chore: Migrated from long-term IAM to OIDC (#596)

kg-aws · web-flow · commit 2a4dddd5eb59 · 2024-08-01T09:58:24.000-04:00
* Migrated from long-term IAM to OIDC
diff --git a/.github/workflows/test-workflow.yml b/.github/workflows/test-workflow.yml
@@ -5,6 +5,10 @@ on:
 
 name: Integration Test
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Deploy
@@ -19,10 +23,10 @@ jobs:
         echo Integration test run: githubactionsamazonecsdeplo-NWcjHIgDJLXw:ecb0a69e-514e-4d6c-b21e-dda87ed159e4
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v1
+      uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsDeployTaskIntegrationTests
+        role-session-name: deploy_task_integration_tests
         aws-region: us-west-2
         
     - name: Deploy Amazon ECS task definition with one-off task and wait for task stopped set to false
diff --git a/test-workflow.yml b/test-workflow.yml
@@ -5,6 +5,10 @@ on:
 
 name: Integration Test
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Deploy
@@ -19,10 +23,10 @@ jobs:
         echo Integration test run: BUILD_ID
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v1
+      uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsDeployTaskIntegrationTests
+        role-session-name: deploy_task_integration_tests
         aws-region: us-west-2
 
     - name: Deploy Amazon ECS task definition with one-off task and wait for task stopped set to false
