Merge pull request #817 from makerdao/TECH-3250-set-role

Use AWS role
makerdao · Jun 14, 2024 · 5cadc8a · 5cadc8a
2 parents eabe962 + 277e628
commit 5cadc8a
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/.github/workflows/angular-dev.yml b/.github/workflows/angular-dev.yml
@@ -8,6 +8,10 @@ on:
       - ".github/workflows/angular-dev.yml"
       - "helm/staging/frontend*"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -25,8 +29,8 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.GA_OIDC_EKS_STAGING }}
+        role-session-name: AngularDevMips
         aws-region: ${{ env.REGION }}
 
     - name: Login to AWS ECR

diff --git a/.github/workflows/angular-prod.yml b/.github/workflows/angular-prod.yml
@@ -8,6 +8,10 @@ on:
       - ".github/workflows/angular-prod.yml"
       - "helm/prod/frontend*"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -25,8 +29,8 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.GA_OIDC_EKS_PROD }}
+        role-session-name: AngularProdMips
         aws-region: ${{ env.REGION }}
 
     - name: Login to AWS ECR

diff --git a/.github/workflows/node.js-dev.yml b/.github/workflows/node.js-dev.yml
@@ -8,6 +8,10 @@ on:
       - ".github/workflows/node.js-dev.yml"
       - "helm/staging/backend*"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build-deploy:
     runs-on: ubuntu-latest
@@ -39,8 +43,8 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.GA_OIDC_EKS_STAGING }}
+        role-session-name: NodeDevMips
         aws-region: ${{ env.REGION }}
 
     - name: Login to AWS ECR

diff --git a/.github/workflows/node.js-prod.yml b/.github/workflows/node.js-prod.yml
@@ -8,6 +8,10 @@ on:
       - ".github/workflows/node.js-prod.yml"
       - "helm/prod/backend*"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build-deploy:
     runs-on: ubuntu-latest
@@ -39,8 +43,8 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.GA_OIDC_EKS_PROD }}
+        role-session-name: NodeProdMips
         aws-region: ${{ env.REGION }}
 
     - name: Login to AWS ECR