CLOUDP-270507: Use federated credentials (#324)

Author: blva

.github/workflows/generate-openapi.yml

@@ -21,11 +21,8 @@ on:
     secrets: # all secrets are passed explicitly in this workflow
       api_bot_pat:
         required: true
-      aws_access_key_id:
+      aws_s3_role_to_assume:
         required: true
-      aws_secret_access_key:
-        required: true
-      
 
 permissions:
   contents: write
@@ -61,11 +58,14 @@ jobs:
       - name: Add permissions to execute scripts
         run: |
           chmod +x release-scripts/*.sh  
+      - name: aws configure
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.aws_s3_role_to_assume }}
+          aws-region: ${{inputs.aws_default_region}}
       - name: Retrieve Specs
         env:
           AWS_DEFAULT_REGION: ${{inputs.aws_default_region}}
-          AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
           S3_BUCKET: ${{ inputs.aws_s3_bucket }}
         run: ./release-scripts/download_specs.sh
       - name: Generate Federated Spec

.github/workflows/release-changelog.yml

@@ -25,9 +25,7 @@ on:
     secrets: # all secrets are passed explicitly in this workflow
       api_bot_pat:
         required: true
-      aws_access_key_id:
-        required: true
-      aws_secret_access_key:
+      aws_s3_role_to_assume:
         required: true
 
 permissions:
@@ -89,11 +87,14 @@ jobs:
         - name: Add permissions to execute scripts
           run: |
             chmod +x release-scripts/*.sh
+        - name: aws configure
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            role-to-assume: ${{ secrets.aws_s3_role_to_assume }}
+            aws-region: ${{inputs.aws_default_region}}
         - name: Generate Changelog
           env:
             AWS_DEFAULT_REGION: ${{inputs.aws_default_region}}
-            AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
-            AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
             S3_BUCKET: ${{ inputs.aws_s3_bucket }}
           run: ./release-scripts/generate_changelog.sh
         - name: Upload revision and base folders for debugging

.github/workflows/release-spec-runner.yml

@@ -50,8 +50,7 @@ jobs:
     uses: ./.github/workflows/release-spec.yml
     secrets:
       api_bot_pat: ${{ secrets.API_BOT_PAT }}
-      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
-      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
+      aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
       jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
     with:
       aws_default_region: ${{ vars.AWS_DEFAULT_REGION}}
@@ -68,8 +67,7 @@ jobs:
     uses: ./.github/workflows/release-spec.yml
     secrets:
         api_bot_pat: ${{ secrets.API_BOT_PAT }}
-        aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_QA }}
-        aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_QA }}
+        aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
         jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
     with:
         aws_default_region: ${{ vars.AWS_DEFAULT_REGION}}
@@ -86,8 +84,7 @@ jobs:
     uses: ./.github/workflows/release-spec.yml
     secrets:
         api_bot_pat: ${{ secrets.API_BOT_PAT }}
-        aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }}
-        aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }}
+        aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
         jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
     with:
         aws_default_region: ${{ vars.AWS_DEFAULT_REGION}}
@@ -104,8 +101,7 @@ jobs:
     uses: ./.github/workflows/release-spec.yml
     secrets:
         api_bot_pat: ${{ secrets.API_BOT_PAT }}
-        aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
-        aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
+        aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
         postman_api_key: ${{ secrets.POSTMAN_API_KEY }}
         workspace_id: ${{ secrets.WORKSPACE_ID }}
         jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
@@ -125,8 +121,7 @@ jobs:
     uses: ./.github/workflows/release-spec-v1.yml
     secrets:
       api_bot_pat: ${{ secrets.API_BOT_PAT }}
-      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
-      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
+      aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
       mms_deployed_sha_url: ${{ secrets.MMS_DEPLOYED_SHA_URL_PROD }}
     with:
       aws_default_region: ${{ vars.AWS_DEFAULT_REGION}}

.github/workflows/release-spec-v1.yml

@@ -21,9 +21,7 @@ on:
     secrets: # all secrets are passed explicitly in this workflow
       api_bot_pat:
         required: true
-      aws_access_key_id:
-        required: true
-      aws_secret_access_key:
+      aws_s3_role_to_assume:
         required: true
       mms_deployed_sha_url:
         required: true
@@ -37,11 +35,14 @@ jobs:
     name: Release OpenAPI Spec for V1 (DEPRECATED) APIs
     runs-on: ubuntu-latest
     steps:
+      - name: aws configure
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.aws_s3_role_to_assume }}
+          aws-region: ${{inputs.aws_default_region}}
       - name: Download v1 Spec
         env:
           AWS_DEFAULT_REGION: ${{inputs.aws_default_region}}
-          AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
           S3_BUCKET: ${{ inputs.aws_s3_bucket }}
           MMS_DEPLOYED_SHA_URL: ${{secrets.mms_deployed_sha_url}}
         run: |

.github/workflows/release-spec.yml

@@ -33,16 +33,14 @@ on:
     secrets: # all secrets are passed explicitly in this workflow
       api_bot_pat:
         required: true
-      aws_access_key_id:
-        required: true
-      aws_secret_access_key:
-        required: true
       postman_api_key:
         required: false
       workspace_id:
         required: false
       jira_api_token:
         required: true
+      aws_s3_role_to_assume:
+        required: true
 
 permissions:
   contents: write
@@ -54,8 +52,7 @@ jobs:
     uses: ./.github/workflows/generate-openapi.yml
     secrets:
       api_bot_pat: ${{ secrets.api_bot_pat }}
-      aws_access_key_id: ${{ secrets.aws_access_key_id }}
-      aws_secret_access_key: ${{ secrets.aws_secret_access_key }}
+      aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
     with:
       aws_default_region: ${{ inputs.aws_default_region}}
       aws_s3_bucket: ${{ inputs.aws_s3_bucket}}
@@ -170,8 +167,7 @@ jobs:
     uses: ./.github/workflows/release-changelog.yml
     secrets:
         api_bot_pat: ${{ secrets.api_bot_pat }}
-        aws_access_key_id: ${{ secrets.aws_access_key_id }}
-        aws_secret_access_key: ${{ secrets.aws_secret_access_key }}
+        aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }}
     with:
         aws_default_region: ${{ inputs.aws_default_region}}
         aws_s3_bucket: ${{ inputs.aws_s3_bucket}}