@@ -24,26 +24,28 @@ jobs:
2424 with :
2525 python-version : 3.x
2626 - name : Install environment
27- env :
28- MYTOKEN : ${{ secrets.MYTOKEN }}
2927 run : |
3028 curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
3129 chmod +x jq
3230 pip install yq ansible git+https://github.com/tdviet/fedcloudclient.git
33- curl -L https://github.com/oidc-mytoken/client/releases/download/v0.5.2/mytoken_0.5.2_linux_64-bit.tar.gz \
34- | tar -xzf -
35- mkdir ~/.mytoken
36- curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml \
37- | sed 's/default_provider:/default_provider: "egi"/g' \
38- > ~/.mytoken/config.yaml
3931 # add PWD to the PATH
4032 echo "$PWD" >> "$GITHUB_PATH"
41- # add OIDC access token to ENV
42- OIDC_TOKEN=$(./mytoken AT --MT-env MYTOKEN)
43- echo "::add-mask::$OIDC_TOKEN"
44- echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
4533 - name : Configure providers access
34+ env :
35+ CLIENT_ID : ${{ secrets.CLIENT_ID }}
36+ CLIENT_SECRET : ${{ secrets.CLIENT_SECRET }}
4637 run : |
38+ # using parametric scopes to only have access to cloud.egi.eu VO
39+ SCOPE="openid%20email%20profile%20voperson_id"
40+ SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
41+ SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"
42+ SCOPE="$SCOPE%20entitlements:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
43+ SCOPE="$SCOPE%20entitlements:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"
44+ OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
45+ -d "grant_type=client_credentials&client_id=$CLIENT_ID&scope=$SCOPE&client_secret=$CLIENT_SECRET" \
46+ | jq -r ".access_token")
47+ echo "::add-mask::$OIDC_TOKEN"
48+ echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
4749 cd deployment
4850 ./site-config.sh
4951 - name : Setup Terraform
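Review bot: The token request in the new "Configure providers access" step has no failure path: `curl` is run without `-f`, so a 4xx from the token endpoint (bad client secret, rejected scope) still exits 0, `jq -r ".access_token"` prints the literal `null`, and the step then masks the string "null" for the rest of the job and exports `OIDC_TOKEN=null` for `site-config.sh` to fail on later with a misleading error. A second point is that `$CLIENT_SECRET` is expanded into curl's argv via `-d "...client_secret=$CLIENT_SECRET"`, which is readable from the runner's process list while the request is in flight; feeding the body through stdin (`-d @-`) keeps it out of argv. Checking for an empty token before masking/exporting, as below, turns both failures into a clear `::error::` at the point they occur. The `#` in the entitlement values is also sent unencoded in the form body; if the server accepts that today it is fine, but building the body with `--data-urlencode "scope=..."` from a plain-space scope string would make the encoding explicit.

```yaml
      - name: Configure providers access
        env:
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
        run: |
          # … unchanged: SCOPE assembly …
          # Body goes in via stdin so the client secret never appears in curl's argv;
          # -fsS makes an HTTP error a non-zero exit instead of a JSON error document.
          OIDC_TOKEN=$(printf 'grant_type=client_credentials&client_id=%s&client_secret=%s&scope=%s' \
              "$CLIENT_ID" "$CLIENT_SECRET" "$SCOPE" \
            | curl -fsS -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
                -H "Content-Type: application/x-www-form-urlencoded" -d @- \
            | jq -r '.access_token // empty')
          if [ -z "$OIDC_TOKEN" ]; then
            echo "::error::token request to aai.egi.eu failed or returned no access_token"
            exit 1
          fi
          echo "::add-mask::$OIDC_TOKEN"
          echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
          # … unchanged: cd deployment / site-config.sh …
```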