Skip to content

Commit

Permalink
Only Use Assume Role Creds
Browse files Browse the repository at this point in the history
  • Loading branch information
sethAmazon committed Aug 4, 2022
1 parent 33af7d7 commit 56820da
Show file tree
Hide file tree
Showing 7 changed files with 80 additions and 15 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/clean_ami.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
jobs:
clean-ami:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v3
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/clean_dedicated_host.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
jobs:
clean-dedicated-hosts:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v3
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/integrationTest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,9 @@ jobs:
if: steps.cached_win_zip.outputs.cache-hit != 'true'
run: |
sudo apt install zip
zip -r buildMSI.zip msi_dep
mkdir buildMSI
cp -r msi_dep buildMSI
zip -r buildMSI.zip buildMSI
- name: Upload zip
if: steps.cached_win_zip.outputs.cache-hit != 'true'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,17 @@ on:
jobs:
clean-dedicated-hosts:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v3

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.INTERNAL_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.INTERNAL_AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.INTERNAL_AWS_ASSUME_ROLE }}
aws-region: us-west-2

- name: Clean old dedicated host
Expand Down
22 changes: 11 additions & 11 deletions .github/workflows/nightly-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ jobs:
build:
name: Upload Nightly Binaries
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:

- name: Set up Go 1.x
Expand All @@ -18,6 +21,12 @@ jobs:
go-version: ~1.18.3
id: go

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.S3_AWS_ASSUME_ROLE }}
aws-region: us-east-1

#Need to install rpm so ubuntu can make rpm by default ubuntu can make deb
- name: Install rpm
run: sudo apt install rpm
Expand All @@ -31,14 +40,5 @@ jobs:
- name: Release
run: make nightly-release

- name: Upload binaries to latest
uses: jakejarvis/s3-sync-action@master
with:
args: --acl public-read
env:
AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY}}
AWS_REGION: 'us-east-1'
AWS_S3_BUCKET: 'amazoncloudwatch-agent'
SOURCE_DIR: 'build/bin'
DEST_DIR: 'nightly-build/latest'
- name: Upload to S3
run: aws s3 cp build/bin s3://amazoncloudwatch-agent/nightly-build/latest/ --recursive --acl public-read --source-region us-east-1
3 changes: 3 additions & 0 deletions .github/workflows/releaseTest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ jobs:
UpdatePerformanceMetrics:
name: "UpdatePerformanceMetrics"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v2

Expand Down
54 changes: 53 additions & 1 deletion integration/terraform/ec2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,65 @@ Running integration tests
This all assumes that you are creating resources in the `us-west-2` region, as that is currently the only region that
supports the integration test AMIs.

#### Terraform IAM user permissions
#### Terraform IAM assume role permission

For ease of use, here's a generated IAM policy based on resource usage that you can attach to your IAM user that
Terraform will assume, with the required permissions. See docs
on [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)
for how to easily generate a new policy.

#### Creating assume role
[reference of how to create role](https://github.com/aws-actions/configure-aws-credentials)

Cloud formation template. You only need to enter org and repo (ex aws amazon-cloudwatch-agent)
```
Parameters:
GitHubOrg:
Type: String
RepositoryName:
Type: String
OIDCProviderArn:
Description: Arn for the GitHub OIDC Provider.
Default: ""
Type: String
Conditions:
CreateOIDCProvider: !Equals
- !Ref OIDCProviderArn
- ""
Resources:
Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRoleWithWebIdentity
Principal:
Federated: !If
- CreateOIDCProvider
- !Ref GithubOidc
- !Ref OIDCProviderArn
Condition:
StringLike:
token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
GithubOidc:
Type: AWS::IAM::OIDCProvider
Condition: CreateOIDCProvider
Properties:
Url: https://token.actions.githubusercontent.com
ClientIdList:
- sts.amazonaws.com
ThumbprintList:
- 6938fd4d98bab03faadb97b34396831e3780aea1
Outputs:
Role:
Value: !GetAtt Role.Arn
```

```json
{
"Version": "2012-10-17",
Expand Down

0 comments on commit 56820da

Please sign in to comment.