
chore(GHA): allow OIDC aws credentials (#2350)
dougch authored Oct 18, 2024
1 parent a1f4fc0 commit d9a9c50
Showing 6 changed files with 57 additions and 40 deletions.
16 changes: 12 additions & 4 deletions .github/actions/duvet/README.md
Expand Up @@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html

### `aws-access-key-id: ''`

An AWS access key. The corresponding user must have S3 write permissions.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `aws-secret-access-key: ''`

The AWS secret key.
Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)

### `role-to-assume: ''`

For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `role-session-name: ''`

For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)

### `aws-s3-bucket-name: ''`

Expand Down Expand Up @@ -52,8 +60,8 @@ jobs:
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
role-session-name: GithubActionSession
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
14 changes: 7 additions & 7 deletions .github/actions/duvet/action.yml
Expand Up @@ -7,11 +7,11 @@ inputs:
report-path:
description: 'Path to generated Duvet report output'
required: false
aws-access-key-id:
description: 'AWS access key ID with S3 permissions'
role-to-assume:
description: 'Role to assume for OpenID Connect'
required: true
aws-secret-access-key:
description: 'AWS secret key'
role-session-name:
description: 'Role session name for OpenID Connect'
required: true
aws-s3-bucket-name:
description: 'Destination S3 bucket name for duvet reports'
Expand Down Expand Up @@ -46,11 +46,11 @@ runs:
shell: bash
run: ${{ inputs.report-script }} ${{ github.sha }}

- uses: aws-actions/configure-aws-credentials@v1.6.1
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
role-to-assume: ${{ inputs.role-to-assume}}
role-session-name: ${{ inputs.role-session-name}}
aws-region: ${{ inputs.aws-s3-region }}

- name: Upload to S3
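Review bot: The inputs removed at the `aws-access-key-id:` and `aws-secret-access-key:` lines are still documented as "Deprecated" in the README changed by this same commit, yet a composite action that no longer declares an input does not silently ignore it — callers that still pass it get an "Unexpected input(s)" warning while the value is dropped; either remove the two README entries or keep the inputs declared with `required: false` for one release so existing callers are moved over deliberately. The new `${{ inputs.role-to-assume}}` and `${{ inputs.role-session-name}}` lines carry over the missing space before `}}` from the line they replace; `${{ inputs.role-to-assume }}` matches the other expressions in the file. `aws-actions/configure-aws-credentials@v4.0.2` is a mutable tag on a step that exchanges the job's OIDC token for AWS credentials; pinning `uses:` to that release's full commit SHA (placeholder: `aws-actions/configure-aws-credentials@<release-commit-sha> # v4.0.2`) removes the tag-retargeting path.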
7 changes: 4 additions & 3 deletions .github/workflows/book.yml
Expand Up @@ -19,6 +19,7 @@ env:
permissions:
contents: write
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
build-deploy:
Expand Down Expand Up @@ -48,9 +49,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
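Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in book.yml — and likewise in ci.yml and tshark.yml in this commit — may request an OIDC token, while only the job that runs `configure-aws-credentials` needs it. Placing it in a job-level `permissions:` on that job keeps the other jobs at least privilege; a job-level block replaces the workflow-level one, so `contents: write` and `statuses: write` would have to be restated there. The same hunk also changes `aws-region` from `us-west-1` to `us-west-2`, which the commit title does not mention; if that corrects the region to match the bucket, a line in the commit message would make it clear that the move is intentional. The trust policy of the assumed role is outside this diff; it is worth confirming it constrains the token's `sub` claim to this repository, since the workflow can now mint tokens for it on pull requests from the same repository.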
44 changes: 23 additions & 21 deletions .github/workflows/ci.yml
Expand Up @@ -28,6 +28,7 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC

jobs:
env:
Expand Down Expand Up @@ -164,9 +165,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -350,10 +351,10 @@ jobs:
with:
report-script: ./scripts/compliance
report-path: ./target/compliance/report.html
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-s3-region: us-west-2
aws-s3-bucket-name: s2n-quic-ci-artifacts
aws-s3-region: us-west-1
cdn: $CDN

coverage:
Expand Down Expand Up @@ -385,9 +386,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -497,9 +498,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -542,9 +543,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -649,9 +650,10 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2


- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
Expand Down Expand Up @@ -744,9 +746,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
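Review bot: `role-session-name: S2nQuicGHAS3Session` is the same literal in all seven `configure-aws-credentials` hunks of this file, so the `AssumeRoleWithWebIdentity` events and the session ARNs on the resulting S3 writes in CloudTrail cannot be tied back to a particular job or run. A name that carries the run, e.g. `role-session-name: S2nQuicGHA-${{ github.run_id }}`, stays within the session-name character rules and makes each session attributable. The role ARN is likewise repeated verbatim seven times; the workflow appears to have a top-level `env:` block (the `@@ -28,6 +28,7 @@ env:` hunk header), so declaring the ARN there once and referencing `${{ env.AWS_ROLE_ARN }}` in each step would leave a single place to rotate the role.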
3 changes: 1 addition & 2 deletions .github/workflows/qns.yml
Expand Up @@ -30,10 +30,9 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT
id-token: write # This is required for requesting the JWT/OIDC
contents: read # This is required for actions/checkout


jobs:
env:
runs-on: ubuntu-22.04
13 changes: 10 additions & 3 deletions .github/workflows/tshark.yml
Expand Up @@ -26,6 +26,13 @@ on:
default: '3.7.1'
type: string

# Updating status is relatively safe (doesnt modify source code) and caution
# should be taken before adding more permissions.
permissions:
statuses: write
id-token: write # This is required for requesting the JWT/OIDC


jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -48,9 +55,9 @@ jobs:
- uses: aws-actions/[email protected]
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2

- name: Upload to S3
if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
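Review bot: The new `permissions:` block declares only `statuses: write` and `id-token: write`; once any scope is listed, every undeclared scope of the `GITHUB_TOKEN` drops to `none`, so if the `build` job (its steps are outside this hunk) checks out the repository with that token it may now fail — qns.yml in this same commit carries `contents: read # This is required for actions/checkout` for exactly that reason, and the same line likely belongs here. The copied comment has a typo, `doesnt` → `doesn't`. Two blank lines separate the block from `jobs:`; one is enough.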
