switch to GHA role assumption for temporary credentials (#136)

* switch to GHA role assumption for temporary credentials * refresh the token before a bunch steps
dominodatalab · Mar 17, 2023 · 381187b · 381187b
1 parent 542a0c3
commit 381187b
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,14 +12,19 @@ on:
 
 jobs:
   test-build-deploy:
+    permissions:
+      id-token: write
+      contents: read
+
     runs-on: ubuntu-latest
+
     env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.DELTA_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.DELTA_ACCESS_KEY }}
       AWS_REGION: us-west-2
+
     defaults:
       run:
         working-directory: ./cdk
+
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python 3.9
@@ -51,10 +56,15 @@ jobs:
     - name: Test with pytest
       run: |
         coverage run -m pytest tests
-
     - name: Coverage report
       run: |
         coverage report
+
+    - name: Authenticate with AWS
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+        aws-region: ${{ env.AWS_REGION }}
     - name: Create/lint default config
       env:
         AWS_ACCOUNT_ID: ${{ secrets.DELTA_ACCOUNT_ID }}
@@ -94,6 +104,12 @@ jobs:
         docker login -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD quay.io
         cdk deploy --require-approval never --outputs-file outputs.json
         $(jq -r ".[].ekskubeconfigcmd" outputs.json) --kubeconfig ./kubeconfig
+
+    - name: Authenticate with AWS
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+        aws-region: ${{ env.AWS_REGION }}
     - name: Collect diagnostic data
       if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
       env:
@@ -115,6 +131,7 @@ jobs:
         kubectl get pv -o yaml > $LOG_DIR/pvs.txt
         kubectl get no -o yaml > $LOG_DIR/nodes.txt
         kubectl describe no > $LOG_DIR/nodes-described.txt
+
     - name: Setup cloudformation-only user for safe stack deletion
       if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
       working-directory: ./convert/cloudformation-only
@@ -142,6 +159,12 @@ jobs:
         terraform show -json terraform.plan | jq '.resource_changes[] | select(.change.actions[]=="delete")' | tee terraform.plan.json
         test -s terraform.plan.json && echo "Detected deletions, bailing..." && exit 1
         terraform apply -auto-approve terraform.plan
+
+    - name: Authenticate with AWS
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+        aws-region: ${{ env.AWS_REGION }}
     - name: Clean and delete stack
       if: (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
       working-directory: ./convert
@@ -155,6 +178,12 @@ jobs:
         name: Diagnostic Data
         path: ./
         retention-days: 14
+
+    - name: Authenticate with AWS
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+        aws-region: ${{ env.AWS_REGION }}
     - name: Delete stack w/CDK
       if: always() && (contains(github.event.pull_request.labels.*.name, 'deploy-test') || github.ref == 'refs/heads/master')
       working-directory: ./cdk