Skip to content

Commit

Permalink
chore(GHA): allow OIDC aws credentials
Browse files Browse the repository at this point in the history
  • Loading branch information
dougch committed Oct 15, 2024
1 parent 7752afb commit 73627aa
Show file tree
Hide file tree
Showing 6 changed files with 69 additions and 50 deletions.
16 changes: 12 additions & 4 deletions .github/actions/duvet/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html

### `aws-access-key-id: ''`

An AWS access key. The corresponding user must have S3 write permissions.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `aws-secret-access-key: ''`

The AWS secret key.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `role-to-assume: ''`

For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `role-session-name: ''`

For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `aws-s3-bucket-name: ''`

Expand Down Expand Up @@ -52,8 +60,8 @@ jobs:
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
role-session-name: GithubActionSession
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
Expand Down
14 changes: 7 additions & 7 deletions .github/actions/duvet/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,11 @@ inputs:
report-path:
description: 'Path to generated Duvet report output'
required: false
aws-access-key-id:
description: 'AWS access key ID with S3 permissions'
role-to-assume:
description: 'Role to assume for OpenID Connect'
required: true
aws-secret-access-key:
description: 'AWS secret key'
role-session-name:
description: 'Role session name for OpenID Connect'
required: true
aws-s3-bucket-name:
description: 'Destination S3 bucket name for duvet reports'
Expand Down Expand Up @@ -46,11 +46,11 @@ runs:
shell: bash
run: ${{ inputs.report-script }} ${{ github.sha }}

- uses: aws-actions/configure-aws-credentials@v1.6.1
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
role-to-assume: ${{ inputs.role-to-assume}}
role-session-name: ${{ inputs.role-session-name}}
aws-region: ${{ inputs.aws-s3-region }}

- name: Upload to S3
Expand Down
7 changes: 4 additions & 3 deletions .github/workflows/book.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ env:
permissions:
contents: write
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
build-deploy:
Expand Down Expand Up @@ -48,9 +49,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHABookSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down
44 changes: 23 additions & 21 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
env:
Expand Down Expand Up @@ -164,9 +165,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHADocSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -350,10 +351,10 @@ jobs:
with:
report-script: ./scripts/compliance
report-path: ./target/compliance/report.html
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAComplianceSession
aws-s3-region: us-west-2
aws-s3-bucket-name: s2n-quic-ci-artifacts
aws-s3-region: us-west-1
cdn: $CDN

coverage:
Expand Down Expand Up @@ -385,9 +386,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHACoverageSession
aws-region: us-west-2

- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -497,9 +498,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHARecoverySession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -542,9 +543,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHASimsSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -649,9 +650,10 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHATimingSession
aws-region: us-west-2


- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -744,9 +746,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHADhatSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down
25 changes: 13 additions & 12 deletions .github/workflows/qns.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
env:
Expand Down Expand Up @@ -213,9 +214,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAInteropSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -305,9 +306,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAInteropReportSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -408,9 +409,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHABenchSession
aws-region: us-west-2

- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -556,9 +557,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAPerfReportSession
aws-region: us-west-2

- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down
13 changes: 10 additions & 3 deletions .github/workflows/tshark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,13 @@ on:
default: '3.7.1'
type: string

# Updating status is relatively safe (doesnt modify source code) and caution
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC


jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -48,9 +55,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHADocSession
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down

0 comments on commit 73627aa

Please sign in to comment.