PoC: AssumeRole approach for IPA Metric Collection

Author: yelizhenden-mdb

.github/workflows/release-IPA-metrics.yml

@@ -40,11 +40,16 @@ jobs:
         working-directory: tools/spectral/ipa/metrics/scripts
         run: node runMetricCollection.js "${{ github.workspace }}/v2.json"
 
+      - name: aws configure
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.IPA_METRIC_COLLECTION_AWS_S3_ROLE_TO_ASSUME_STAGING}}
+          aws-region: ${{ vars.AWS_DEFAULT_REGION}}
+
       - name: Dump Metric Collection Job Data to S3
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.IPA_S3_BUCKET_DW_PROD_USERNAME }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PASSWORD }}
-          S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PREFIX }}
+        with:
+          AWS_REGION: ${{ vars.AWS_DEFAULT_REGION}}
+          S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_STAGING_PREFIX}}
         working-directory: tools/spectral/ipa/metrics/scripts
         run: node dataDump.js
 

tools/spectral/ipa/metrics/metricS3Upload.js

@@ -2,7 +2,10 @@ import { PutObjectCommand, S3ServiceException } from '@aws-sdk/client-s3';
 import config from './config.js';
 import path from 'path';
 import fs from 'node:fs';
-import { getS3Client, getS3FilePath } from './utils/dataDumpUtils.js';
+import {
+  getS3FilePath,
+  getS3Client
+} from './utils/dataDumpUtils.js';
 
 /**
  * Upload IPA product metrics to Data Warehouse S3

tools/spectral/ipa/metrics/utils/dataDumpUtils.js

@@ -10,9 +10,7 @@ function loadS3Config() {
   }
   return {
     aws: {
-      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
-      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
-      region: 'us-east-1',
+      region: process.env.AWS_REGION,
     },
     s3: {
       prefix: process.env.S3_BUCKET_PREFIX,
@@ -29,14 +27,14 @@ export function getS3FilePath() {
   return { bucketName, key };
 }
 
+/**
+ * Gets an S3 client configured to use AssumeRole credentials
+ * @returns {S3Client} Configured S3 client
+ */
 export function getS3Client() {
-  const AWSConfig = loadS3Config();
+  const S3Config = loadS3Config();
 
-  return new S3Client({
-    credentials: {
-      accessKeyId: AWSConfig.aws.accessKeyId,
-      secretAccessKey: AWSConfig.aws.secretAccessKey,
-    },
-    region: AWSConfig.aws.region,
-  });
+  // When running in GitHub Actions with aws-actions/configure-aws-credentials,
+  // the SDK will automatically use the credentials from the environment
+  return new S3Client({ region: S3Config.aws.region });
 }