From 69982b71496e1c49fac0433b1d6c0fdb4515a712 Mon Sep 17 00:00:00 2001 From: Dev Singh Date: Sun, 9 Mar 2025 18:52:28 -0500 Subject: [PATCH 1/6] use the assumable role --- .github/workflows/deploy-dev.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index dd41b01c..ff9ce769 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -26,6 +26,9 @@ jobs: run: make test_unit deploy-dev: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read concurrency: group: ${{ github.event.repository.name }}-dev-env cancel-in-progress: false @@ -50,8 +53,8 @@ jobs: python-version: 3.11 - uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole + role-session-name: Core_Dev_Deployment aws-region: us-east-1 - name: Publish to AWS run: make deploy_dev From fd6ffa300e28fbfa90548b39049f493f3ca1cd34 Mon Sep 17 00:00:00 2001 From: Dev Singh Date: Sun, 9 Mar 2025 19:00:40 -0500 Subject: [PATCH 2/6] push change --- .github/workflows/deploy-dev.yml | 2 +- .github/workflows/deploy-prod.yml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index ff9ce769..1f7ecd2d 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -51,7 +51,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: 3.11 - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole role-session-name: Core_Dev_Deployment diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 1ad62d22..77f78733 100644 
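Review bot: Nothing in the `role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole` hunk limits who may assume that role; that is decided entirely by the role's trust policy, which is not part of this diff, so confirm its condition on `token.actions.githubusercontent.com:sub` is scoped to this repository (`repo:<owner>/<repo>:*`, ideally narrowed to a branch or environment) and on `:aud` to `sts.amazonaws.com`, because a trust policy that only checks the issuer lets any GitHub repository obtain these credentials. The static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets dropped here remain a valid credential until the IAM access key is deactivated and the repository secrets are deleted, which should happen once the OIDC path is verified. A fixed `role-session-name: Core_Dev_Deployment` makes every run look identical in CloudTrail; `role-session-name: core-dev-deploy-${{ github.run_id }}` keeps attribution per run. Since `aws-actions/configure-aws-credentials` is now the step that mints AWS credentials, consider pinning it to a commit SHA instead of the `@v2` major tag.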
--- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -48,10 +48,10 @@ jobs: uses: actions/setup-python@v5 with: python-version: 3.11 - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole + role-session-name: Core_Dev_Prod_Deployment aws-region: us-east-1 - name: Publish to AWS run: make deploy_dev @@ -113,10 +113,10 @@ jobs: uses: actions/setup-python@v5 with: python-version: 3.11 - - uses: aws-actions/configure-aws-credentials@v2 + - uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::298118738376:role/GitHubActionsRole + role-session-name: Core_Dev_Prod_Deployment aws-region: us-east-1 - name: Publish to AWS run: make deploy_prod From b9faff8ba590e4f13297117339c67c59bfea6787 Mon Sep 17 00:00:00 2001 From: Dev Singh Date: Sun, 9 Mar 2025 19:03:59 -0500 Subject: [PATCH 3/6] fix id token permissions --- .github/workflows/deploy-prod.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 77f78733..eb810fee 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -29,6 +29,9 @@ jobs: concurrency: group: ${{ github.event.repository.name }}-dev cancel-in-progress: false + permissions: + id-token: write + contents: read environment: "AWS DEV" name: Deploy to DEV needs: @@ -95,6 +98,9 @@ jobs: concurrency: group: ${{ github.event.repository.name }}-prod cancel-in-progress: false + permissions: + id-token: write + contents: read needs: - test-dev environment: "AWS PROD" From c4057d9f056a7de5fa6a3b2784cab5d477c0a4a5 Mon Sep 17 00:00:00 2001 
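Review bot: The first hunk gives the dev-account deployment (`make deploy_dev`, role in 427040638965) the session name `Core_Dev_Prod_Deployment`, the same name the prod job in the second hunk uses, so CloudTrail in either account cannot tell the two deployments apart by session. Give each job a name that says what it is and which run produced it, for example `role-session-name: core-dev-deploy-${{ github.run_id }}` here and a `core-prod-deploy-...` name in the prod job. The `deploy-dev` job these lines belong to starts outside the hunk.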
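Review bot: Assuming `arn:aws:iam::298118738376:role/GitHubActionsRole` from a job is only as safe as that role's trust policy, which is not shown; if it merely checks the repository, any workflow in this repository — a feature-branch run, or the manually dispatched identity-check workflow added later in this series — can obtain production credentials regardless of the `environment: "AWS PROD"` gate and its reviewers. The prod role's trust policy should require the environment-scoped subject, `"token.actions.githubusercontent.com:sub": "repo:<owner>/<repo>:environment:AWS PROD"`, so only jobs that passed the environment protection rules can assume it. The `role-session-name: Core_Dev_Prod_Deployment` here is also a copy of the dev job's and reads as "dev"; `core-prod-deploy-${{ github.run_id }}` would be unambiguous in the prod account's CloudTrail. The `deploy-prod` job these lines belong to starts outside the hunk.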
From: Dev Singh Date: Sun, 9 Mar 2025 22:08:27 -0500 Subject: [PATCH 4/6] add a test workflow --- .github/workflows/test.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000..1d491908 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,21 @@ +name: AWS STS Identity Check + +on: + workflow_dispatch: + +jobs: + check-aws-identity: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole + role-session-name: Core_Dev_Deployment + aws-region: us-east-1 + + - name: Get AWS Caller Identity + run: aws sts get-caller-identity From dac434046aebd34877c1a7a58441b9e2ce8109b8 Mon Sep 17 00:00:00 2001 From: Dev Singh Date: Sun, 9 Mar 2025 22:46:30 -0500 Subject: [PATCH 5/6] part 2 --- cloudformation/iam.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudformation/iam.yml b/cloudformation/iam.yml index 4d33f98a..905b76b8 100644 --- a/cloudformation/iam.yml +++ b/cloudformation/iam.yml @@ -66,7 +66,7 @@ Resources: Version: "2012-10-17" Statement: - Action: - - secretsmanager:GetSecretValue + - secretsmanager:* Effect: Allow Resource: - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config* From f23d771758e64008815d5bd4150db425142abf28 Mon Sep 17 00:00:00 2001 From: Dev Singh Date: Sun, 9 Mar 2025 23:41:15 -0500 Subject: [PATCH 6/6] Revert "part 2" This reverts commit dac434046aebd34877c1a7a58441b9e2ce8109b8. --- cloudformation/iam.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudformation/iam.yml b/cloudformation/iam.yml index 905b76b8..4d33f98a 100644 --- a/cloudformation/iam.yml +++ b/cloudformation/iam.yml 
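Review bot: The new `check-aws-identity` job declares no `permissions:` block, so its token is never granted `id-token: write` and `aws-actions/configure-aws-credentials@v4` cannot request the OIDC token it needs — the same omission the series had to fix in `deploy-prod.yml` — so add `permissions:` / `  id-token: write` / `  contents: read` under `runs-on`, which also drops the token's default write scopes. The `actions/checkout@v4` step contributes nothing to `aws sts get-caller-identity` and can be removed. Reusing `role-session-name: Core_Dev_Deployment` makes this manual probe indistinguishable in CloudTrail from a real dev deployment; name it `sts-identity-check-${{ github.run_id }}`. The account ID and role ARN are now hard-coded in three workflows; a repository variable such as `${{ vars.AWS_DEV_DEPLOY_ROLE_ARN }}` would keep them in one place.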
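Review bot: `secretsmanager:*` on the `infra-core-api-config*` resource turns a read-only grant into one that also allows `PutSecretValue`, `DeleteSecret`, `RestoreSecret` and `PutResourcePolicy`, and the commit message "part 2" gives no reason for the widening; the final commit in this series reverts it, so this looks like a debugging step rather than an intended change. If the deploy genuinely needs more than `GetSecretValue`, add the specific action (for example `- secretsmanager:DescribeSecret`) instead of the wildcard so the principal keeps least privilege. The enclosing policy statement starts outside the hunk.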
@@ -66,7 +66,7 @@ Resources: Version: "2012-10-17" Statement: - Action: - - secretsmanager:* + - secretsmanager:GetSecretValue Effect: Allow Resource: - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*