Merge branch 'master' into 44-make-process-project-show-up-for-cell-l…

…evel
biomage-org · Nov 8, 2023 · b5e5686 · b5e5686
2 parents 2b72162 + 36a2fbe
commit b5e5686
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 36 deletions.
diff --git a/.ci.yaml b/.ci.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -20,6 +20,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   is-safe-to-run:
     name: Sensitive jobs are safe to be run
@@ -194,12 +198,11 @@ jobs:
             echo "tag=refs-heads-master-$BASE_SHA" >> $GITHUB_OUTPUT
           fi
 
-      - id: set-up-creds
+      - id: setup-aws
         name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline
           aws-region: ${{ secrets.AWS_REGION }}
 
       - id: login-ecr
@@ -308,10 +311,9 @@ jobs:
 
       - id: setup-aws
         name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline
           aws-region: ${{ secrets.AWS_REGION }}
 
       - id: login-ecr

diff --git a/ci-role-pipeline-cf.yaml b/ci-role-pipeline-cf.yaml
@@ -0,0 +1,66 @@
+# Used during CI builds for AWS access
+# Deploy this once for every AWS account you want the build to have access to 
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Set up API role using Github OIDC for workflow permissions
+
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ci-role-pipeline
+      MaxSessionDuration: 7200
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              # Make sure that the OIDC provider is set up in the AWS account.
+              # Uncomment and deploy the commented out GithubOidc Resource below if this is not the case.
+              # Replace <ACCOUNT_ID> with the ID of the AWS Account the CI workflow needs access to.
+              Federated: arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: sts.amazonaws.com
+              StringLike:
+                # Change the placeholder <ORGANISATION_NAME> below when deploying the template
+                token.actions.githubusercontent.com:sub: repo:<ORGANISATION_NAME>/pipeline:*
+      Policies:
+        - PolicyName: "get-ecr-auth-token"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "ecr:GetAuthorizationToken"
+                Resource: "*"
+        - PolicyName: "manage-ecr-contents"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "ecr:BatchCheckLayerAvailability"
+                  - "ecr:GetDownloadUrlForLayer"
+                  - "ecr:GetRepositoryPolicy"
+                  - "ecr:DescribeRepositories"
+                  - "ecr:ListImages"
+                  - "ecr:DescribeImages"
+                  - "ecr:BatchGetImage"
+                  - "ecr:InitiateLayerUpload"
+                  - "ecr:UploadLayerPart"
+                  - "ecr:CompleteLayerUpload"
+                  - "ecr:PutImage"
+                  - "ecr:CreateRepository"
+                Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/pipeline"
+
+# This part is only required if Github OIDC is not already set up in the AWS account
+# as an Identity Provider. Uncomment to deploy if needed.
+  # GithubOidc:
+  #   Type: AWS::IAM::OIDCProvider
+  #   Properties:
+  #     Url: https://token.actions.githubusercontent.com
+  #     ClientIdList:
+  #       - sts.amazonaws.com
+  #     ThumbprintList:
+  #       - 6938fd4d98bab03faadb97b34396831e3780aea1
+  #       - 1c58a3a8518e8759bf075b76b750d4f2df264fcd