From 73627aaafee702f2d385fed7d37110a445bf04b7 Mon Sep 17 00:00:00 2001
From: Doug Chapman
Date: Fri, 11 Oct 2024 19:07:13 +0000
Subject: [PATCH 1/3] chore(GHA): allow OIDC aws credentials

---
 .github/actions/duvet/README.md | 16 +++++++++---
 .github/actions/duvet/action.yml | 14 +++++-----
 .github/workflows/book.yml | 7 ++---
 .github/workflows/ci.yml | 44 +++++++++++++++++---------------
 .github/workflows/qns.yml | 25 +++++++++---------
 .github/workflows/tshark.yml | 13 +++++++---
 6 files changed, 69 insertions(+), 50 deletions(-)

diff --git a/.github/actions/duvet/README.md b/.github/actions/duvet/README.md
index 799290c272..8c90a203e7 100644
--- a/.github/actions/duvet/README.md
+++ b/.github/actions/duvet/README.md
@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html
 
 ### `aws-access-key-id: ''`
 
-An AWS access key. The corresponding user must have S3 write permissions.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
 
 ### `aws-secret-access-key: ''`
 
-The AWS secret key.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+
+### `role-to-assume: ''`
+
+For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+
+### `role-session-name: ''`
+
+For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 ### `aws-s3-bucket-name: ''`
 
@@ -52,8 +60,8 @@ jobs:
 with:
 s2n-quic-dir: ./s2n-quic
 report-script: compliance/generate_report.sh
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
+ role-session-name: GithubActionSession
 aws-s3-bucket-name: s2n-tls-ci-artifacts
 aws-s3-region: us-west-2
 cdn: https://d3fqnyekunr9xg.cloudfront.net
diff --git a/.github/actions/duvet/action.yml b/.github/actions/duvet/action.yml
index d2ecf33f46..d6885f5fe3 100644
--- a/.github/actions/duvet/action.yml
+++ b/.github/actions/duvet/action.yml
@@ -7,11 +7,11 @@ inputs:
 report-path:
 description: 'Path to generated Duvet report output'
 required: false
- aws-access-key-id:
- description: 'AWS access key ID with S3 permissions'
+ role-to-assume:
+ description: 'Role to assume for OpenID Connect'
 required: true
- aws-secret-access-key:
- description: 'AWS secret key'
+ role-session-name:
+ description: 'Role session name for OpenID Connect'
 required: true
 aws-s3-bucket-name:
 description: 'Destination S3 bucket name for duvet reports'
@@ -46,11 +46,11 @@ runs:
 shell: bash
 run: ${{ inputs.report-script }} ${{ github.sha }}
 
- - uses: aws-actions/configure-aws-credentials@v1.6.1
+ - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ inputs.aws-access-key-id }}
- aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
+ role-to-assume: ${{ inputs.role-to-assume}}
+ role-session-name: ${{ inputs.role-session-name}}
 aws-region: ${{ inputs.aws-s3-region }}
 
 - name: Upload to S3
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 8c26731795..0a66f86bd7 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -19,6 +19,7 @@ env:
 permissions:
 contents: write
 statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
 build-deploy:
@@ -48,9 +49,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHABookSession
+ aws-region: us-west-2
 
 - name: Upload to S3
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
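Review bot: The README in this same commit still lists `aws-access-key-id` and `aws-secret-access-key` as "Deprecated", but this hunk deletes both from `inputs:`, so a caller that keeps passing them only gets GitHub's unexpected-input warning while the README implies they are still accepted; either keep them declared as `required: false` with `description: 'Deprecated, no longer used; see role-to-assume'`, or word the README as removed. A composite action cannot request token permissions for itself, so the `role-to-assume` description should tell callers that their workflow must grant `id-token: write` (the ci.yml hunk in this series does so) or the assume-role step runs with no token to exchange. As far as I know `required: true` on a composite-action input is only reported as a warning when the caller omits it, so do not rely on it to fail a misconfigured caller.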
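Review bot: The new `- uses: aws-actions/configure-aws-credentials@v4.0.2` line still pins the credential-minting step to a mutable tag; for a step that exchanges the repository's OIDC token for an AWS role, pinning to the release's full commit SHA, `uses: aws-actions/configure-aws-credentials@<commit-sha-of-v4.0.2> # v4.0.2`, is the usual supply-chain hardening, and the same tag is referenced by every `configure-aws-credentials` step in the workflows touched here. The two new expressions `${{ inputs.role-to-assume}}` and `${{ inputs.role-session-name}}` carry over the missing space before `}}` from the removed `aws-secret-access-key` line; `${{ inputs.role-to-assume }}` matches the `aws-region` line below. The `runs:` step list continues outside the hunk.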
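Review bot: `id-token: write` is granted at the workflow level, so every job in book.yml can request an OIDC token although, as far as this diff shows, only the job with the `configure-aws-credentials` step assumes `GitHubOIDCRole`; a job-level `permissions:` block on that job (restating `contents: write` and `statuses: write`, since a job-level block replaces the workflow-level one) keeps the token scoped to where it is used. The same workflow-level grant appears in the ci.yml, qns.yml and tshark.yml hunks, and ci.yml and qns.yml contain many jobs that never upload to S3. The added comment could also name the consumer, e.g. `# Required by aws-actions/configure-aws-credentials to exchange the GitHub OIDC token for the S3 upload role`.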
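Review bot: `aws-region` moves from `us-west-1` to `us-west-2` on the same lines that swap the credentials, which is a behavioural change the subject line (`chore(GHA): allow OIDC aws credentials`) does not mention; the `Upload to S3` step that depends on it starts outside this hunk, so if the region change is intentional the commit message should say why, and if the bucket is not in `us-west-2` this is where uploads would start failing. The role ARN `arn:aws:iam::024603541914:role/GitHubOIDCRole` is also repeated verbatim in every `configure-aws-credentials` step across book.yml, ci.yml, qns.yml and tshark.yml; a repository configuration variable, `role-to-assume: ${{ vars.AWS_OIDC_ROLE_ARN }}` (variable name constructed), gives one place to rotate or re-point the role instead of a dozen edits.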
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13dce05494..919ffa3b54 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ env:
 # should we taken before adding more permissions.
 permissions:
 statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
 env:
@@ -164,9 +165,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHADocSession
+ aws-region: us-west-2
 
 - name: Upload to S3
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -350,10 +351,10 @@ jobs:
 with:
 report-script: ./scripts/compliance
 report-path: ./target/compliance/report.html
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAComplianceSession
+ aws-s3-region: us-west-2
 aws-s3-bucket-name: s2n-quic-ci-artifacts
- aws-s3-region: us-west-1
 cdn: $CDN
 
 coverage:
@@ -385,9 +386,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHACoverageSession
+ aws-region: us-west-2
 
 - name: Upload results
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -497,9 +498,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2nQuicGHARecoverySession + aws-region: us-west-2 - name: Upload to S3 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name @@ -542,9 +543,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2nQuicGHASimsSession + aws-region: us-west-2 - name: Upload to S3 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name @@ -649,9 +650,10 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2nQuicGHATimingSession + aws-region: us-west-2 + - name: Upload to S3 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name 
@@ -744,9 +746,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHADhatSession
+ aws-region: us-west-2
 
 - name: Upload to S3
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 32ba590f50..6f91093b86 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,6 +30,7 @@ env:
 # should we taken before adding more permissions.
 permissions:
 statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
 env:
@@ -213,9 +214,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAInteropSession
+ aws-region: us-west-2
 
 - name: Upload to S3
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -305,9 +306,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAInteropReportSession
+ aws-region: us-west-2
 
 - name: Upload to S3
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -408,9 +409,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHABenchSession
+ aws-region: us-west-2
 
 - name: Upload results
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -556,9 +557,9 @@ jobs:
 - uses: aws-actions/configure-aws-credentials@v4.0.2
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAPerfReportSession
+ aws-region: us-west-2
 
 - name: Upload results
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml
index cf9099cd76..dd507e19d2 100644
--- a/.github/workflows/tshark.yml
+++ b/.github/workflows/tshark.yml
@@ -26,6 +26,13 @@ on: default: '3.7.1' type: string +# Updating status is relatively safe (doesnt modify source code) and caution +# should we taken before adding more permissions. +permissions: + statuses: write + id-token: write # This is required for requesting the JWT/OIDC + + jobs: build: runs-on: ubuntu-latest @@ -48,9 +55,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2nQuicGHADocSession + aws-region: us-west-2 - name: Upload to S3 if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name From b16d4959c3541774ebb4646b204c0f4195810e6b Mon Sep 17 00:00:00 2001 From: Doug Chapman <54039637+dougch@users.noreply.github.com> Date: Wed, 16 Oct 2024 10:38:09 -0700 Subject: [PATCH 2/3] Update .github/workflows/tshark.yml Co-authored-by: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com> --- .github/workflows/tshark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml index dd507e19d2..403163338a 100644 --- a/.github/workflows/tshark.yml +++ b/.github/workflows/tshark.yml @@ -27,7 +27,7 @@ on: type: string # Updating status is relatively safe (doesnt modify source code) and caution -# should we taken before adding more permissions. +# should be taken before adding more permissions. permissions: statuses: write id-token: write # This is required for requesting the JWT/OIDC From b6dc432f15b4a9a94841a7d08a9171875b27c1ad Mon Sep 17 00:00:00 2001 
From: Doug Chapman
Date: Wed, 16 Oct 2024 19:18:42 +0000
Subject: [PATCH 3/3] PR feedback; use the same session name

---
 .github/workflows/book.yml | 2 +-
 .github/workflows/ci.yml | 14 +++++++-------
 .github/workflows/qns.yml | 8 ++++----
 .github/workflows/tshark.yml | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 0a66f86bd7..b942cc2c9b 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -50,7 +50,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHABookSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 919ffa3b54..63c5e22a2f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -166,7 +166,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHADocSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
@@ -352,7 +352,7 @@ jobs:
 report-script: ./scripts/compliance
 report-path: ./target/compliance/report.html
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHAComplianceSession
+ role-session-name: S2nQuicGHAS3Session
 aws-s3-region: us-west-2
 aws-s3-bucket-name: s2n-quic-ci-artifacts
 cdn: $CDN
@@ -387,7 +387,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHACoverageSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload results
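Review bot: Collapsing every `role-session-name` to `S2nQuicGHAS3Session` drops the per-workflow attribution the first patch had: the session name is embedded in the assumed-role principal (`arn:aws:sts::024603541914:assumed-role/GitHubOIDCRole/S2nQuicGHAS3Session`) that CloudTrail and S3 server access logs record, so with one shared value an S3 write can no longer be tied to the book, coverage, interop or tshark job without cross-referencing GitHub run logs. If the aim is a single value to maintain, a derived name keeps both properties, e.g. `role-session-name: S2nQuicGHA-${{ github.job }}` (job ids use only letters, digits, `-` and `_`, which fall inside the character set STS accepts for session names, though the 64-character limit should be checked against the longest job id). The same rename is repeated in the ci.yml, qns.yml and tshark.yml hunks of this patch, and if the role's trust policy conditions on `sts:RoleSessionName` it has to be updated to match whichever scheme is chosen.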
@@ -499,7 +499,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHARecoverySession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
@@ -544,7 +544,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHASimsSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
@@ -651,7 +651,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHATimingSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 
@@ -747,7 +747,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHADhatSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 6f91093b86..e3aafaa90e 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -215,7 +215,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHAInteropSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
@@ -307,7 +307,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHAInteropReportSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3
@@ -410,7 +410,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHABenchSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload results
@@ -558,7 +558,7 @@ jobs:
 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHAPerfReportSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload results
diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml
index 403163338a..533b13915a 100644
--- a/.github/workflows/tshark.yml
+++ b/.github/workflows/tshark.yml
@@ -56,7 +56,7 @@ jobs:
 if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
 with:
 role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2nQuicGHADocSession
+ role-session-name: S2nQuicGHAS3Session
 aws-region: us-west-2
 
 - name: Upload to S3