
Commit 7195872

d4l3kfacebook-github-bot
authored andcommitted
CI: use OIDC (#256)
Summary: This switches our integration tests to use the GitHub OpenID Connect credentials provider instead of long-lived, hard-coded AWS access keys stored as repository secrets. The assumed role issues short-lived AWS credentials (1 hour), so this should be considerably more secure (and auditable) than before. https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html Pull Request resolved: #256 Test Plan: CI created PR from external repo to verify they can't generate tokens #257 Reviewed By: kiukchung Differential Revision: D31674489 Pulled By: d4l3k fbshipit-source-id: 5936c64794816eb9fafe76899af44e2f865c64df
1 parent 95ea9f5 commit 7195872


3 files changed

+58
-31
lines changed


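--- a/.github/workflows/components-integration-tests.yaml
+++ b/.github/workflows/components-integration-tests.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
   components-launch:
     runs-on: ubuntu-18.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Setup Python
         uses: actions/setup-python@v2
@@ -17,22 +20,30 @@ jobs:
           architecture: x64
       - name: Checkout TorchX
         uses: actions/checkout@v2
-      - name: Configure Kube Config
+      - name: Configure AWS
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+        run: |
+          if [ -n "$AWS_ROLE_ARN" ]; then
+            export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
+            export AWS_DEFAULT_REGION=us-west-2
+
+            echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
+            echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+            echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
+
+            curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
+          fi
+      - name: Configure Kube Config
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws eks update-kubeconfig --region=us-west-2 --name=${{ secrets.EKS_CLUSTER_NAME }}
           fi
       - name: Configure Docker
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 495572122715.dkr.ecr.us-west-2.amazonaws.com
           fi
       - name: Install dependencies
@@ -42,8 +53,6 @@ jobs:
           pip install -e .[kubernetes]
       - name: Run Components Integration Tests
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           INTEGRATION_TEST_STORAGE: ${{ secrets.INTEGRATION_TEST_STORAGE }}
           CONTAINER_REPO: ${{ secrets.CONTAINER_REPO }}
         run: scripts/component_integration_tests.py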
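Review bot: The new `Configure AWS` step writes whatever the token endpoint returns into `/tmp/awscreds` without checking that the request succeeded: unlike the two steps below it, it has no `set -e`-style guard, `curl` is not run with `--fail`, and `jq -r '.value'` turns a missing field into the literal string `null`, so a transient failure of the OIDC endpoint produces a bogus token file that only surfaces later as a confusing `aws eks`/`aws ecr` error. The file is also created with the runner's default umask (typically 022), so the identity token is world-readable for the lifetime of the job; it is short-lived, but it is still a credential that can be exchanged for the role. I would open the step with `set -euo pipefail` and `umask 077` and fetch with `curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -er '.value' > "$AWS_WEB_IDENTITY_TOKEN_FILE"`; deliberately do not add `-x` here, since bash would echo the expanded `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the job log. The same step is duplicated verbatim in the other two workflows in this commit, so the fix applies there too.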

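--- a/.github/workflows/kfp-integration-tests.yaml
+++ b/.github/workflows/kfp-integration-tests.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
   kfp-launch:
     runs-on: ubuntu-18.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Install kubectl
         # More info: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
@@ -18,13 +21,24 @@ jobs:
           mkdir -p ~/.local/bin/kubectl
           mv ./kubectl ~/.local/bin/kubectl
           export PATH=$PATH:~/.local/bin/kubectl
-      - name: Configure Kube Config
+      - name: Configure AWS
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+        run: |
+          if [ -n "$AWS_ROLE_ARN" ]; then
+            export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
+            export AWS_DEFAULT_REGION=us-west-2
+
+            echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
+            echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+            echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
+
+            curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
+          fi
+      - name: Configure Kube Config
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws eks update-kubeconfig --region=us-west-2 --name=${{ secrets.EKS_CLUSTER_NAME }}
           fi
       - name: Setup Python
@@ -35,12 +49,9 @@ jobs:
       - name: Checkout TorchX
         uses: actions/checkout@v2
       - name: Configure Docker
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 495572122715.dkr.ecr.us-west-2.amazonaws.com
           fi
       - name: Install dependencies
@@ -50,8 +61,6 @@ jobs:
           python setup.py install
       - name: Run KFP Integration Tests
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           KFP_NAMESPACE: ${{ secrets.KFP_NAMESPACE }}
           INTEGRATION_TEST_STORAGE: ${{ secrets.INTEGRATION_TEST_STORAGE }}
           CONTAINER_REPO: ${{ secrets.CONTAINER_REPO }}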
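Review bot: Granting `id-token: write` to the `kfp-launch` job lets every step in it mint a GitHub OIDC token, and nothing in this workflow constrains who may exchange that token for the role; the only visible guard is that the step is skipped when `AWS_ROLE_ARN` is empty, which holds for `pull_request` runs from forks because they receive no secrets, but would not hold under `pull_request_target` (the `on:` block is outside the hunk, so worth confirming). The real access control is the role's trust policy, which must condition on `token.actions.githubusercontent.com:sub` (and `aud`) for this repository, and presumably for `main` or a protected environment rather than any ref. Note also that the request sends no `audience` parameter, so the token's `aud` is GitHub's default (the repository-owner URL) and the IAM OIDC provider must list exactly that; if the provider was created with the commonly recommended `sts.amazonaws.com` audience, the URL needs `&audience=sts.amazonaws.com` appended (`ACTIONS_ID_TOKEN_REQUEST_URL` already carries a query string in practice). I would record this above the step: `# Exchanges the job's GitHub OIDC token for AWS credentials via AWS_ROLE_ARN; fork PRs get no secrets so the step is skipped, but the real guard is the role trust policy pinning token.actions.githubusercontent.com:sub to this repo.`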

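--- a/.github/workflows/kubernetes-dist-train-integration-tests.yaml
+++ b/.github/workflows/kubernetes-dist-train-integration-tests.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
   kubernetes-launch:
     runs-on: ubuntu-18.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Setup Python
         uses: actions/setup-python@v2
@@ -17,22 +20,30 @@ jobs:
           architecture: x64
       - name: Checkout TorchX
         uses: actions/checkout@v2
-      - name: Configure Kube Config
+      - name: Configure AWS
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+        run: |
+          if [ -n "$AWS_ROLE_ARN" ]; then
+            export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
+            export AWS_DEFAULT_REGION=us-west-2
+
+            echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
+            echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
+            echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
+
+            curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
+          fi
+      - name: Configure Kube Config
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws eks update-kubeconfig --region=us-west-2 --name=${{ secrets.EKS_CLUSTER_NAME }}
           fi
       - name: Configure Docker
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
           set -eux
-          if [ -n "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -n "$AWS_ROLE_ARN" ]; then
             aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 495572122715.dkr.ecr.us-west-2.amazonaws.com
           fi
       - name: Install dependencies
@@ -41,12 +52,10 @@ jobs:
           pip install -e .[kubernetes]
       - name: Run Kubernetes Integration Tests
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           INTEGRATION_TEST_STORAGE: ${{ secrets.INTEGRATION_TEST_STORAGE }}
           CONTAINER_REPO: ${{ secrets.CONTAINER_REPO }}
         run: |
-          if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+          if [ -z "$AWS_ROLE_ARN" ]; then
             # only dryrun if no secrets
             ARGS="--dryrun"
           else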
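Review bot: The dry-run decision in `Run Kubernetes Integration Tests` now depends on `AWS_ROLE_ARN` reaching this step through `$GITHUB_ENV`, which the `Configure AWS` step writes only inside its `if [ -n "$AWS_ROLE_ARN" ]` branch, rather than through a step-level `env:` as the old `AWS_ACCESS_KEY_ID` check did; it works, but the coupling is invisible from this step, so I would note it on the check: `# AWS_ROLE_ARN is exported to $GITHUB_ENV by "Configure AWS" only when the secret is set; it is empty on fork PRs, so fall back to a dry run`. The `else` branch continues outside the hunk. Separately, after this commit none of the three workflows reference `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` any more, but the static keys behind those repository secrets stay valid until they are deleted in IAM; unless that already happened, retiring the access keys and removing the secrets is the follow-up that actually realises the security gain described in the summary.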
