Update CI workflow to configure AWS credentials and enhance permissions

carbonplan · Nov 21, 2024 · 004b08d · 004b08d
1 parent d6e29e2
commit 004b08d
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -15,9 +15,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 env:
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   AWS_DEFAULT_REGION: us-west-2
 
 jobs:
@@ -29,7 +31,12 @@ jobs:
         shell: bash -l {0}
     steps:
       - uses: actions/checkout@v4
-
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::631969445205:role/github-action-role
+          role-session-name: offsets-db-etl-role-session
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
       - uses: actions/setup-python@v5
         with:
           python-version: '3.10'