Use S3 OIDC credentials provider #211

Merged
merged 1 commit into from
Jun 8, 2023

Conversation

mdedetrich (Contributor) commented Apr 23, 2022

About this change - What it does

Uses AWS OIDC provider for credentials rather than raw key/secret

Why this way

Using GitHub's secrets has the issue where if someone creates a pull request that is outside of the Aiven org (which ultimately means creating a fork), then github-actions will not expose the secrets for security reasons.

The proper way to solve this problem is to use the OIDC provider https://github.com/aws-actions/configure-aws-credentials which afaik creates the same key/secret in environment variables; however, the specific key/secret that is generated is temporary, so even if a bad actor gets access to them they would have already expired.

With the latest version of sbt-github-actions merged (see #410) it's now possible to do this.
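As an added illustration (not part of this PR or of the workflow sbt-github-actions generates for the project), here is the shape of the change described above in GitHub Actions terms: the static key/secret step beside the OIDC step. The job names, action versions, role ARN and region are placeholders; on the AWS side an IAM role must exist whose trust policy trusts the `token.actions.githubusercontent.com` provider and restricts the `sub` claim to this repository.

```yaml
# Before: long-lived key/secret read from repository secrets.
# As the PR notes, GitHub withholds these from pull requests coming from forks,
# so the S3-backed tests never run for outside contributors.
jobs:
  test-static-secret:                   # placeholder job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: sbt test
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  # After: the job asks GitHub for a short-lived OIDC token and the action
  # exchanges it (sts:AssumeRoleWithWebIdentity) for temporary credentials,
  # exported as the same AWS_* environment variables plus AWS_SESSION_TOKEN.
  test-oidc:                            # placeholder job name
    runs-on: ubuntu-latest
    permissions:
      id-token: write                   # required: lets the runner mint the OIDC token
      contents: read                    # keep the rest of the token read-only
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER_CI_ROLE   # placeholder
          aws-region: us-east-1                                               # placeholder
          role-duration-seconds: 900    # minimum allowed; credentials die soon after the job
      - run: sbt test                   # no secrets.* reference needed any more
```

The role's trust-policy condition on the `sub` claim (for example `repo:<org>/<repo>:*`) is what stops any other repository with an OIDC token from assuming the same role, so it is as important as the workflow change itself.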

@mdedetrich mdedetrich marked this pull request as draft April 23, 2022 11:48
@mdedetrich mdedetrich force-pushed the use-s3-oidc-credentials-provider branch 2 times, most recently from 2a50e4f to 7fea342 April 27, 2022 12:51
@mdedetrich
Copy link
Contributor Author

PR is currently blocked by sbt/sbt-github-actions#105

@mdedetrich mdedetrich added the s3 Specifically related to Amazon's S3 storage backend label May 9, 2022
@mdedetrich mdedetrich added the upstream Issues that require changes/co-operation with upstream libraries/projects label May 19, 2022
@mdedetrich mdedetrich force-pushed the use-s3-oidc-credentials-provider branch from 7fea342 to 4991c63 May 24, 2022 17:54
@mdedetrich mdedetrich force-pushed the use-s3-oidc-credentials-provider branch 4 times, most recently from 4729fc0 to 3ea6a36 June 6, 2023 15:51
@mdedetrich mdedetrich marked this pull request as ready for review June 6, 2023 16:33
@mdedetrich mdedetrich force-pushed the use-s3-oidc-credentials-provider branch from 3ea6a36 to db00fc2 June 6, 2023 16:36
@coveralls commented
Pull Request Test Coverage Report for Build 5191098729

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+17.3%) to 76.053%

Totals Coverage Status
Change from base Build 5191066908: 17.3%
Covered Lines: 343
Relevant Lines: 451

💛 - Coveralls

@mdedetrich mdedetrich removed the upstream Issues that require changes/co-operation with upstream libraries/projects label Jun 6, 2023
@mdedetrich mdedetrich merged commit 2cf4317 into main Jun 8, 2023
@mdedetrich mdedetrich deleted the use-s3-oidc-credentials-provider branch June 8, 2023 17:26
Labels
s3 Specifically related to Amazon's S3 storage backend