From a5744286d1b05b8a73f36d354227714f0b2827e8 Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Fri, 17 Jun 2022 12:53:21 -0400
Subject: [PATCH] Use OIDC role assumption from GHA to AWS for remaining workflows (#6778)

* Use OIDC role assumption from GHA to AWS
* Use updated action with correct/updated inputs
* Revert workflow until invoking repos are updated
* Update secret ref
* Rename secret to make migrating easier

Co-authored-by: Domino Valdano <2644901+reductionista@users.noreply.github.com>
---
 .../build-sign-publish-chainlink/action.yml | 10 +---------
 .github/workflows/build-publish.yml | 7 ++++---
 .github/workflows/performance-tests.yml | 19 +++++++++----------
 3 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml
index 924a9e04d14..3ec8226eb52 100644
--- a/.github/actions/build-sign-publish-chainlink/action.yml
+++ b/.github/actions/build-sign-publish-chainlink/action.yml
@@ -19,12 +19,6 @@ inputs: Eg. Public ECR repo `chainlink` and registry alias `chainlinklabs` should be `chainlinklabs/chainlink`. For a private ECR repo `chainlink` the image name should be `chainlink` default: chainlink/chainlink required: false - aws-access-key-id: - description: The IAM access key used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication - required: false - aws-secret-access-key: - description: The IAM access key secret used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication - required: false aws-role-to-assume: description: The AWS role to assume as the CD user, if any. Used in configuring the docker/login-action required: false
@@ -92,12 +86,10 @@ runs: echo "EOF" >> $GITHUB_ENV - if: inputs.publish == 'true' - # Log in to AWS for publish to ECR, OIDC auth will be attempted instead if both access-key fields are empty + # Log in to AWS for publish to ECR name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e # v1.6.0 with: - aws-access-key-id: ${{ inputs.aws-access-key-id }} - aws-secret-access-key: ${{ inputs.aws-secret-access-key }} role-to-assume: ${{ inputs.aws-role-to-assume }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} aws-region: ${{ inputs.aws-region }}
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index 88a41201146..68edbd47de2 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
@@ -12,6 +12,9 @@ jobs: build-sign-publish-chainlink: runs-on: ubuntu-20.04 environment: build-publish + permissions: + id-token: write + contents: read steps: - name: Checkout repository uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
@@ -20,9 +23,7 @@ jobs: uses: ./.github/actions/build-sign-publish-chainlink with: publish: true - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} sign-images: true
diff --git a/.github/workflows/performance-tests.yml b/.github/workflows/performance-tests.yml
index feb490f2cac..40181aff2ac 100644
--- a/.github/workflows/performance-tests.yml
+++ b/.github/workflows/performance-tests.yml
@@ -10,6 +10,9 @@ on: jobs: build-chainlink: environment: integration + permissions: + id-token: write + contents: read name: Build Chainlink Image runs-on: ubuntu-latest steps:
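Review bot: The rewritten step comment `# Log in to AWS for publish to ECR` no longer says how the login authenticates, yet after this hunk the step works only when the calling workflow grants the job `id-token: write` and passes `aws-role-to-assume` — a composite action cannot request that permission itself, and the `aws-role-to-assume` input is still declared `required: false` with an "if any" description in the inputs hunk above. I would make the comment carry that contract: `# Log in to AWS for publish to ECR via OIDC role assumption; the calling workflow must grant permissions: id-token: write and supply aws-role-to-assume`, and update the input description to say it is required whenever `publish` is true. With neither static keys nor a role supplied, configure-aws-credentials presumably either falls through to whatever credentials the runner environment has or fails — worth confirming so a misconfigured caller fails at this step rather than at the ECR push. The step belongs to a `runs:` steps list that begins before this hunk.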
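Review bot: The added `id-token: write` lets this job mint a GitHub OIDC token, so the safety of the new path rests entirely on the IAM role's trust policy, which is not visible here; it should constrain `token.actions.githubusercontent.com:sub` to this repository and the `build-publish` environment (and `aud` to `sts.amazonaws.com`) rather than the whole org or a wildcard, otherwise any workflow in the org with `id-token: write` can assume the role. A comment on the block records that dependency for the next person who touches the trust policy, e.g. `# id-token: write is needed for OIDC role assumption into AWS; the role's trust policy must pin the sub claim to repo:<org>/<repo>:environment:build-publish`. Adding a `permissions` block also sets every unlisted scope to none, so the explicit `contents: read` is the right narrowing, and any later step needing more (writing releases, packages) must be added here. The `build-sign-publish-chainlink` job continues past the end of this hunk.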
@@ -18,10 +21,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + aws-region: ${{ secrets.QA_AWS_REGION }} + role-to-assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} role-duration-seconds: 3600 - name: Login to Amazon ECR id: login-ecr
@@ -46,7 +47,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v2 - name: Run Tests - uses: smartcontractkit/ctf-ci-e2e-action@v1.0.2 + uses: smartcontractkit/ctf-ci-e2e-action@41848377703354a32d355d3f2f7cb3b9e3049b8c with: test_command_to_run: make test_perf args="--procs=10 --focus=${{ github.event.inputs.focus }}" test_download_vendor_packages_command: make gomod
@@ -55,11 +56,9 @@ jobs: cl_image_tag: latest.${{ github.sha }} artifacts_location: ./integration-tests/performance/logs publish_report_paths: ./tests-perf-report.xml - QA_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - QA_AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - QA_AWS_REGION: ${{ secrets.AWS_REGION }} - QA_AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }} - QA_KUBECONFIG: ${{ secrets.KUBECONFIG }} + QA_AWS_REGION: ${{ secrets.QA_AWS_REGION }} + QA_AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} + QA_KUBECONFIG: ${{ secrets.QA_KUBECONFIG }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Publish pprof artifacts if: ${{ success() }}
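Review bot: `uses: aws-actions/configure-aws-credentials@v1` is a floating major tag, while the same commit pins the identical action to a commit SHA in action.yml; for a step that now mints an OIDC token and exchanges it for role credentials, a moved tag silently changes the code handling that token, so pin it the same way: `uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e # v1.6.0`. The hard-coded `role-duration-seconds: 3600` is presumably bounded by the role's MaxSessionDuration — STS rejects an AssumeRoleWithWebIdentity request asking for more than the role allows — so a short comment tying the two together would save the next debugging session. The `steps:` list this step belongs to starts outside the hunk.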
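Review bot: The new pin `smartcontractkit/ctf-ci-e2e-action@41848377703354a32d355d3f2f7cb3b9e3049b8c` carries no trailing version comment, unlike the `@<sha> # v1.6.0` convention this commit follows in action.yml, so a reader can no longer tell which release the SHA corresponds to; add `# vX.Y.Z` with the tag it maps to (I cannot confirm the tag from here). Separately, the unchanged `test_command_to_run` line below splices `${{ github.event.inputs.focus }}` directly into a shell command string; `workflow_dispatch` inputs can only be set by someone with write access, so exposure is limited, but routing the value through an env var (`FOCUS: ${{ github.event.inputs.focus }}` and `--focus=$FOCUS`, assuming the action runs the command in a shell that inherits job env) removes the expression-injection path should the trigger ever widen. The job this step belongs to begins before the hunk.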