Revert "Use aws-credentials action to configure creds bc it uses OIDC by default (#110)" (#111)

This reverts commit 16bd8a4.

Author: Anuraag Agrawal

.github/collector/docker-compose.yml

@@ -4,10 +4,8 @@ services:
     image: amazon/aws-otel-collector:latest
     command: --config /config/collector-config.yml
     environment:
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
+      - AWS_WEB_IDENTITY_TOKEN_FILE
     volumes:
       - .:/config
       - /tmp/awscreds:/tmp/awscreds
@@ -19,10 +17,8 @@ services:
     environment:
       - INSTANCE_ID
       - LISTEN_ADDRESS
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
+      - AWS_WEB_IDENTITY_TOKEN_FILE
       - OTEL_RESOURCE_ATTRIBUTES=service.name=aws-otel-integ-test
       - OTEL_EXPORTER_OTLP_ENDPOINT=http://otel:4317
       - AWS_REGION=us-west-2
@@ -41,10 +37,8 @@ services:
       - otel
       - app
     environment:
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
-      - AWS_SESSION_TOKEN
       - AWS_ROLE_ARN
+      - AWS_WEB_IDENTITY_TOKEN_FILE
       - AWS_REGION=us-west-2
     volumes:
       - /tmp/awscreds:/tmp/awscreds

.github/workflows/docker-build-corretto-slim.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -22,10 +23,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/docker-build-smoke-tests-fake-backend.yml

@@ -10,6 +10,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -27,10 +28,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/main-build.yml

@@ -5,6 +5,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -24,10 +25,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
@@ -67,10 +69,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
@@ -97,10 +100,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 
@@ -127,10 +131,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/nightly-upstream-snapshot-build.yml

@@ -5,6 +5,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -24,10 +25,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/patch-release-build.yml

@@ -12,6 +12,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -66,10 +67,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/release-build.yml

@@ -7,6 +7,7 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/awscreds
 
 permissions:
   id-token: write
@@ -24,10 +25,11 @@ jobs:
 
       - run: sleep 5 # there's still a race condition for now
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+        run: |
+          export AWS_ROLE_ARN=${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+
+          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
       - name: Login to ECR1
         run: aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
 

.github/workflows/soak-testing.yml

@@ -99,6 +99,8 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
           role-duration-seconds: 21600 # 6 Hours
           aws-region: ${{ env.AWS_DEFAULT_REGION }}