Use AWS OIDC to get AWS creds

Signed-off-by: Jordan Jacobelli <[email protected]>
nv-morpheus · Mar 7, 2023 · 6d0e70d · 6d0e70d
1 parent 7a6ea6a
commit 6d0e70d
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 8 deletions.
diff --git a/.github/workflows/ci_pipe.yml b/.github/workflows/ci_pipe.yml
@@ -36,16 +36,10 @@ on:
         required: true
       CONDA_TOKEN:
         required: true
-      GHA_AWS_ACCESS_KEY_ID:
-        required: true
-      GHA_AWS_SECRET_ACCESS_KEY:
-        required: true
       NGC_API_KEY:
         required: true
 
 env:
-  AWS_ACCESS_KEY_ID: "${{ secrets.GHA_AWS_ACCESS_KEY_ID }}"
-  AWS_SECRET_ACCESS_KEY: "${{ secrets.GHA_AWS_SECRET_ACCESS_KEY }}"
   CHANGE_TARGET: "${{ github.base_ref }}"
   GH_TOKEN: "${{ github.token }}"
   GIT_COMMIT: "${{ github.sha }}"
@@ -67,6 +61,8 @@ jobs:
       image: ${{ inputs.container }}
     strategy:
       fail-fast: true
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -76,6 +72,12 @@ jobs:
           path: 'mrc'
           fetch-depth: 0
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: Check
         shell: bash
         run: ./mrc/ci/scripts/github/checks.sh
@@ -93,6 +95,8 @@ jobs:
       fail-fast: true
       matrix:
         build_cc: ["gcc", "clang"]
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -101,6 +105,12 @@ jobs:
           lfs: false
           path: 'mrc'
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: Build:linux:x86_64
         shell: bash
         env:
@@ -125,6 +135,8 @@ jobs:
       fail-fast: true
       matrix:
         build_cc: ["gcc", "clang"]
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -133,6 +145,12 @@ jobs:
           lfs: false
           path: 'mrc'
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: Test:linux:x86_64
         shell: bash
         env:
@@ -155,6 +173,8 @@ jobs:
       image: ${{ inputs.test_container }}
     strategy:
       fail-fast: true
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -163,6 +183,12 @@ jobs:
           lfs: false
           path: 'mrc'
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: Build
         shell: bash
         run: ./mrc/ci/scripts/github/build.sh
@@ -185,6 +211,8 @@ jobs:
       image: ${{ inputs.container }}
     strategy:
       fail-fast: true
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -193,6 +221,12 @@ jobs:
           lfs: false
           path: 'mrc'
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: build_docs
         shell: bash
         run: ./mrc/ci/scripts/github/docs.sh
@@ -210,6 +244,8 @@ jobs:
       options: --cap-add=sys_nice
     strategy:
       fail-fast: true
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -218,6 +254,12 @@ jobs:
           lfs: false
           path: 'mrc'
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: pre_benchmark
         shell: bash
         run: ./mrc/ci/scripts/github/pre_benchmark.sh
@@ -242,6 +284,8 @@ jobs:
       image: ${{ inputs.container }}
     strategy:
       fail-fast: true
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout
@@ -251,6 +295,12 @@ jobs:
           path: 'mrc'
           fetch-depth: 0
 
+      - name: Get AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
       - name: conda
         shell: bash
         env:

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -38,6 +38,4 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       CONDA_TOKEN: ${{ secrets.CONDA_TOKEN }}
-      GHA_AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_ACCESS_KEY_ID }}
-      GHA_AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_SECRET_ACCESS_KEY }}
       NGC_API_KEY: ${{ secrets.NGC_API_KEY }}