CRUC-58 DevOps :: Remove Individual IAM Users and Transition to OIDC …

…or Specific Static Credentials (#282) * ♻️ (workflows): refactor AWS credentials in GitHub workflows to use OIDC role for improved security and maintainability * 🔧 (GitHub Actions): remove AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA from env and add Configure AWS Credentials step to improve security and streamline AWS credential management in workflows
liquibase · Jan 8, 2025 · badc8ee · badc8ee
1 parent 708f283
commit badc8ee
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 12 deletions.
diff --git a/.github/workflows/pro-extension-test.yml b/.github/workflows/pro-extension-test.yml
@@ -65,18 +65,12 @@ on:
       PRO_LICENSE_KEY:
         description: "PRO_LICENSE_KEY from the caller workflow"
         required: true
-      GHA_AWS_KEY_ID:
-        description: "GHA_AWS_KEY_ID from the caller workflow"
+      AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA:
+        description: "OIDC Role from the caller workflow"
         required: true
-      GHA_AWS_KEY:
-        description: "GHA_AWS_KEY from the caller workflow"
-        required: true
-
 env:
   AWS_REGION: us-east-1
   LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   MAVEN_VERSION: "3.9.5"
 
@@ -93,6 +87,12 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+          aws-region: us-east-1
+
       - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
@@ -244,6 +244,12 @@ jobs:
           distribution: "temurin"
           cache: "maven"
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+          aws-region: us-east-1
+
       - name: Set up Maven
         uses: stCarolas/setup-maven@v5
         with:

diff --git a/.github/workflows/sonar-pull-request.yml b/.github/workflows/sonar-pull-request.yml
@@ -25,8 +25,6 @@ jobs:
 
     env:
       LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
 
     steps:
       - uses: actions/checkout@v4
@@ -40,6 +38,12 @@ jobs:
           distribution: 'temurin'
           cache: 'maven'
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+          aws-region: us-east-1
+
       # look for dependencies in maven
       - name: maven-settings-xml-action
         uses: whelk-io/maven-settings-xml-action@v22

diff --git a/.github/workflows/sonar-push.yml b/.github/workflows/sonar-push.yml
@@ -26,8 +26,6 @@ jobs:
     env:
       AWS_REGION: us-east-1
       LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
 
     steps:
       - uses: actions/checkout@v4
@@ -41,6 +39,12 @@ jobs:
           distribution: 'temurin'
           cache: 'maven'
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+          aws-region: us-east-1
+
       - name: Cache SonarCloud packages
         uses: actions/cache@v4
         with: