Use IAM Anywhere Roles for deployment (#72)

devksingh4 · web-flow · commit 48db13c12268 · 2025-03-10T00:53:17.000-05:00
* use the assumable role * push change * fix id token permissions * add a test workflow * part 2 * Revert "part 2" This reverts commit dac4340.
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -26,6 +26,9 @@ jobs:
         run: make test_unit
   deploy-dev:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     concurrency:
       group: ${{ github.event.repository.name }}-dev-env
       cancel-in-progress: false
@@ -48,10 +51,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: 3.11
-      - uses: aws-actions/configure-aws-credentials@v2
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole
+          role-session-name: Core_Dev_Deployment
           aws-region: us-east-1
       - name: Publish to AWS
         run: make deploy_dev
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
@@ -29,6 +29,9 @@ jobs:
     concurrency:
       group: ${{ github.event.repository.name }}-dev
       cancel-in-progress: false
+    permissions:
+      id-token: write
+      contents: read
     environment: "AWS DEV"
     name: Deploy to DEV
     needs:
@@ -48,10 +51,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: 3.11
-      - uses: aws-actions/configure-aws-credentials@v2
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole
+          role-session-name: Core_Dev_Prod_Deployment
           aws-region: us-east-1
       - name: Publish to AWS
         run: make deploy_dev
@@ -95,6 +98,9 @@ jobs:
     concurrency:
       group: ${{ github.event.repository.name }}-prod
       cancel-in-progress: false
+    permissions:
+      id-token: write
+      contents: read
     needs:
       - test-dev
     environment: "AWS PROD"
@@ -113,10 +119,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: 3.11
-      - uses: aws-actions/configure-aws-credentials@v2
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::298118738376:role/GitHubActionsRole
+          role-session-name: Core_Dev_Prod_Deployment
           aws-region: us-east-1
       - name: Publish to AWS
         run: make deploy_prod
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,21 @@
+name: AWS STS Identity Check
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check-aws-identity:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole
+          role-session-name: Core_Dev_Deployment
+          aws-region: us-east-1
+
+      - name: Get AWS Caller Identity
+        run: aws sts get-caller-identity
