From 5f33a67f9c444875e7e89138bc08964817489787 Mon Sep 17 00:00:00 2001
From: ivababukova
Date: Wed, 25 Oct 2023 11:38:31 +0200
Subject: [PATCH 1/4] test moving to oidc
Signed-off-by: ivababukova
---
 .github/workflows/ci.yaml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 68d5daf3d..46a4f50f7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -216,13 +216,13 @@ jobs:
 IMAGE_REPO_NAME=$(echo $GITHUB_REPOSITORY | awk -F '/' '{print $2}')
 echo "repo-name=$IMAGE_REPO_NAME" >> $GITHUB_OUTPUT
- - id: set-up-creds
+ - id: setup-aws
 name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role-test
 aws-region: ${{ secrets.AWS_REGION }}
+
 - id: login-ecr
 name: Login to Amazon ECR
 uses: aws-actions/amazon-ecr-login@v1
@@ -273,10 +273,9 @@ jobs:
 - id: setup-aws
 name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role-test
 aws-region: ${{ secrets.AWS_REGION }}
 - id: login-ecr
From 12287e2af22f8ab565cac7ad5650a00bd5ada7d8 Mon Sep 17 00:00:00 2001
From: ivababukova
Date: Wed, 25 Oct 2023 12:34:17 +0200
Subject: [PATCH 2/4] Add permissions for gettting the OIDC token
Signed-off-by: ivababukova
---
 .github/workflows/ci.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 46a4f50f7..6f5cf5249 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
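Review bot: The step that now exchanges the OIDC token for AWS credentials is pinned only to a mutable major tag, `uses: aws-actions/configure-aws-credentials@v2` (and `aws-actions/amazon-ecr-login@v1` on the following lines), so the code that handles the freshly minted credentials is whatever that tag resolves to on the day; pin both `uses:` lines to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha>  # v2`. The identical `role-to-assume` ARN is spelled out here and again in the `@@ -273` hunk, so defining it once under a workflow-level `env:` key would keep the two jobs from drifting apart. Since the workflow no longer reads `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`, those repository secrets and the IAM user behind them should be retired so the long-lived credential path is actually closed, and the role's trust policy (not part of this diff, so I cannot confirm it) should limit the token's `sub` claim to this repository and the refs these jobs run on. Both jobs containing these steps begin outside the hunks.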
@@ -15,6 +15,11 @@ on:
 - opened
 - synchronize
 - reopened
+
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 is-safe-to-run:
 name: Sensitive jobs are safe to be run
@@ -221,6 +226,7 @@ jobs:
 uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role-test
+ mask-aws-account-id: false
 aws-region: ${{ secrets.AWS_REGION }}
 - id: login-ecr
From 48c430e5d85f137b8085626bc93c2a3de73059e4 Mon Sep 17 00:00:00 2001
From: ivababukova
Date: Wed, 25 Oct 2023 12:45:15 +0200
Subject: [PATCH 3/4] Remove unmasking for AWS account id
Signed-off-by: ivababukova
---
 .github/workflows/ci.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6f5cf5249..995ff0454 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -225,8 +225,7 @@ jobs:
 name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role-test
- mask-aws-account-id: false
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role
 aws-region: ${{ secrets.AWS_REGION }}
 - id: login-ecr
From 766f09d74a3cd26ccbb769b4828af09d69711bea Mon Sep 17 00:00:00 2001
From: ivababukova
Date: Fri, 27 Oct 2023 12:05:59 +0200
Subject: [PATCH 4/4] Remove old file and change role name
Signed-off-by: ivababukova
---
 .ci.yaml | 29 -----------------------------
 .github/workflows/ci.yaml | 4 ++--
 2 files changed, 2 insertions(+), 31 deletions(-)
 delete mode 100644 .ci.yaml
diff --git a/.ci.yaml b/.ci.yaml
deleted file mode 100644
index 50423fa7e..000000000
--- a/.ci.yaml
+++ /dev/null
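Review bot: The new top-level `permissions:` block hands `id-token: write` to every job in the workflow, including `is-safe-to-run` visible just below it, which never calls `configure-aws-credentials`; the OIDC grant should sit on the two jobs that actually assume the role, as a job-level `permissions:` with `id-token: write` and `contents: read`, so no other job can request an identity token. Be aware as well that a workflow-level `permissions:` replaces the default `GITHUB_TOKEN` grants for all jobs with exactly these two scopes, so any job that relied on another default scope will start failing — the rest of the workflow is outside this hunk, so I cannot tell whether one does. The `on:` and `jobs:` mappings both extend beyond the hunk.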
@@ -1,29 +0,0 @@
-ci-policies:
- - PolicyName: "get-ecr-auth-token"
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - "ecr:GetAuthorizationToken"
- Resource: "*"
-
- - PolicyName: "manage-ecr-contents"
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - "ecr:BatchCheckLayerAvailability"
- - "ecr:GetDownloadUrlForLayer"
- - "ecr:GetRepositoryPolicy"
- - "ecr:DescribeRepositories"
- - "ecr:ListImages"
- - "ecr:DescribeImages"
- - "ecr:BatchGetImage"
- - "ecr:InitiateLayerUpload"
- - "ecr:UploadLayerPart"
- - "ecr:CompleteLayerUpload"
- - "ecr:PutImage"
- - "ecr:CreateRepository"
- Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/api"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 995ff0454..cde0a0821 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -225,7 +225,7 @@ jobs:
 name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-api
 aws-region: ${{ secrets.AWS_REGION }}
 - id: login-ecr
@@ -280,7 +280,7 @@ jobs:
 name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-api-role-test
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-api
 aws-region: ${{ secrets.AWS_REGION }}
 - id: login-ecr