chore(GHA): allow OIDC aws credentials

aws · Oct 14, 2024 · d382764 · d382764
1 parent 7752afb
commit d382764
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 50 deletions.
diff --git a/.github/actions/duvet/README.md b/.github/actions/duvet/README.md
@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html
 
 ### `aws-access-key-id: ''`
 
-An AWS access key. The corresponding user must have S3 write permissions.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
 
 ### `aws-secret-access-key: ''`
 
-The AWS secret key.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+
+### `role-to-assume: ''`
+
+For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+
+### `role-session-name: ''`
+
+For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 ### `aws-s3-bucket-name: ''`
 
@@ -52,8 +60,8 @@ jobs:
  with:
  s2n-quic-dir: ./s2n-quic
  report-script: compliance/generate_report.sh
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
+ role-session-name: GithubActionSession
  aws-s3-bucket-name: s2n-tls-ci-artifacts
  aws-s3-region: us-west-2
  cdn: https://d3fqnyekunr9xg.cloudfront.net

diff --git a/.github/actions/duvet/action.yml b/.github/actions/duvet/action.yml
@@ -7,11 +7,11 @@ inputs:
  report-path:
  description: 'Path to generated Duvet report output'
  required: false
- aws-access-key-id:
- description: 'AWS access key ID with S3 permissions'
+ role-to-assume:
+ description: 'Role to assume for OpenID Connect'
  required: true
- aws-secret-access-key:
- description: 'AWS secret key'
+ role-session-name:
+ description: 'Role session name for OpenID Connect'
  required: true
  aws-s3-bucket-name:
  description: 'Destination S3 bucket name for duvet reports'
@@ -46,11 +46,11 @@ runs:
  shell: bash
  run: ${{ inputs.report-script }} ${{ github.sha }}
 
- - uses: aws-actions/configure-aws-credentials@v1.6.1
+ - uses: aws-actions/configure-aws-credentials@v4.0.2
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ inputs.aws-access-key-id }}
- aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
+ role-to-assume: ${{ inputs.role-to-assume}}
+ role-session-name: ${{ inputs.role-session-name}}
  aws-region: ${{ inputs.aws-s3-region }}
 
  - name: Upload to S3

diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
@@ -48,9 +48,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHABookSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -164,9 +164,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHADocSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -350,10 +350,10 @@ jobs:
  with:
  report-script: ./scripts/compliance
  report-path: ./target/compliance/report.html
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAComplianceSession
+ aws-s3-region: us-west-2
  aws-s3-bucket-name: s2n-quic-ci-artifacts
- aws-s3-region: us-west-1
  cdn: $CDN
 
  coverage:
@@ -385,9 +385,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHACoverageSession
+ aws-region: us-west-2
 
  - name: Upload results
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -497,9 +497,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHARecoverySession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -542,9 +542,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHASimsSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -649,9 +649,10 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHATimingSession
+ aws-region: us-west-2
+
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -744,9 +745,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHADhatSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
@@ -213,9 +213,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAInteropSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -305,9 +305,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAInteropReportSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -408,9 +408,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHABenchSession
+ aws-region: us-west-2
 
  - name: Upload results
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -556,9 +556,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAPerfReportSession
+ aws-region: us-west-2
 
  - name: Upload results
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml
@@ -48,9 +48,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHADocSession
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name