Cleanup: Automatic cleanup of custom path files in the post-job cleanup step

Additional Considerations

  • Security: Each profile's credentials are isolated in the config files with secure permissions (0o600 for files, 0o700 for directories)
  • Cleanup: The cleanup functionality in src/cleanup/index.ts handles profile cleanup - default paths (~/.aws/*) persist after the workflow, while custom paths are automatically cleaned up
  • Backward compatibility: This implementation maintains full backward compatibility - single-profile configuration continues to work as before, and output-config-files defaults to false
  • Error handling: Each action step fails independently (standard GitHub Actions behavior). If one profile fails to configure, subsequent steps won't run unless continue-on-error is used
  • Profile name validation: Profile names must be unique within each config file (enforced by the INI parsing and merging logic in src/awsConfigFiles.ts)
  • Environment variables: Each step sets environment variables independently. The last step's environment variables will be active, but all profiles remain available in config files for use with --profile flag or AWS_PROFILE environment variable
  • File preservation: When updating existing config files, the implementation preserves all existing profiles and only updates/adds the specified profile
  • INI file handling: The implementation includes robust INI file parsing (parseIniFile) and serialization (serializeIniFile) that handles both config file format ([profile name]) and credentials file format ([name])

Implementation Notes

The add-aws-config-file-support branch implements this feature through:

  • src/awsConfigFiles.ts: Core functionality for INI file parsing, serialization, profile updates, and path expansion
  • src/helpers.ts: Integration with exportCredentials to create config files when output-config-files is enabled
  • src/cleanup/index.ts: Cleanup logic for custom path files
  • action.yml: New inputs and outputs for config file configuration
  • Tests: Comprehensive test coverage in test/awsConfigFiles.test.ts, test/helpers.test.ts, and test/cleanup.test.ts

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Labels: feature-request (A feature should be added or improved.), needs-triage (This issue still needs to be triaged.)