chore(GHA): allow OIDC aws credentials #2350

Merged: 4 commits, Oct 18, 2024
16 changes: 12 additions & 4 deletions .github/actions/duvet/README.md
@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html

### `aws-access-key-id: ''`

An AWS access key. The corresponding user must have S3 write permissions.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `aws-secret-access-key: ''`

The AWS secret key.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `role-to-assume: ''`

For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `role-session-name: ''`

For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `aws-s3-bucket-name: ''`

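Review bot: the README keeps `aws-access-key-id` and `aws-secret-access-key` as "Deprecated" sections, but the action.yml change in this same PR deletes those inputs outright instead of leaving them declared with `required: false`, so a caller that still passes them gets an "Unexpected input(s)" warning and the values are silently ignored; either keep the two inputs declared for one release or drop these two sections so the README matches the action. The `role-to-assume` section should also say that the calling workflow must grant `permissions: id-token: write` (a composite action cannot request that scope itself), and "the role attached to the IdP" would read more precisely as "the IAM role whose trust policy allows the GitHub OIDC provider".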
@@ -52,8 +60,8 @@ jobs:
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
role-session-name: GithubActionSession
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
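Review bot: the example `role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole` has a 9-digit account ID; AWS account IDs are 12 digits, so use an obviously fake 12-digit placeholder such as `123456789012` so nobody copies a malformed ARN. The example also omits the `permissions: id-token: write` line the caller needs for the OIDC token request; showing it beside the `with:` block is where a reader will look for it.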
14 changes: 7 additions & 7 deletions .github/actions/duvet/action.yml
@@ -7,11 +7,11 @@ inputs:
report-path:
description: 'Path to generated Duvet report output'
required: false
aws-access-key-id:
description: 'AWS access key ID with S3 permissions'
role-to-assume:
description: 'Role to assume for OpenID Connect'
required: true
aws-secret-access-key:
description: 'AWS secret key'
role-session-name:
description: 'Role session name for OpenID Connect'
required: true
aws-s3-bucket-name:
description: 'Destination S3 bucket name for duvet reports'
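Review bot: making `role-to-assume` and `role-session-name` `required: true` while deleting the key-based inputs means a caller still on the old inputs fails at workflow parse time rather than with a deprecation message; acceptable for an internal action, but the README in this PR still documents the old inputs as "Deprecated", so the two should agree. Consider giving `role-session-name` a `default:` (for example a fixed name for this action) so callers only have to supply the role ARN.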
@@ -46,11 +46,11 @@ runs:
shell: bash
run: ${{ inputs.report-script }} ${{ github.sha }}

- uses: aws-actions/configure-aws-credentials@v1.6.1
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
role-to-assume: ${{ inputs.role-to-assume}}
role-session-name: ${{ inputs.role-session-name}}
aws-region: ${{ inputs.aws-s3-region }}

- name: Upload to S3
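Review bot: `${{ inputs.role-to-assume}}` and `${{ inputs.role-session-name}}` are missing the space before `}}`; they evaluate fine but differ from `${{ inputs.aws-s3-region }}` two lines below, so match the style. Since the action reference is being bumped anyway (`v1.6.1` to `v4.0.2`), consider pinning `aws-actions/configure-aws-credentials` to the full commit SHA of that tag with the version in a trailing comment: a tag is mutable, and this is the step that mints cloud credentials.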
7 changes: 4 additions & 3 deletions .github/workflows/book.yml
@@ -19,6 +19,7 @@ env:
permissions:
contents: write
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
build-deploy:
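Review bot: `id-token: write` is added at the workflow level, so every job in book.yml can request an OIDC token even though only the job running `configure-aws-credentials` needs one. A job-level `permissions:` block on `build-deploy` keeps the rest of the workflow at the narrower default, which is the caution the ci.yml comment asks for before adding permissions.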
@@ -48,9 +49,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
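Review bot: the `if:` keeps this step running for same-repository pull requests, and for `pull_request` events the token's `sub` claim is `repo:<owner>/<repo>:pull_request` rather than a `ref:` subject. The trust policy on `GitHubOIDCRole` therefore has to allow both that subject and `repo:<owner>/<repo>:ref:refs/heads/<branch>` for pushes, otherwise the PR path fails at `AssumeRoleWithWebIdentity` while pushes succeed; a short comment here pointing at the trust policy would save the next person the debugging.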
44 changes: 23 additions & 21 deletions .github/workflows/ci.yml
@@ -28,6 +28,7 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
env:
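Review bot: a workflow-level `id-token: write` grants the OIDC token to every job in ci.yml, including the jobs that never touch AWS; scoping it to the jobs that run `configure-aws-credentials` is the least-privilege option and is consistent with the comment directly above asking for caution before adding permissions. While editing this block, the context comment "should we taken" could become "should be taken".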
@@ -164,9 +165,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
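Review bot: `arn:aws:iam::024603541914:role/GitHubOIDCRole` and `S2nQuicGHAS3Session` are now repeated verbatim in every upload step across ci.yml, book.yml and tshark.yml. Putting the ARN in a repository configuration variable (`${{ vars.AWS_OIDC_ROLE_ARN }}`) or a workflow-level `env:` entry makes a future role rename or account move a one-line change instead of a search-and-replace across three workflows.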
@@ -350,10 +351,10 @@ jobs:
with:
report-script: ./scripts/compliance
report-path: ./target/compliance/report.html
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-s3-region: us-west-2
aws-s3-bucket-name: s2n-quic-ci-artifacts
aws-s3-region: us-west-1
cdn: $CDN

coverage:
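Review bot: `aws-s3-region` for `s2n-quic-ci-artifacts` moves from `us-west-1` to `us-west-2` in the same hunk that switches authentication. If the bucket was not also moved to `us-west-2`, the duvet action's upload will fail with a region or endpoint error after the OIDC step has already succeeded, which is easy to misread as an OIDC problem; confirm the bucket region, or keep the region change in its own commit so one can be reverted without the other.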
@@ -385,9 +386,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
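Review bot: every job uses the same `role-session-name: S2nQuicGHAS3Session`, so the resulting `AssumeRoleWithWebIdentity` events in CloudTrail cannot be told apart by job. A session name that includes the run, for example `s2n-quic-${{ github.job }}-${{ github.run_id }}`, stays within the 64-character and `[\w+=,.@-]` limits and makes each credential use attributable to the exact workflow run.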
@@ -497,9 +498,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -542,9 +543,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -649,9 +650,10 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2


- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
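Review bot: a stray second blank line lands between the credentials step and the Upload to S3 step here (the `+650,10` count in the hunk header shows the extra line), and none of the other identical hunks have it; drop it for consistency.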
@@ -744,9 +746,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
3 changes: 1 addition & 2 deletions .github/workflows/qns.yml
@@ -30,10 +30,9 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT
id-token: write # This is required for requesting the JWT/OIDC
contents: read # This is required for actions/checkout


jobs:
env:
runs-on: ubuntu-22.04
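Review bot: only the comment text changes here, but the context line just above still reads "should we taken before adding more permissions"; since the block is being touched anyway, fix the typo in the same commit.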
13 changes: 10 additions & 3 deletions .github/workflows/tshark.yml
@@ -26,6 +26,13 @@ on:
default: '3.7.1'
type: string

# Updating status is relatively safe (doesnt modify source code) and caution
# should be taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC


jobs:
build:
runs-on: ubuntu-latest
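Review bot: the new `permissions:` block lists only `statuses: write` and `id-token: write`. Once a workflow declares any `permissions:`, every scope not listed drops to none, and the qns.yml hunk in this same PR says `contents: read` is required for `actions/checkout`; if this workflow checks out the repository, add `contents: read` here (it was implicit before the block existed) or confirm the build still passes without it. Also `doesnt` in the comment wants an apostrophe, and there is a doubled blank line before `jobs:`.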
@@ -48,9 +55,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
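Review bot: the `if:` here also covers `schedule` runs, which present the default branch's `ref:` subject rather than a `pull_request` subject; make sure the role trust policy's `sub` condition includes that ref so the scheduled run can assume the role, not only pushes and same-repo PRs.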