Replace IAM creds with role

aws · Dec 10, 2024 · 09278de · 09278de
1 parent ca83cb1
commit 09278de
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,26 +1,30 @@
 name: Deploy Components Demo App Workflow
 
 on:
+  pull_request:
+    branches:
+      - main
   push:
     branches:
       - main
       - 'release-**.x'
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+
 jobs:
   deploy:
     name: Deploy Demo App and Storybook
     runs-on: ubuntu-latest
     env:
       AWS_DEFAULT_REGION: us-east-1
       AWS_DEFAULT_OUTPUT: text
-      AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY}}
-      AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_SDK_DEV }}
+          role-session-name: deploy-react-demo-app
           aws-region: us-east-1
       - name: Checkout Package
         uses: actions/checkout@v2

diff --git a/.github/workflows/roster-integration.yml b/.github/workflows/roster-integration.yml
@@ -13,6 +13,9 @@ env:
   SAUCE_USERNAME: ${{secrets.SAUCE_USERNAME}}
   SAUCE_ACCESS_KEY: ${{secrets.SAUCE_ACCESS_KEY}}
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+
 jobs:
   integ-roster:
     name: Roster Integration Test
@@ -31,10 +34,10 @@ jobs:
       - name: Echo Job ID
         run: echo "${{ steps.create-job-id.outputs.uuid }}"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_SDK_DEV }}
+          role-session-name: integ-test
           aws-region: us-east-1
       - name: Setup Sauce Connect
         uses: saucelabs/sauce-connect-action@v1