Skip to content

Commit ae3f334

Browse files
aaronchung-bitquillaaronchung-bitquill
committed
chore: github workflows to use OIDC to assume IAM role
1 parent a231420 commit ae3f334

5 files changed

Lines changed: 61 additions & 96 deletions

File tree

.github/workflows/autoscaling_tests.yml

Lines changed: 13 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ name: Autoscaling Tests
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
id-token: write # This is required for requesting the JWT
8+
contents: read # This is required for actions/checkout
9+
610
jobs:
711
run-autoscaling-tests:
812
name: Run Autoscaling Tests
@@ -27,35 +31,24 @@ jobs:
2731
run: poetry install
2832

2933
- name: 'Configure AWS Credentials'
30-
uses: aws-actions/configure-aws-credentials@v1
34+
id: creds
35+
uses: aws-actions/configure-aws-credentials@v4
3136
with:
32-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
33-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
37+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
38+
role-session-name: python_autoscaling_tests
39+
role-duration-seconds: 21600
3440
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
35-
36-
- name: 'Set up Temp AWS Credentials'
37-
run: |
38-
creds=($(aws sts get-session-token \
39-
--duration-seconds 21600 \
40-
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
41-
--output text \
42-
| xargs));
43-
echo "::add-mask::${creds[0]}"
44-
echo "::add-mask::${creds[1]}"
45-
echo "::add-mask::${creds[2]}"
46-
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
47-
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
48-
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
41+
output-credentials: true
4942

5043
- name: 'Run Autoscaling Tests'
5144
run: |
5245
./gradlew --no-parallel --no-daemon test-autoscaling --info
5346
env:
5447
RDS_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
5548
AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
56-
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
57-
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
58-
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
49+
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
50+
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
51+
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
5952

6053
- name: 'Archive results'
6154
if: always()

.github/workflows/integration_tests.yml

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,10 @@ on:
66
branches:
77
- main
88

9+
permissions:
10+
id-token: write # This is required for requesting the JWT
11+
contents: read # This is required for actions/checkout
12+
913
jobs:
1014
build-integration-tests:
1115
name: Run Integration Tests
@@ -36,35 +40,24 @@ jobs:
3640
run: poetry install
3741

3842
- name: 'Configure AWS Credentials'
43+
id: creds
3944
uses: aws-actions/configure-aws-credentials@v4
4045
with:
41-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
42-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
46+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
47+
role-session-name: python_integration_tests
48+
role-duration-seconds: 21600
4349
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
44-
45-
- name: 'Set up Temp AWS Credentials'
46-
run: |
47-
creds=($(aws sts get-session-token \
48-
--duration-seconds 21600 \
49-
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
50-
--output text \
51-
| xargs));
52-
echo "::add-mask::${creds[0]}"
53-
echo "::add-mask::${creds[1]}"
54-
echo "::add-mask::${creds[2]}"
55-
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
56-
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
57-
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
50+
output-credentials: true
5851

5952
- name: 'Run Integration Tests'
6053
run: |
6154
./gradlew --no-parallel --no-daemon test-python-${{ matrix.python-version }}-${{ matrix.environment }} --info
6255
env:
6356
RDS_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
6457
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
65-
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
66-
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
67-
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
58+
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
59+
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
60+
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
6861
AURORA_MYSQL_DB_ENGINE_VERSION: ${{ matrix.engine-version }}
6962
AURORA_PG_ENGINE_VERSION: ${{ matrix.engine-version }}
7063

.github/workflows/integration_tests_codebuild.yml

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ name: Integration Tests CodeBuild
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
id-token: write # This is required for requesting the JWT
8+
contents: read # This is required for actions/checkout
9+
610
jobs:
711
build-integration-tests-codebuild:
812
name: Run Integration Tests With CodeBuild
@@ -34,35 +38,24 @@ jobs:
3438
run: poetry install
3539

