aws-observability
diff --git a/‎.github/collector/docker-compose.yml‎
Lines changed: 0 additions & 9 deletions b/‎.github/collector/docker-compose.yml‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎.github/workflows/docker-build-corretto-slim.yml‎
Lines changed: 17 additions & 10 deletions b/‎.github/workflows/docker-build-corretto-slim.yml‎
Lines changed: 17 additions & 10 deletions
diff --git a/‎.github/workflows/docker-build-smoke-tests-fake-backend.yml‎
Lines changed: 17 additions & 10 deletions b/‎.github/workflows/docker-build-smoke-tests-fake-backend.yml‎
Lines changed: 17 additions & 10 deletions
diff --git a/‎.github/workflows/main-build-test.yml‎
Lines changed: 0 additions & 149 deletions b/‎.github/workflows/main-build-test.yml‎
Lines changed: 0 additions & 149 deletions
diff --git a/‎.github/workflows/main-build.yml‎
Lines changed: 38 additions & 43 deletions b/‎.github/workflows/main-build.yml‎
Lines changed: 38 additions & 43 deletions
@@ -4,9 +4,6 @@ services:
     image: amazon/aws-otel-collector:latest
     command: --config /config/collector-config.yml --log-level debug
     environment:
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
       - AWS_WEB_IDENTITY_TOKEN_FILE
     volumes:
@@ -20,9 +17,6 @@ services:
     environment:
       - INSTANCE_ID
       - LISTEN_ADDRESS
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
       - AWS_WEB_IDENTITY_TOKEN_FILE
       - OTEL_RESOURCE_ATTRIBUTES=service.name=aws-otel-integ-test
@@ -42,9 +36,6 @@ services:
       - otel
       - app
     environment:
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
       - AWS_WEB_IDENTITY_TOKEN_FILE
       - AWS_REGION=us-west-2
 
@@ -6,24 +6,31 @@ on:
       - scripts/docker/corretto-slim/**
       - .github/workflows/docker-build-corretto-slim.yml
 
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build-corretto:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - uses: gradle/wrapper-validation-action@v1
+
+      - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: Cache Docker layers
 
@@ -8,6 +8,14 @@ on:
       - gradle/**
       - .github/workflows/docker-build-smoke-tests-fake-backend.yml
 
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build-docker:
     runs-on: ubuntu-latest
@@ -17,18 +25,17 @@ jobs:
         with:
           java-version: 14
       - uses: gradle/wrapper-validation-action@v1
+
+      - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
+
       - name: Build and push docker image
         uses: burrunan/gradle-cache-action@v1
         with:
 
@@ -3,6 +3,14 @@ on:
     branches:
       - main
 
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -14,18 +22,17 @@ jobs:
         with:
           java-version: 14
       - uses: gradle/wrapper-validation-action@v1
+
+      - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
+
       - name: Build snapshot with Gradle
         uses: burrunan/gradle-cache-action@v1
         with:
@@ -60,19 +67,15 @@ jobs:
         with:
           java-version: 14
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+      - run: sleep 5 # there's still a race condition for now
+      - name: Configure AWS Credentials
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
 
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
       - name: Run test containers
         run: docker-compose up --abort-on-container-exit
@@ -95,19 +98,15 @@ jobs:
         with:
           java-version: 14
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+      - run: sleep 5 # there's still a race condition for now
+      - name: Configure AWS Credentials
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
 
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
       - name: Run test containers
         run: docker-compose up --abort-on-container-exit
@@ -130,19 +129,15 @@ jobs:
         with:
           java-version: 14
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          role-duration-seconds: 1200
-          aws-region: us-east-1
+      - run: sleep 5 # there's still a race condition for now
+      - name: Configure AWS Credentials
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
 
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
+        run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
       - name: Run test containers
         run: docker-compose up --abort-on-container-exit