@@ -150,12 +150,8 @@ resource "aws_s3_bucket_inventory" "artifacts" {
150
150
}
151
151
}
152
152
153
- data "aws_iam_openid_connect_provider" "gha" {
154
- url = " https://token.actions.githubusercontent.com"
155
- }
156
-
157
- resource "aws_iam_role" "oidc" {
158
- name = " ${ var . iam_prefix } --role"
153
+ resource "aws_iam_role" "try_builds" {
154
+ name = " ${ var . iam_prefix } --try-role"
159
155
160
156
assume_role_policy = jsonencode ({
161
157
Version = " 2012-10-17"
@@ -164,29 +160,11 @@ resource "aws_iam_role" "oidc" {
164
160
Effect = " Allow"
165
161
Action = " sts:AssumeRoleWithWebIdentity"
166
162
Principal = {
167
- Federated = " cognito-identity.amazonaws.com"
168
- }
169
- Condition = {
170
- StringEquals = {
171
- " cognito-identity.amazonaws.com:aud" = " ${ aws_cognito_identity_pool . main . id } "
172
- // This forces the caller to set the session name according to the caller's run & sha
173
- " sts:RoleSessionName" = " $${aws:RequestTag/run_id}@$${aws:RequestTag/sha}"
174
- " aws:RequestTag/repository" = " ${ var . source_repo } "
175
- // For now only allow new bors & try builds
176
- " aws:RequestTag/ref" = " refs/heads/automation/bors/try"
177
- " aws:RequestTag/event_name" = " push"
178
- }
179
- }
180
- },
181
- {
182
- Effect = " Allow"
183
- Action = " sts:TagSession"
184
- Principal = {
185
- Federated = " cognito-identity.amazonaws.com"
163
+ Federated = " arn:aws:iam::890664054962:oidc-provider/token.actions.githubusercontent.com"
186
164
}
187
165
Condition = {
188
166
StringEquals = {
189
- " cognito-identity.amazonaws. com:aud " = " ${ aws_cognito_identity_pool . main . id } "
167
+ " token.actions.githubusercontent. com:sub " = " repo: ${ var . repo } :ref:refs/heads/automation/bors/try "
190
168
}
191
169
}
192
170
}
@@ -202,8 +180,10 @@ resource "aws_iam_role" "oidc" {
202
180
Sid = " ArtifactsBucketWrite"
203
181
Effect = " Allow"
204
182
Resource = [
205
- " ${ aws_s3_bucket . artifacts . arn } /rustc-builds/$${aws:PrincipalTag/sha}/*" ,
206
- " ${ aws_s3_bucket . artifacts . arn } /rustc-builds-alt/$${aws:PrincipalTag/sha}/*" ,
183
+ " ${ aws_s3_bucket . artifacts . arn } /rustc-builds-try" ,
184
+ " ${ aws_s3_bucket . artifacts . arn } /rustc-builds-try/*" ,
185
+ " ${ aws_s3_bucket . artifacts . arn } /rustc-builds-try-alt" ,
186
+ " ${ aws_s3_bucket . artifacts . arn } /rustc-builds-try-alt/*" ,
207
187
]
208
188
Action = [
209
189
" s3:GetObject" ,
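Review bot: The new trust policy in the second hunk (new lines 160–170) pins only the `sub` claim; the usual guidance for GitHub Actions OIDC is to pin the audience as well, so add `"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"` beside the `sub` entry in the `StringEquals` block so that a token issued for another audience is rejected in the trust policy itself and not only by the provider's client-id list. The `Federated` principal on new line 163 hard-codes an account id in the provider ARN; the `data "aws_iam_openid_connect_provider" "gha"` block this commit deletes would let it be written as `data.aws_iam_openid_connect_provider.gha.arn`, which keeps the role portable across accounts and makes the provider dependency visible to Terraform. Unlike the removed Cognito-based policy, the new trust no longer constrains `sts:RoleSessionName`, so session names will no longer carry the run id and sha; if CloudTrail correlation of try builds relied on that, it needs another mechanism. The `aws_iam_role "try_builds"` resource starts and ends outside this hunk.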