From 2f8dfd0ed43d880f85b57f0c8727b497af2037de Mon Sep 17 00:00:00 2001
From: Alex Blewitt
Date: Sat, 9 Oct 2021 09:13:53 +0100
Subject: [PATCH 1/3] feat: Allow audience to be explicitly specified

The default audience for the GitHub OIDC uses sts.amazonaws.com, but there are situations when it would be desirable to allow different audience names to be used instead. Allow this to be specified as an argument to the action.
---
 README.md  | 2 ++
 action.yml | 4 ++++
 index.js   | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 57d2bc86a..9a2cf6a10 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,7 @@ The following table describes which identity is used based on which values are s
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
+        audience: sts.amazonaws.com
         aws-region: us-east-2
         role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
         role-session-name: MySessionName
@@ -108,6 +109,7 @@ In this example, the Action will load the OIDC token from the GitHub-provided en
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
+        audience: sts.amazonaws.com
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: us-east-2
diff --git a/action.yml b/action.yml
index 4e41aeb5e..17723b00d 100644
--- a/action.yml
+++ b/action.yml
@@ -4,6 +4,10 @@ branding:
   icon: 'cloud'
   color: 'orange'
 inputs:
+  audience:
+    default: 'sts.amazonaws.com'
+    description: 'The audience to use for the OIDC provider'
+    required: false
   aws-access-key-id:
     description: >-
       AWS Access Key ID. This input is required if running in the GitHub hosted environment.
diff --git a/index.js b/index.js
index c70f46cec..9966a42c9 100644
--- a/index.js
+++ b/index.js
@@ -19,6 +19,7 @@ async function assumeRole(params) {
   const isDefined = i => !!i;
 
   const {
+    audience,
     sourceAccountId,
     roleToAssume,
     roleExternalId,
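Review bot: The description of the new `audience` input in the action.yml hunk does not say that the value only matters on the OIDC path and that it has to agree with what the AWS side enforces, which is what turns the audience from a free-form label into a trust boundary. The IAM OIDC identity provider's audience list and the role trust policy's `aud` condition are what actually check this claim, so a user who changes the input without updating those will see STS reject the token, and a user who loosens the policy to match an arbitrary value weakens the trust relationship instead. I would extend the input to `description: 'The audience to use for the OIDC provider. Only used when assuming a role via the GitHub OIDC token; must match the audience accepted by the IAM OIDC identity provider and the role trust policy.'`.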
@@ -263,6 +264,7 @@ async function run() {
   try {
     // Get inputs
     const accessKeyId = core.getInput('aws-access-key-id', { required: false });
+    const audience = core.getInput('audience', { required: false });
     const secretAccessKey = core.getInput('aws-secret-access-key', { required: false });
     const region = core.getInput('aws-region', { required: true });
     const sessionToken = core.getInput('aws-session-token', { required: false });
@@ -310,7 +312,7 @@ async function run() {
     let sourceAccountId;
     let webIdentityToken;
     if(useGitHubOIDCProvider()) {
-      webIdentityToken = await core.getIDToken('sts.amazonaws.com');
+      webIdentityToken = await core.getIDToken(audience);
       roleDurationSeconds = core.getInput('role-duration-seconds', {required: false}) || DEFAULT_ROLE_DURATION_FOR_OIDC_ROLES;
       // We don't validate the credentials here because we don't have them yet when using OIDC.
     } else {

From d1edd20a7eef87a395b74fda0f1d46adc6797e19 Mon Sep 17 00:00:00 2001
From: Alex Blewitt
Date: Fri, 8 Jul 2022 23:26:57 +0100
Subject: [PATCH 2/3] Updated README.md for information about using alternate audiences

---
 README.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9a2cf6a10..c8ffad1ed 100644
--- a/README.md
+++ b/README.md
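Review bot: The second index.js hunk (`@@ -310`) passes `audience` straight into `core.getIDToken(audience)`, and nothing between `core.getInput('audience', { required: false })` in the first hunk and that call guards against an empty string. The `default` in action.yml only applies when the caller omits the input entirely; `audience: ''` arrives here as `''`, and as far as I recall `@actions/core` then omits the audience query parameter, so GitHub mints a token with its own default `aud` instead of `sts.amazonaws.com` and the role assumption fails with a much less obvious STS error than a validation message would give. Consider `const audience = core.getInput('audience', { required: false }) || 'sts.amazonaws.com';` in the first hunk, or failing fast with `core.setFailed` when the input is blank on the OIDC path. The body of `run()` continues outside both hunks.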
@@ -82,6 +82,7 @@ The default session duration is 1 hour when using the OIDC provider to directly
 The default session duration is 6 hours when using an IAM User to assume an IAM Role (by providing an `aws-access-key-id`, `aws-secret-access-key`, and a `role-to-assume`) .
 If you would like to adjust this you can pass a duration to `role-duration-seconds`, but the duration cannot exceed the maximum that was defined when the IAM Role was created.
 The default session name is GitHubActions, and you can modify it by specifying the desired name in `role-session-name`.
+The default audience is `sts.amazonaws.com` which you can replace by specifying the desired audience name in `audience`.
 
 The following table describes which identity is used based on which values are supplied to the Action:
 
@@ -98,7 +99,6 @@ The following table describes which identity is used based on which values are s
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        audience: sts.amazonaws.com
         aws-region: us-east-2
         role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
         role-session-name: MySessionName
@@ -109,7 +109,6 @@ In this example, the Action will load the OIDC token from the GitHub-provided en
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        audience: sts.amazonaws.com
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: us-east-2
@@ -120,6 +119,19 @@ In this example, the Action will load the OIDC token from the GitHub-provided en
 ```
 In this example, the secret `AWS_ROLE_TO_ASSUME` contains a string like `arn:aws:iam::123456789100:role/my-github-actions-role`. To assume a role in the same account as the static credentials, you can simply specify the role name, like `role-to-assume: my-github-actions-role`.
 
+```yaml
+    - name: Configure AWS Credentials for Beta Customers
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        audience: beta-customers
+        aws-region: us-east-3
+        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
+        role-session-name: MySessionName
+```
+In this example, the audience has been changed from the default to use a different audience name `beta-customers`. This can help ensure that the role can only affect those AWS accounts whose GitHub OIDC providers have explicitly opted in to the `beta-customers` label.
+
+Changing the default audience may be necessary when using non-default [AWS partitions](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).
+
 ### Sample IAM Role CloudFormation Template
 ```yaml
 Parameters:

From 79fafe359f762e93a44ff9c5c811dab2bfee6725 Mon Sep 17 00:00:00 2001
From: peterwoodworth
Date: Thu, 21 Jul 2022 11:09:28 -0700
Subject: [PATCH 3/3] remove unused variable

---
 index.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/index.js b/index.js
index 9966a42c9..81448dde1 100644
--- a/index.js
+++ b/index.js
@@ -19,7 +19,6 @@ async function assumeRole(params) {
   const isDefined = i => !!i;
 
   const {
-    audience,
     sourceAccountId,
     roleToAssume,
     roleExternalId,