Use OIDC to assume CI AWS role (#627)

JuliaCloud · Jun 7, 2023 · df874f1 · df874f1
1 parent a7dae3d
commit df874f1
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 33 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -12,6 +12,11 @@ on:
 jobs:
   test:
     name: Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }}
+    permissions:
+      # Required for interacting with GitHub's OIDC Token endpoint:
+      # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings
+      id-token: write
+      contents: read  # Required for `actions/checkout`
     runs-on: ${{ matrix.os }}
     timeout-minutes: 30
     continue-on-error: ${{ matrix.version == 'nightly' }}
@@ -36,6 +41,11 @@ jobs:
       MINIO_REGION_NAME: aregion
     steps:
       - uses: actions/checkout@v2
+      - name: Assume AWS role
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/AWS.jl
+          aws-region: us-east-1
       - name: MinIO server setup
         run: |
           case "$RUNNER_OS" in
@@ -73,9 +83,6 @@ jobs:
           git config --global user.name Tester
           git config --global user.email [email protected]
       - uses: julia-actions/julia-runtest@latest
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   slack:
     name: Notify Slack Failure
     needs: test

diff --git a/test/AWSConfig.jl b/test/AWSConfig.jl
@@ -7,10 +7,9 @@
         patch = Patches._assume_role_patch("AssumeRole"; access_key=access_key_id)
 
         config = withenv(
+            [k => nothing for k in filter(startswith("AWS_"), keys(ENV))]...,
             "AWS_CONFIG_FILE" => joinpath(config_dir, "config"),
             "AWS_SHARED_CREDENTIALS_FILE" => joinpath(config_dir, "credentials"),
-            "AWS_ACCESS_KEY_ID" => nothing,
-            "AWS_SECRET_ACCESS_KEY" => nothing,
         ) do
             apply(patch) do
                 AWSConfig(; profile="default")
@@ -23,13 +22,16 @@
     @testset "default profile section names" begin
         allowed_default_sections = ["default", "profile default"]
         mktemp() do config_path, _
-            for default_section_str in allowed_default_sections
-                config = """
-                [$default_section_str]
-                region = xx-yy-1
-                """
-                write(config_path, config)
-                @test aws_get_region(; profile="default", config=config_path) == "xx-yy-1"
+            withenv([k => nothing for k in filter(startswith("AWS_"), keys(ENV))]...) do
+                for default_section_str in allowed_default_sections
+                    config = """
+                    [$default_section_str]
+                    region = xx-yy-1
+                    """
+                    write(config_path, config)
+                    region = aws_get_region(; profile="default", config=config_path)
+                    @test region == "xx-yy-1"
+                end
             end
         end
     end

diff --git a/test/resources/aws_jl_test.yaml b/test/resources/aws_jl_test.yaml
@@ -1,33 +1,66 @@
+# `aws cloudformation create-stack --stack-name AWS-jl-test --template-body file://aws_jl_test.yaml --capabilities CAPABILITY_NAMED_IAM`
 ---
 AWSTemplateFormatVersion: 2010-09-09
 Description: >-
   A stack for testing AWS.jl from public CI
 
 Parameters:
-  PublicCIUser:
-    Description: User which can assume the testing role
+  GitHubOrg:
+    Description: GitHub organization used as part of assuming the CI role
     Type: String
+    AllowedPattern: ^[\w.-]+$
+    Default: JuliaCloud
+
+  GitHubRepo:
+    Description: GitHub repository used as part of assuming the CI role
+    Type: String
+    AllowedPattern: ^[\w.-]+$
+    Default: AWS.jl
+
 
 Resources:
+  PublicCIRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Role used for testing
+      RoleName: !Ref GitHubRepo
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              # Requires that an Identify Provider has been manually added in the AWS account.
+              # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-console
+              # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws
+              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+            Action: sts:AssumeRoleWithWebIdentity
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: sts.amazonaws.com
+                token.actions.githubusercontent.com:sub:
+                    - !Sub repo:${GitHubOrg}/${GitHubRepo}:ref:refs/heads/trying
+                    - !Sub repo:${GitHubOrg}/${GitHubRepo}:ref:refs/heads/staging
+                    - !Sub repo:${GitHubOrg}/${GitHubRepo}:ref:refs/heads/master
+
   StackInfoPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       Description: Allow access to stack outputs
-      Users:
-        - !Ref PublicCIUser
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Action: cloudformation:DescribeStacks
             Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*
 
-  IAMPolicy:
+  IAMTestPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: IAMPolicy
-      Users:
-        - !Ref PublicCIUser
+      PolicyName: !Sub ${GitHubRepo}-IAMTestPolicy
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -38,12 +71,12 @@ Resources:
               - iam:DeletePolicy
             Resource:
               - !Sub arn:aws:iam::${AWS::AccountId}:policy/aws-jl-test-*
-  SecretsManagerPolicy:
+  SecretsManagerTestPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: SecretsManagerTestPolicy
-      Users:
-        - !Ref PublicCIUser
+      PolicyName: !Sub ${GitHubRepo}-SecretsManagerTestPolicy
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -58,9 +91,9 @@ Resources:
   GlacierTestPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: GlacierTestPolicy
-      Users:
-        - !Ref PublicCIUser
+      PolicyName: !Sub ${GitHubRepo}-GlacierTestPolicy
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -77,9 +110,9 @@ Resources:
   S3TestPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: S3TestPolicy
-      Users:
-        - !Ref PublicCIUser
+      PolicyName: !Sub ${GitHubRepo}-S3TestPolicy
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -116,9 +149,9 @@ Resources:
   SQSTestPolicy:
     Type: AWS::IAM::Policy
     Properties:
-      PolicyName: SQSTestPolicy
-      Users:
-        - !Ref PublicCIUser
+      PolicyName: !Sub ${GitHubRepo}-SQSTestPolicy
+      Roles:
+        - !Ref PublicCIRole
       PolicyDocument:
         Version: 2012-10-17
         Statement: