aws · dougch · Oct 18, 2024 · Oct 11, 2024 · Oct 16, 2024 · Oct 16, 2024
diff --git a/.github/actions/duvet/README.md b/.github/actions/duvet/README.md
@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html
 
 ### `aws-access-key-id: ''`
 
-An AWS access key. The corresponding user must have S3 write permissions.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
 
 ### `aws-secret-access-key: ''`
 
-The AWS secret key.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+
+### `role-to-assume: ''`
+
+For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+
+### `role-session-name: ''`
+
+For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 ### `aws-s3-bucket-name: ''`
 
@@ -52,8 +60,8 @@ jobs:
  with:
  s2n-quic-dir: ./s2n-quic
  report-script: compliance/generate_report.sh
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
+ role-session-name: GithubActionSession
  aws-s3-bucket-name: s2n-tls-ci-artifacts
  aws-s3-region: us-west-2
  cdn: https://d3fqnyekunr9xg.cloudfront.net

diff --git a/.github/actions/duvet/action.yml b/.github/actions/duvet/action.yml
@@ -7,11 +7,11 @@ inputs:
  report-path:
  description: 'Path to generated Duvet report output'
  required: false
- aws-access-key-id:
- description: 'AWS access key ID with S3 permissions'
+ role-to-assume:
+ description: 'Role to assume for OpenID Connect'
  required: true
- aws-secret-access-key:
- description: 'AWS secret key'
+ role-session-name:
+ description: 'Role session name for OpenID Connect'
  required: true
  aws-s3-bucket-name:
  description: 'Destination S3 bucket name for duvet reports'
@@ -46,11 +46,11 @@ runs:
  shell: bash
  run: ${{ inputs.report-script }} ${{ github.sha }}
 
- - uses: aws-actions/configure-aws-credentials@v1.6.1
+ - uses: aws-actions/configure-aws-credentials@v4.0.2
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ inputs.aws-access-key-id }}
- aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
+ role-to-assume: ${{ inputs.role-to-assume}}
+ role-session-name: ${{ inputs.role-session-name}}
  aws-region: ${{ inputs.aws-s3-region }}
 
  - name: Upload to S3

diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
@@ -19,6 +19,7 @@ env:
 permissions:
  contents: write
  statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
  build-deploy:
@@ -48,9 +49,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ env:
 # should we taken before adding more permissions.
 permissions:
  statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
  env:
@@ -164,9 +165,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -350,10 +351,10 @@ jobs:
  with:
  report-script: ./scripts/compliance
  report-path: ./target/compliance/report.html
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-s3-region: us-west-2
  aws-s3-bucket-name: s2n-quic-ci-artifacts
- aws-s3-region: us-west-1
  cdn: $CDN
 
  coverage:
@@ -385,9 +386,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload results
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -497,9 +498,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -542,9 +543,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -649,9 +650,10 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
+
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -744,9 +746,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
@@ -30,10 +30,9 @@ env:
 # should we taken before adding more permissions.
 permissions:
  statuses: write
- id-token: write # This is required for requesting the JWT
+ id-token: write # This is required for requesting the JWT/OIDC
  contents: read # This is required for actions/checkout
 
-
 jobs:
  env:
  runs-on: ubuntu-22.04

diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml
@@ -26,6 +26,13 @@ on:
  default: '3.7.1'
  type: string
 
+# Updating status is relatively safe (doesnt modify source code) and caution
+# should be taken before adding more permissions.
+permissions:
+ statuses: write
+ id-token: write # This is required for requesting the JWT/OIDC
+
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -48,9 +55,9 @@ jobs:
  - uses: aws-actions/[email protected]
  if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
  with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2nQuicGHAS3Session
+ aws-region: us-west-2
 
  - name: Upload to S3
  if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name