diff --git a/.github/workflows/kubernetes-dist-train-integration-tests.yaml b/.github/workflows/kubernetes-dist-train-integration-tests.yaml
index 8088d5baa..bab0e0e2d 100644
--- a/.github/workflows/kubernetes-dist-train-integration-tests.yaml
+++ b/.github/workflows/kubernetes-dist-train-integration-tests.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
 kubernetes-launch:
 runs-on: ubuntu-18.04
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - name: Setup Python
 uses: actions/setup-python@v2
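Review bot: The new `permissions` block grants `id-token: write` to the whole `kubernetes-launch` job, so every later step, including `pip install -e .[kubernetes]` and the integration test run, can request a GitHub OIDC token, and nothing here says why the permission is needed. I would add a comment above it such as `# id-token: write is required to request the GitHub OIDC token that is exchanged for the AWS role`, so the grant is not widened or copied without thought. The IAM role's trust policy is not visible in this commit; presumably it restricts the token's `sub` claim to this repository and branch, which is worth confirming because that policy is what limits who can assume the role. The job's steps continue outside the hunk.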
@@ -17,22 +20,36 @@ jobs:
 architecture: x64
 - name: Checkout TorchX
 uses: actions/checkout@v2
- - name: Configure Kube Config
+ - name: Configure AWS
 env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+ run: |
+ set -ex
+
+ # sleep 5
+
+ #if [ -n "$AWS_ROLE_ARN" ]; then
+ export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
+ export AWS_DEFAULT_REGION=us-west-2
+
+ echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
+ echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+ echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
+
+ curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
+
+ cat $AWS_WEB_IDENTITY_TOKEN_FILE | openssl smime -encrypt -binary -aes-256-cbc -in - -out - -outform DER cert.pem | base64
+ #fi
+ - name: Configure Kube Config
 run: |
 set -eux
- if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+ if [ -n "$AWS_ROLE_ARN" ]; then
 aws eks update-kubeconfig --region=us-west-2 --name=${{ secrets.EKS_CLUSTER_NAME }}
 fi
 - name: Configure Docker
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 run: |
 set -eux
- if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+ if [ -n "$AWS_ROLE_ARN" ]; then
 aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 495572122715.dkr.ecr.us-west-2.amazonaws.com
 fi
 - name: Install dependencies
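Review bot: The `Configure AWS` step ends by piping the freshly issued OIDC token through `openssl smime -encrypt ... cert.pem | base64`, which prints an encrypted copy of a live credential into the job log for whoever holds the private key matching the `cert.pem` this commit adds at the repository root; it looks like leftover debugging and should be dropped together with that file. The `#if`/`#fi` guard is commented out, so the token request also runs when `AWS_ROLE_ARN` is empty, and because the pipeline has no `pipefail` and `curl` has no `-f`, a failed request can still leave `null` or an empty file at `/tmp/awscreds` without failing the step. `set -ex` also traces the `curl` line with the bearer request token expanded, which presumably leaves only the runner's log masking between that token and the log, so tracing is better left off in this step. The sketch below restores the guard and makes the token fetch fail closed.

```yaml
run: |
  set -euo pipefail
  if [ -n "$AWS_ROLE_ARN" ]; then
    # … unchanged: exports and the three GITHUB_ENV writes …
    curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" \
      | jq -er '.value' > "$AWS_WEB_IDENTITY_TOKEN_FILE"
  fi
```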
@@ -41,12 +58,10 @@ jobs:
 pip install -e .[kubernetes]
 - name: Run Kubernetes Integration Tests
 env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 INTEGRATION_TEST_STORAGE: ${{ secrets.INTEGRATION_TEST_STORAGE }}
 CONTAINER_REPO: ${{ secrets.CONTAINER_REPO }}
 run: |
- if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+ if [ -z "$AWS_ROLE_ARN" ]; then
 # only dryrun if no secrets
 ARGS="--dryrun"
 else
diff --git a/cert.pem b/cert.pem
new file mode 100644
index 000000000..7c2b7e444
--- /dev/null
+++ b/cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfkCFDzCSDoOMT8/1JdYpWl6CDEVi6N+MA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjExMDE0MjExODEzWhcNMjExMTEzMjEx
+ODEzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAqNNr6yhgLVKgQvi+6OfIY/p1OLBRd3eXGWKTIOTt9a8XOhhV
+HslPzmxYuZYMO5UAakMq3RgG1lMdNe/5SbdRKVBsNTAP2JniUrTX+V1B+/WVpWu6
+utVqe/4K517gmdjKd5eeXzFAZTnlYSFn3Caq3ehX+vy1QdghylD2sdXgubz3Vz5e
+bbY00mVo52BUf2dnrkh8IdfdVYnbcUx9pP9lIqHm12/daljbvmnwsnfY1+G7742l
+OP7b1yz2/3h52oLzGZsI9JPqDhIoNy5jfma+oFcyAdeNvB5NuNEDiU74CGwtnNAT
+yB0HaIldWDHZBYYZuvUaaOLXBvhH9B7RwjGqywIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQA4TojT19lFnMtbmBvE4BgyohqNFufl+OyGgyxpZTAJS1LRq9qUTCrBOnq/
+hEfY3l5tYpOnlviz/Y5RkhsXVVmfitIKQ4BPFv6uUZzX991NSyJfjTQQJv1F0VHd
+VmK2JuUAXUnz7EntST8LG1ivwTj636BMn3CVAJvj+UmBJt8uKOtou6rxV/GAkF3X
+r3qtpYWY6LleWc2IeEOd+AwYvOqaTYHgKA5EKUaZHjv7Kn0K0bOvoI25St/iKU0u
+ZImvmNwty3EUvibNZWFA6Hh43jtjJjr3TJs3d5aenIqZMQR7zQN7/JBOCRVRYSkQ
+PWhOGMpTp2FIJrB50Vp5LdDwa2go
+-----END CERTIFICATE-----