From 46895ab8006fc861ca6a6212286227d02873dfd7 Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Wed, 1 Nov 2023 21:09:40 +0000
Subject: [PATCH] Activate AWS Curvenote GitHub OIDC credentials
---
 .github/workflows/cd.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 5c71f96fb..c638f9479 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -228,6 +228,13 @@ jobs:
 - federation_member: curvenote
 helm_version: ""
 experimental: false
+ aws_deployment_role: arn:aws:iam::166088433508:role/binderhub-github-oidc-mybinderorgdeploy
+ aws_region: us-east-2
+
+ # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - name: "Stage 0: Update env vars based on job matrix arguments"
@@ -286,6 +293,14 @@ jobs:
 with:
 version: ${{ env.GCLOUD_SDK_VERION }}
+ - name: "Stage 1: Configure AWS credentials"
+ if: matrix.federation_member == 'curvenote'
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ matrix.aws_deployment_role }}
+ aws-region: ${{ matrix.aws_region }}
+ role-session-name: mybinder-github-cd
+
 - name: "Stage 1: Install kubectl ${{ env.KUBECTL_VERSION }}"
 uses: azure/setup-kubectl@v3.2
 with:
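Review bot: The `permissions` block added at job level gives `id-token: write` to every matrix leg of this job, while only the curvenote entry sets `aws_deployment_role`, so what actually limits who can assume the role is the IAM trust policy, which this diff does not show. It is worth confirming that the policy conditions on `token.actions.githubusercontent.com:sub` for this repository and the deploy ref, and on `token.actions.githubusercontent.com:aud` being `sts.amazonaws.com`. I would record that next to the block, e.g. `# The AWS role trust policy must restrict the OIDC sub claim to this repo and deploy ref; id-token: write alone does not scope access.` The job definition starts and continues outside the hunk, so the triggers that reach it cannot be checked from here.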
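Review bot: `uses: aws-actions/configure-aws-credentials@v4` tracks a mutable tag, and this is the step that handles the OIDC token and the resulting deploy-role credentials, so a retagged release would run with them. Pinning to a full commit SHA with the version in a trailing comment closes that: `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4`. Separately, the fixed `role-session-name: mybinder-github-cd` makes every run look the same in CloudTrail; `role-session-name: mybinder-github-cd-${{ github.run_id }}` would tie each assumed-role session to one workflow run. The step list continues outside the hunk.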