3640
- name: 'Configure AWS Credentials'
41+
id: creds
3742
uses: aws-actions/configure-aws-credentials@v4
3843
with:
39-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
40-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
44+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
45+
role-session-name: python_integration_codebuild_tests
46+
role-duration-seconds: 21600
4147
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
42-
43-
- name: 'Set up Temp AWS Credentials'
44-
run: |
45-
creds=($(aws sts get-session-token \
46-
--duration-seconds 21600 \
47-
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
48-
--output text \
49-
| xargs));
50-
echo "::add-mask::${creds[0]}"
51-
echo "::add-mask::${creds[1]}"
52-
echo "::add-mask::${creds[2]}"
53-
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
54-
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
55-
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
48+
output-credentials: true
5649

5750
- name: 'Run Integration Tests'
5851
run: |
5952
./gradlew --no-parallel --no-daemon test-python-${{ matrix.python-version }}-${{ matrix.environment }} --info
6053
env:
6154
RDS_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
6255
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
63-
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
64-
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
65-
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
56+
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
57+
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
58+
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
6659
RDS_ENDPOINT: ${{ secrets.RDS_ENDPOINT }}
6760
AURORA_MYSQL_DB_ENGINE_VERSION: "latest"
6861
AURORA_PG_ENGINE_VERSION: "latest"

.github/workflows/mysql_performance_tests.yml

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ name: MySQL Performance Tests
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
id-token: write # This is required for requesting the JWT
8+
contents: read # This is required for actions/checkout
9+
610
jobs:
711
build-performance-tests:
812
name: Run Performance Tests on MySQL
@@ -29,35 +33,24 @@ jobs:
2933
run: poetry install
3034

3135
- name: 'Configure AWS Credentials'
36+
id: creds
3237
uses: aws-actions/configure-aws-credentials@v4
3338
with:
34-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
35-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
39+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
40+
role-session-name: python_mysql_perf_tests
41+
role-duration-seconds: 21600
3642
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
37-
38-
- name: 'Set up Temp AWS Credentials'
39-
run: |
40-
creds=($(aws sts get-session-token \
41-
--duration-seconds 21600 \
42-
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
43-
--output text \
44-
| xargs));
45-
echo "::add-mask::${creds[0]}"
46-
echo "::add-mask::${creds[1]}"
47-
echo "::add-mask::${creds[2]}"
48-
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
49-
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
50-
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
43+
output-credentials: true
5144

5245
- name: 'Run MySQL Performance Tests'
5346
run: |
5447
./gradlew --no-parallel --no-daemon test-mysql-aurora-performance --info
5548
env:
5649
RDS_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
5750
AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
58-
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
59-
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
60-
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
51+
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
52+
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
53+
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
6154
AURORA_MYSQL_DB_ENGINE_VERSION: "lts"
6255
AURORA_PG_ENGINE_VERSION: "lts"
6356

.github/workflows/pg_performance_tests.yml

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ name: PG Performance Tests
33
on:
44
workflow_dispatch:
55

6+
permissions:
7+
id-token: write # This is required for requesting the JWT
8+
contents: read # This is required for actions/checkout
9+
610
jobs:
711
build-performance-tests:
812
name: Run Performance Tests on PG
@@ -27,35 +31,24 @@ jobs:
2731
run: poetry install
2832

2933
- name: 'Configure AWS Credentials'
34+
id: creds
3035
uses: aws-actions/configure-aws-credentials@v4
3136
with:
32-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
33-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
37+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
38+
role-session-name: python_pg_perf_tests
39+
role-duration-seconds: 21600
3440
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
35-
36-
- name: 'Set up Temp AWS Credentials'
37-
run: |
38-
creds=($(aws sts get-session-token \
39-
--duration-seconds 21600 \
40-
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
41-
--output text \
42-
| xargs));
43-
echo "::add-mask::${creds[0]}"
44-
echo "::add-mask::${creds[1]}"
45-
echo "::add-mask::${creds[2]}"
46-
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
47-
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
48-
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
41+
output-credentials: true
4942

5043
- name: 'Run PG Performance Tests'
5144
run: |
5245
./gradlew --no-parallel --no-daemon test-pg-aurora-performance --info
5346
env:
5447
RDS_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
5548
AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
56-
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
57-
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
58-
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
49+
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
50+
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
51+
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
5952
AURORA_MYSQL_DB_ENGINE_VERSION: "lts"
6053
AURORA_PG_ENGINE_VERSION: "lts"
6154

0 commit comments

Comments
 (0)