Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use AWS OIDC to get AWS creds #294

Merged
merged 1 commit into from
Mar 7, 2023
Merged

Use AWS OIDC to get AWS creds #294

merged 1 commit into from
Mar 7, 2023

Conversation

jjacobelli
Copy link
Contributor

This PR is using the AWS OIDC to get AWS credentials (doc). Currently we are using permanent tokens that we need to manually rotate every 90 days. This PR is removing this requirement.

The AWS_ROLE_ARN and AWS_REGION are orgs variables defined here: https://github.com/organizations/nv-morpheus/settings/variables/actions.

@jjacobelli jjacobelli self-assigned this Mar 7, 2023
@jjacobelli jjacobelli added improvement Improvement to existing functionality non-breaking Non-breaking change labels Mar 7, 2023
@jjacobelli jjacobelli marked this pull request as ready for review March 7, 2023 14:37
@jjacobelli jjacobelli requested a review from a team as a code owner March 7, 2023 14:37
@jjacobelli
Use AWS OIDC to get AWS creds
5156ae9 
Signed-off-by: Jordan Jacobelli <[email protected]>
@codecov
Copy link

codecov bot commented Mar 7, 2023

Codecov Report

Merging #294 (5156ae9) into branch-23.03 (7a6ea6a) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##           branch-23.03     #294   +/-   ##
=============================================
  Coverage         72.95%   72.95%           
=============================================
  Files               381      381           
  Lines             13117    13117           
  Branches            992      991    -1     
=============================================
  Hits               9569     9569           
  Misses             3548     3548
Flag Coverage Δ
cpp 68.69% <ø> (-0.01%) ⬇️
py 41.04% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7a6ea6a...5156ae9. Read the comment docs.

@dagardner-nv
Copy link
Contributor

/merge

@rapids-bot rapids-bot bot merged commit 588a956 into nv-morpheus:branch-23.03 Mar 7, 2023
@jjacobelli jjacobelli deleted the aws-oidc branch March 7, 2023 17:44
ajschmidt8 added a commit to ajschmidt8/MRC that referenced this pull request Mar 8, 2023
@ajschmidt8
Update workflow permissions block
6873f0a 
This PR is a continuation of nv-morpheus#294.

Omitting the other keys in the `permissions` block sets them to `none` ([src](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)).

This is probably not a concern for `nv-morpheus`, but it caused issues for some private RAPIDS repositories so I wanted to update the `nv-morpheus` repos for consistency.

To remedy this, this PR includes the following changes:

- Keeps the `id-token` permission as `write`, but sets the remaining permissions as described in the `restricted` column [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
  - Also sets `pull_request` to `read` so that `fetch_base_branch` in `common.sh` can use it
- Moves the `permissions` blocks to the top of the workflows to DRY them up
@ajschmidt8 ajschmidt8 mentioned this pull request Mar 8, 2023
Merged
rapids-bot bot pushed a commit that referenced this pull request Mar 8, 2023
@ajschmidt8
Update workflow permissions block (#296)
d3f9d4c 
This PR is a continuation of #294.

Omitting the other keys in the `permissions` block sets them to `none` ([src](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)).

This is probably not a concern for `nv-morpheus`, but it caused issues for some private RAPIDS repositories so I wanted to update the `nv-morpheus` repos for consistency.

To remedy this, this PR includes the following changes:

- Keeps the `id-token` permission as `write`, but sets the remaining permissions as described in the `restricted` column [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
  - Also sets `pull_request` to `read` so that `fetch_base_branch` in `common.sh` can use it
- Moves the `permissions` blocks to the top of the workflows to DRY them up

Authors:
  - AJ Schmidt (https://github.com/ajschmidt8)

Approvers:
  - David Gardner (https://github.com/dagardner-nv)

URL: #296
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajschmidt8 ajschmidt8 ajschmidt8 approved these changes

@dagardner-nv dagardner-nv dagardner-nv approved these changes

Assignees

@jjacobelli jjacobelli

Labels
improvement Improvement to existing functionality non-breaking Non-breaking change
Projects
No open projects
MRC Boards
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jjacobelli @dagardner-nv @ajschmidt8