Chore: Update GitHub actions to use assumed role (#1770)

* Chore: Update GitHub actions to use assumed role * fix: pass aws-role-arn as secret * pr feedback: pass required field to all workflows * pr feedback: remove secret and access key, migrate to assumed role
mbta · Oct 18, 2023 · 405df60 · 405df60
1 parent 3c2993d
commit 405df60
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 22 deletions.
diff --git a/.github/workflows/deploy-auto.yml b/.github/workflows/deploy-auto.yml
@@ -11,8 +11,7 @@ jobs:
     with:
       deployment-env: dev
     secrets:
-      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
       docker-repo: ${{ secrets.DOCKER_REPO }}
 
   notify:

diff --git a/.github/workflows/deploy-manual.yml b/.github/workflows/deploy-manual.yml
@@ -17,8 +17,7 @@ jobs:
     with:
       deployment-env: ${{ github.event.inputs.env }}
     secrets:
-      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
       docker-repo: ${{ secrets.DOCKER_REPO }}
 
   notify:

diff --git a/.github/workflows/deploy-pr.yml b/.github/workflows/deploy-pr.yml
@@ -23,8 +23,7 @@ jobs:
     with:
       deployment-env: ${{ contains(github.event.pull_request.labels.*.name, 'dev-green') && 'dev-green' || 'dev-blue' }} # env not valid here either
     secrets:
-      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
       docker-repo: ${{ secrets.DOCKER_REPO }}
 
   notify:

diff --git a/.github/workflows/deploy-release.yml b/.github/workflows/deploy-release.yml
@@ -13,10 +13,9 @@ jobs:
       deployment-env: prod
       extra-docker-tag: ${{ github.event.release.tag_name }}
     secrets:
-      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
       docker-repo: ${{ secrets.DOCKER_REPO }}
- 
+
   notify:
     needs: [release]
     uses: ./.github/workflows/use-notify-slack.yml

diff --git a/.github/workflows/use-deploy-ecs.yml b/.github/workflows/use-deploy-ecs.yml
@@ -13,12 +13,9 @@ on:
         required: false
         description: "Additional tag to apply to the docker image"
     secrets:
-      aws-access-key-id:
+      aws-role-arn:
         required: true
-        description: "AWS_ACCESS_KEY_ID value"
-      aws-secret-access-key:
-        required: true
-        description: "AWS_SECRET_ACCESS_KEY value"
+        description: "AWS_ROLE_ARN value"
       docker-repo:
         required: true
         description: "The Docker repository to upload the docker image to, formatted '....amazonaws.com/<app>'"
@@ -34,12 +31,20 @@ concurrency:
 jobs:
   deploy:
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
     environment:
       name: ${{ inputs.deployment-env }}
       url: ${{ inputs.deployment-env == 'prod' && 'https://www.mbta.com' || format('https://{0}.mbtace.com', inputs.deployment-env) }}
     outputs:
       deployment-env: ${{ inputs.deployment-env }}
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.aws-role-arn }}
+          aws-region: us-east-1
       - run: |
           echo "inputs: ${{ toJson(inputs) }}"
 
@@ -60,8 +65,6 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ${{ secrets.docker-repo }}
-          username: ${{ secrets.aws-access-key-id }}
-          password: ${{ secrets.aws-secret-access-key }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -76,9 +79,6 @@ jobs:
 
       - name: Upload assets from image into s3
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.aws-access-key-id }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.aws-secret-access-key }}
-          AWS_DEFAULT_REGION: us-east-1
           AWS_DEFAULT_OUTPUT: json
         run: |
           bash upload_assets.sh assets-image
@@ -93,10 +93,8 @@ jobs:
           cache-from: type=gha,src=/tmp/.buildx-cache
           cache-to: type=gha,dest=/tmp/.buildx-cache,mode=max
 
-      - uses: mbta/actions/deploy-ecs@v1
+      - uses: mbta/actions/deploy-ecs@v2
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
           ecs-cluster: dotcom
           ecs-service: dotcom-${{ inputs.deployment-env }}
           docker-tag: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}