From d724641b924f45cbb1c012d2d31087609929332f Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Tue, 10 Sep 2024 11:32:40 +0200
Subject: [PATCH 1/2] feat(GitHub): migrate configure-aws-credentials steps to IAM role assumption
---
.github/workflows/build-linux-binaries.yml | 8 ++++----
.github/workflows/build-macos-release.yml | 4 ++--
.github/workflows/build-ubuntu-amd64-release.yml | 8 ++++----
.github/workflows/build-ubuntu-arm64-release.yml | 8 ++++----
.github/workflows/build-win-release.yml | 6 +++---
5 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/build-linux-binaries.yml b/.github/workflows/build-linux-binaries.yml
index 08936031d3b0..f4dcbd93bbf1 100644
--- a/.github/workflows/build-linux-binaries.yml
+++ b/.github/workflows/build-linux-binaries.yml
@@ -32,8 +32,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
@@ -93,8 +93,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
diff --git a/.github/workflows/build-macos-release.yml b/.github/workflows/build-macos-release.yml
index 8a7f641ed3f7..8f1801b0c1f9 100644
--- a/.github/workflows/build-macos-release.yml
+++ b/.github/workflows/build-macos-release.yml
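Review bot: The new `role-to-assume` lines in both build-linux-binaries.yml hunks make `aws-actions/configure-aws-credentials@v4` obtain credentials through the GitHub OIDC token, which the action can only request when the job or workflow grants `permissions: id-token: write`; no hunk in this patch touches a `permissions:` block, so unless one already exists outside the hunk the step will fail at runtime with a "Credentials could not be loaded" style error. If it is missing, add `permissions:` / `  id-token: write` / `  contents: read` at the job level (job-level scoping keeps the token out of jobs that do not need it). The role behind `AWS_DEPLOY_SA_ROLE_ARN` also needs a trust policy that conditions `token.actions.githubusercontent.com:sub` on this repository (and ideally the release branch or tag), since the ARN alone is not a secret and any workflow trusted by the provider could otherwise assume it; that policy lives in AWS and cannot be verified from the diff. The enclosing `steps:` list starts and ends outside the hunk.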
@@ -58,8 +58,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Upload file to S3
diff --git a/.github/workflows/build-ubuntu-amd64-release.yml b/.github/workflows/build-ubuntu-amd64-release.yml
index ff26569570c2..6df99f50979a 100644
--- a/.github/workflows/build-ubuntu-amd64-release.yml
+++ b/.github/workflows/build-ubuntu-amd64-release.yml
@@ -30,8 +30,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
@@ -101,8 +101,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Create debian package
diff --git a/.github/workflows/build-ubuntu-arm64-release.yml b/.github/workflows/build-ubuntu-arm64-release.yml
index 514813c82cce..f78151311fdc 100644
--- a/.github/workflows/build-ubuntu-arm64-release.yml
+++ b/.github/workflows/build-ubuntu-arm64-release.yml
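Review bot: `role-session-name: githubrolesession` is the same fixed string in the macOS and both amd64 hunks (and every other workflow in this patch), so the `AssumeRoleWithWebIdentity` and S3 events in CloudTrail from these jobs cannot be told apart from each other or from the Linux/Windows jobs, which defeats much of the attribution benefit of moving off shared static keys. Deriving the name from the run, e.g. `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}`, ties each API call to one workflow run; keep it to the characters AWS accepts for a session name (`[\w+=,.@-]`, max 64), so do not splice in `github.repository` with its `/` unescaped. The job bodies continue outside each hunk.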
@@ -30,8 +30,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
@@ -88,8 +88,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
diff --git a/.github/workflows/build-win-release.yml b/.github/workflows/build-win-release.yml
index 15502e003223..a1d6d1a510d4 100644
--- a/.github/workflows/build-win-release.yml
+++ b/.github/workflows/build-win-release.yml
@@ -33,11 +33,11 @@ jobs:
 msiexec.exe /passive /i /n https://awscli.amazonaws.com/AWSCLIV2.msi
 aws --version
- - name: Configure AWS Credentials
+ - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_DEPLOY_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Try to get tag from git
From 841e3d58b51113be61801e3a6d4c2e4a22d1cad9 Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Wed, 11 Sep 2024 12:03:35 +0200
Subject: [PATCH 2/2] feat(marketplace): use GitHub IAM role to replace static credentials
---
.github/workflows/build-public-ami.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-public-ami.yml b/.github/workflows/build-public-ami.yml
index 314b110865a1..d97f7c32395e 100644
--- a/.github/workflows/build-public-ami.yml
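Review bot: The build-win-release.yml hunk is the last consumer of `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY` removed by this patch, but nothing here retires the underlying credential: the IAM user access key behind those secrets stays valid until it is deactivated and deleted, and the repository secrets should be removed so a future workflow cannot silently fall back to them. Suggest recording that follow-up in the commit message and, once the OIDC path is confirmed working on all five workflows (the Windows runner included), deleting the key in IAM rather than merely unsetting the secrets. Separately, since `uses: aws-actions/configure-aws-credentials@v4` (context line) now brokers the OIDC exchange for every release job, pinning it to a full commit SHA instead of the mutable `v4` tag would close the supply-chain gap of a credential-handling action being updated underneath you. The `run:` block with the `msiexec.exe` install starts outside the hunk.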
+++ b/.github/workflows/build-public-ami.yml
@@ -50,8 +50,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.MARKETPLACE_ID }}
- aws-secret-access-key: ${{ secrets.MARKETPLACE_KEY }}
+ role-to-assume: ${{ secrets.AWS_MARKETPLACE_SA_ROLE_ARN }}
+ role-session-name: githubrolesession
 aws-region: us-east-1
 - name: Setup `packer`
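Review bot: The role referenced by `AWS_MARKETPLACE_SA_ROLE_ARN` presumably carries the AMI-publishing / Marketplace permissions that the retired `MARKETPLACE_ID` / `MARKETPLACE_KEY` pair had, which makes its trust policy the only thing standing between "can trigger this workflow" and "can publish a public AMI"; that policy is not visible here, so please confirm its `sub` condition is pinned to this repository and to the specific branch, tag or GitHub `environment` that is allowed to publish (e.g. `repo:ORG/REPO:environment:marketplace`), not a wildcard over the org. Gating the job with `environment: marketplace` plus required reviewers and matching that in the trust policy is the usual way to keep a PR-triggered or forked run from reaching this role. As with patch 1/2, the old `MARKETPLACE_ID` / `MARKETPLACE_KEY` secrets and the IAM key behind them should be deleted once this path is verified. The `packer` setup step and the rest of the job lie outside the hunk.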