Migrate AWS Roles to Azure Vault

Author: AlexFenlon

.github/workflows/oss-release.yml

@@ -121,6 +121,21 @@ jobs:
         with:
           ref: ${{ inputs.branch }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          AWS_ROLE_PUBLIC_ECR=$(az keyvault secret show --name aws-public-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$AWS_ROLE_PUBLIC_ECR"
+          echo "AWS_ROLE_PUBLIC_ECR=$AWS_ROLE_PUBLIC_ECR" >> $GITHUB_OUTPUT
+
       - name: Authenticate to Google Cloud
         id: gcr-auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -140,7 +155,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           aws-region: us-east-1
-          role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
+          role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_PUBLIC_ECR }}
 
       - name: Login to Public ECR
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

.github/workflows/plus-release.yml

@@ -215,6 +215,21 @@ jobs:
         with:
           ref: ${{ inputs.branch }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$AWS_ROLE_MARKETPLACE"
+          echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT
+
       - name: Authenticate to Google Cloud
         id: gcr-auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -234,7 +249,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           aws-region: us-east-1
-          role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
+          role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }}
 
       - name: Login to ECR
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

.github/workflows/release.yml

@@ -437,11 +437,26 @@ jobs:
   #       with:
   #         ref: ${{ inputs.release_branch }}
 
+  #     - name: Azure login
+  #       uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+  #       with:
+  #         client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+  #         tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+  #         subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+  #     - name: Setup secrets
+  #       id: secrets
+  #       run: |
+  #         echo "Setting secrets for job"
+  #         AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+  #         echo "::add-mask::$AWS_ROLE_MARKETPLACE"
+  #         echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT
+
   #     - name: Configure AWS Credentials
   #       uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
   #       with:
   #         aws-region: us-east-1
-  #         role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
+  #         role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }}
 
   #     - name: Publish to AWS Marketplace
   #       uses: nginx/aws-marketplace-publish@accf7b4c725796b744f2ee27acc2488d76f63d32 # v1.0.8