diff --git a/.github/actions/duvet/README.md b/.github/actions/duvet/README.md
index 799290c272..8c90a203e7 100644
--- a/.github/actions/duvet/README.md
+++ b/.github/actions/duvet/README.md
@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html
 
 ### `aws-access-key-id: ''`
 
-An AWS access key. The corresponding user must have S3 write permissions.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
 
 ### `aws-secret-access-key: ''`
 
-The AWS secret key.
+Deprecated. This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+
+### `role-to-assume: ''`
+
+For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+
+### `role-session-name: ''`
+
+For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 ### `aws-s3-bucket-name: ''`
 
@@ -52,8 +60,8 @@ jobs:
         with:
           s2n-quic-dir: ./s2n-quic
           report-script: compliance/generate_report.sh
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
+          role-session-name: GithubActionSession
           aws-s3-bucket-name: s2n-tls-ci-artifacts
           aws-s3-region: us-west-2
           cdn: https://d3fqnyekunr9xg.cloudfront.net
diff --git a/.github/actions/duvet/action.yml b/.github/actions/duvet/action.yml
index d2ecf33f46..d6885f5fe3 100644
--- a/.github/actions/duvet/action.yml
+++ b/.github/actions/duvet/action.yml
@@ -7,11 +7,11 @@ inputs:
   report-path:
     description: 'Path to generated Duvet report output'
     required: false
-  aws-access-key-id:
-    description: 'AWS access key ID with S3 permissions'
+  role-to-assume:
+    description: 'Role to assume for OpenID Connect'
     required: true
-  aws-secret-access-key:
-    description: 'AWS secret key'
+  role-session-name:
+    description: 'Role session name for OpenID Connect'
     required: true
   aws-s3-bucket-name:
     description: 'Destination S3 bucket name for duvet reports'
@@ -46,11 +46,11 @@ runs:
         shell: bash
         run: ${{ inputs.report-script }} ${{ github.sha }}
 
-      - uses: aws-actions/configure-aws-credentials@v1.6.1
+      - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ inputs.aws-access-key-id }}
-          aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
+          role-to-assume: ${{ inputs.role-to-assume}}
+          role-session-name: ${{ inputs.role-session-name}}
           aws-region: ${{ inputs.aws-s3-region }}
 
       - name: Upload to S3
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 8c26731795..b942cc2c9b 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -19,6 +19,7 @@ env:
 permissions:
   contents: write
   statuses: write
+  id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
   build-deploy:
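Review bot: The new `role-to-assume` and `role-session-name` inputs only work when the calling job grants `id-token: write`, and nothing in the input descriptions says so; make the requirement visible where callers read it, e.g. `description: 'IAM role ARN to assume via OpenID Connect; the calling job must grant id-token: write'`. The README in this same commit still lists `aws-access-key-id` and `aws-secret-access-key` as "Deprecated", but this hunk deletes them from `inputs:` outright, so a caller that keeps passing them gets an unexpected-input warning rather than a deprecation notice; either keep them as `required: false` inputs with a `deprecationMessage:`, or change the README wording to "removed". `role-session-name` is `required: true` even though configure-aws-credentials supplies a default session name when none is given (worth confirming for v4.0.2), so `required: false` would spare callers from inventing one.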
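Review bot: `${{ inputs.role-to-assume}}` and `${{ inputs.role-session-name}}` carry over the missing space before `}}` from the old secret-key line; the expressions still evaluate, but every other expression in the hunk is written `${{ ... }}`, so write `role-to-assume: ${{ inputs.role-to-assume }}` and `role-session-name: ${{ inputs.role-session-name }}`. The unchanged `if:` still lets same-repository pull requests reach this step, so anyone who can push a branch can have CI assume the role; with OIDC that is only as safe as the role's trust policy, which is outside this diff and should pin the `sub` claim to this repository (and ideally to the branches that publish). The enclosing `steps:` list continues outside the hunk.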
@@ -48,9 +49,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13dce05494..63c5e22a2f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ env:
 # should we taken before adding more permissions.
 permissions:
   statuses: write
+  id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
   env:
@@ -164,9 +165,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -350,10 +351,10 @@ jobs:
         with:
           report-script: ./scripts/compliance
           report-path: ./target/compliance/report.html
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-s3-region: us-west-2
           aws-s3-bucket-name: s2n-quic-ci-artifacts
-          aws-s3-region: us-west-1
           cdn: $CDN
 
   coverage:
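Review bot: `arn:aws:iam::024603541914:role/GitHubOIDCRole` and `S2nQuicGHAS3Session` are now hard-coded in nine places (this hunk; ci.yml at @@ -164, @@ -350, @@ -385, @@ -497, @@ -542, @@ -649 and @@ -744; tshark.yml at @@ -48), so a role rename means nine edits; hoist them into the workflow-level `env:` the files already have (ci.yml reads `$CDN` from it) or a repository variable, e.g. `role-to-assume: ${{ vars.AWS_OIDC_ROLE_ARN }}`. The same hunks also move `aws-region` from us-west-1 to us-west-2, which is unrelated to the credential change; the upload steps that depend on it are outside the hunks, so confirm the destination buckets live in us-west-2 and mention the region move in the commit message. The ci.yml hunk at @@ -649 additionally adds an empty `+` line ahead of the existing blank line, leaving two consecutive blank lines where the other hunks have one.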
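Review bot: `id-token: write` at the workflow level lets every job in ci.yml request an OIDC token, while only the jobs that run configure-aws-credentials (those at @@ -164 onward) need one; the comment directly above the block asks for caution before adding permissions, so scope it per job with a job-level `permissions:` block carrying `statuses: write` and `id-token: write`, and leave the workflow default as it was. The same applies to the new workflow-level block in tshark.yml at @@ -26, and to book.yml at @@ -19 if it ever grows beyond its single `build-deploy` job. A token by itself grants nothing until the AWS trust policy accepts it, so this is least-privilege hygiene rather than an exposure, but it narrows what a compromised third-party action in an unrelated job could present to that policy.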
@@ -385,9 +386,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload results
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -497,9 +498,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -542,9 +543,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -649,9 +650,10 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
+
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -744,9 +746,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index b9ccb9aacb..ddc8b888cd 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,10 +30,9 @@ env:
 # should we taken before adding more permissions.
 permissions:
   statuses: write
-  id-token: write # This is required for requesting the JWT
+  id-token: write # This is required for requesting the JWT/OIDC
   contents: read # This is required for actions/checkout
 
-
 jobs:
   env:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/tshark.yml b/.github/workflows/tshark.yml
index cf9099cd76..533b13915a 100644
--- a/.github/workflows/tshark.yml
+++ b/.github/workflows/tshark.yml
@@ -26,6 +26,13 @@ on:
         default: '3.7.1'
         type: string
 
+# Updating status is relatively safe (doesnt modify source code) and caution
+# should be taken before adding more permissions.
+permissions:
+  statuses: write
+  id-token: write # This is required for requesting the JWT/OIDC
+
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -48,9 +55,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'schedule' || github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
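Review bot: The new top-level `permissions:` block omits `contents: read`, which qns.yml in this same commit lists with the comment `# This is required for actions/checkout`; once a `permissions:` block exists every unlisted scope is dropped, so if tshark.yml checks out the repository (its steps are outside this hunk) confirm the checkout still succeeds, and make the two files agree either way. Minor wording: `doesnt` in the first comment line should be `doesn't`. The two added blank lines before `jobs:` leave a double blank where the surrounding file uses one.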