From 6549c2d584541939e0a67616eebf90b4cd9b1fe9 Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak <anatoliy.dutchak@gmail.com>
Date: Thu, 12 Sep 2024 20:28:23 +0200
Subject: [PATCH] feat(GitHub): migrate configure-aws-credentials steps to IAM
 role assumption (#3377)

---
 .github/workflows/build-linux-binaries.yml       | 8 ++++----
 .github/workflows/build-macos-release.yml        | 4 ++--
 .github/workflows/build-public-ami.yml           | 4 ++--
 .github/workflows/build-ubuntu-amd64-release.yml | 8 ++++----
 .github/workflows/build-ubuntu-arm64-release.yml | 8 ++++----
 .github/workflows/build-win-release.yml          | 6 +++---
 6 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build-linux-binaries.yml b/.github/workflows/build-linux-binaries.yml
index 08936031d3b0..f4dcbd93bbf1 100644
--- a/.github/workflows/build-linux-binaries.yml
+++ b/.github/workflows/build-linux-binaries.yml
@@ -32,8 +32,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git
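Review bot: With the static keys removed, this step can only obtain credentials for `role-to-assume` through GitHub's OIDC token (unless the runner supplies AWS credentials of its own), and that requires `id-token: write` on the job, which is not visible in this hunk. The job header is outside the hunk, so if the workflow does not already grant it, add `permissions:` with `id-token: write` and `contents: read` to each job that runs this step; the same applies to every other hunk in this patch. The trust policy behind `AWS_DEPLOY_SA_ROLE_ARN` is not part of the diff either, so confirm that it conditions `token.actions.githubusercontent.com:sub` on this repository and on the refs that are allowed to release.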
@@ -93,8 +93,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git
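Review bot: The fixed `role-session-name: githubrolesession` is shared by all nine steps in this patch and by both roles, so CloudTrail records for the assumed role cannot be tied back to a specific workflow run. A per-run value such as `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}` keeps the audit trail attributable during incident response. The same change applies to every other `role-session-name` line in the patch.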
diff --git a/.github/workflows/build-macos-release.yml b/.github/workflows/build-macos-release.yml
index 8a7f641ed3f7..8f1801b0c1f9 100644
--- a/.github/workflows/build-macos-release.yml
+++ b/.github/workflows/build-macos-release.yml
@@ -58,8 +58,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Upload file to S3
diff --git a/.github/workflows/build-public-ami.yml b/.github/workflows/build-public-ami.yml
index 314b110865a1..d97f7c32395e 100644
--- a/.github/workflows/build-public-ami.yml
+++ b/.github/workflows/build-public-ami.yml
@@ -50,8 +50,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.MARKETPLACE_ID }}
-          aws-secret-access-key: ${{ secrets.MARKETPLACE_KEY }}
+          role-to-assume: ${{ secrets.AWS_MARKETPLACE_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Setup `packer`
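Review bot: `uses: aws-actions/configure-aws-credentials@v4` follows a mutable tag, and in this job the step obtains the credentials of the Marketplace publishing role. Pin it to a full commit SHA, for example `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`, and update it deliberately; the other workflows in this patch use the same reference. Once this workflow is confirmed working, the `MARKETPLACE_ID` and `MARKETPLACE_KEY` secrets and the IAM access key behind them should be removed, so the long-lived credential does not stay valid next to the role.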
diff --git a/.github/workflows/build-ubuntu-amd64-release.yml b/.github/workflows/build-ubuntu-amd64-release.yml
index ff26569570c2..6df99f50979a 100644
--- a/.github/workflows/build-ubuntu-amd64-release.yml
+++ b/.github/workflows/build-ubuntu-amd64-release.yml
@@ -30,8 +30,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git
@@ -101,8 +101,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Create debian package
diff --git a/.github/workflows/build-ubuntu-arm64-release.yml b/.github/workflows/build-ubuntu-arm64-release.yml
index 514813c82cce..f78151311fdc 100644
--- a/.github/workflows/build-ubuntu-arm64-release.yml
+++ b/.github/workflows/build-ubuntu-arm64-release.yml
@@ -30,8 +30,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git
@@ -88,8 +88,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git
diff --git a/.github/workflows/build-win-release.yml b/.github/workflows/build-win-release.yml
index 15502e003223..a1d6d1a510d4 100644
--- a/.github/workflows/build-win-release.yml
+++ b/.github/workflows/build-win-release.yml
@@ -33,11 +33,11 @@ jobs:
           msiexec.exe /passive /i /n https://awscli.amazonaws.com/AWSCLIV2.msi
           aws --version
 
-      - name: Configure AWS Credentials
+      - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+          role-session-name: githubrolesession
           aws-region: us-east-1
 
       - name: Try to get tag from git