Use configure-aws-credentials workflow instead of passing secret_access_key
#1363
Conversation
Signed-off-by: vudiep411 <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## unstable #1363 +/- ##
============================================
- Coverage 70.62% 70.56% -0.06%
============================================
Files 117 117
Lines 63315 63315
============================================
- Hits 44714 44679 -35
- Misses 18601 18636 +35 |
| @@ -11,6 +11,7 @@ on: | |||
| required: true | |||
|
|
|||
| permissions: | |||
| id-token: write | |||
There was a problem hiding this comment.
Why do we need the write permissions here?
There was a problem hiding this comment.
This is to ensure that your workflow has the necessary permission to perform OIDC authentication with AWS.
|
|
||
| permissions: | ||
| id-token: write |
There was a problem hiding this comment.
why do we need write permissions here?
There was a problem hiding this comment.
Same as the comment above. Each job spawned in the matrix runs in a separate environment and each of this env needs permission to perform OIDC authentication with AWS.
| - name: Install AWS cli. | ||
| run: | | ||
| sudo apt-get install -y awscli | ||
|
|
There was a problem hiding this comment.
Is the aws cli installed by aws-actions/configure-aws-credentials@v4 ??
There was a problem hiding this comment.
Yes, aws-actions/configure-aws-credentials@v4 will configured the runner environment with the proper AWS credentials and CLI
|
We will also need to do the prerequisites steps for the main repo before we merge this. |
|
@vudiep411, will it be possible to add a test, where we uploads a test build binary to a test s3 bucket when ever changes are made to these workflows. With this we can be sure that when we release stuff, it doesn't break on the main valkey repository |
|
Yes it is possible, we can use github environment for that. So we can write something like this: We use env to dynamically assigned the role to assume and env. But this would required us to set up multiple OCID on different accounts not just in the workflow itself so it should be in a separate issue. For now we can just set this one up and after this looks good, I will open another issue for it if that's ok. |
|
I think we can also do it based on the github event trigger maybe?
Also, I think we should add the test on the same PR so we can run the test on this PR and know that the tests also work. We would also have to do the pre-requisites only once for both the scenarios. |
|
That's a really good suggestion. We can look into that. That way it would automated the testing of a PR with a test bucket. Definitely doable |
vudiep411
force-pushed
the
aws-creds-workflow
branch
from
5c9474a
to
cd1fe2d
Compare
Signed-off-by: vudiep411 <[email protected]>
| @@ -56,7 +77,7 @@ jobs: | |||
| - uses: ./.github/actions/generate-package-build-matrix | |||
| id: set-matrix | |||
| with: | |||
| ref: ${{ inputs.version || github.ref_name }} | |||
| ref: ${{ needs.release-build-get-meta.outputs.version }} | |||
There was a problem hiding this comment.
We can use version output from release-build-get-meta
| - name: Set bucket name | ||
| id: check-env | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| echo "IS_TEST=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "IS_TEST=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
There was a problem hiding this comment.
Check if whether it is a pull request or it's an actual release (manual or automated) and output true or false. This step purpose is to know if we should use a test bucket or a prod bucket
| bucket: ${{ secrets.AWS_S3_BUCKET }} | ||
| access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} | ||
| secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }} | ||
| bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }} |
There was a problem hiding this comment.
Passing in the either the test_bucket or prod_bucket to run the reusable workflow.
New Changes
Set upTrust policy for github-action-role {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<aws_account_number>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:valkey/valkey:ref:refs/heads/*",
"repo:vudiep411/valkey:ref:refs/tags/*",
"repo:vudiep411/valkey:pull_request"
],
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}Repo Secrets ResultsAWS Buckets SummaryThe PR CI build-release will build the binary files into the |
Summary
This PR fixes #1346 where we can get rid of the long term credentials by using OpenID Connect. OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.
Changes
We can remove these secrets that were passed in previously:
Instead we only need the
role-to-assumearn. For more information OIDC.Prerequisites
Before merging this PR, we need to make sure to set up the proper Identity providers on the production AWS account. Follow this guides.
Quick guide:
Provider url:
https://token.actions.githubusercontent.comAudience:
sts.amazonaws.com{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::<aws_account_id>:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "token.actions.githubusercontent.com:sub": [ "repo:valkey-io/valkey:ref:refs/heads/unstable", "repo:valkey-io/valkey:ref:refs/tags/*" ], "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" } } } ] }Results
Github action run:
Files in S3 Dev env:
