Use AWS OIDC to get AWS creds #742
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jjacobelli
added
non-breaking
ajschmidt8
approved these changes
Mar 7, 2023
dagardner-nv
approved these changes
Mar 7, 2023
mdemoret-nv
approved these changes
Mar 7, 2023
Signed-off-by: Jordan Jacobelli <jjacobelli@nvidia.com>
Signed-off-by: Jordan Jacobelli <jjacobelli@nvidia.com>
|
/merge |
dagardner-nv
pushed a commit
to dagardner-nv/Morpheus
that referenced
this pull request
Mar 7, 2023
This PR is using the AWS OIDC to get AWS credentials ([doc](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)). Currently we are using permanent tokens that we need to manually rotate every 90 days. This PR is removing this requirement. The `AWS_ROLE_ARN` and `AWS_REGION` are orgs variables defined here: https://github.com/organizations/nv-morpheus/settings/variables/actions. Authors: - Jordan Jacobelli (https://github.com/jjacobelli) Approvers: - AJ Schmidt (https://github.com/ajschmidt8) - David Gardner (https://github.com/dagardner-nv) - Michael Demoret (https://github.com/mdemoret-nv) URL: nv-morpheus#742
ajschmidt8
added a commit
to ajschmidt8/Morpheus
that referenced
this pull request
Mar 8, 2023
This PR is a continuation of nv-morpheus#742. Omitting the other keys in the `permissions` block sets them to `none` ([src](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)). This is probably not a concern for `nv-morpheus`, but it caused issues for some private RAPIDS repositories so I wanted to update the `nv-morpheus` repos for consistency. To remedy this, this PR includes the following changes: - Keeps the `id-token` permission as `write`, but sets the remaining permissions as described in the `restricted` column [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) - Also sets `pull_request` to `read` so that `fetch_base_branch` in `common.sh` can use it - Moves the `permissions` block to the top of `ci_pipe.yml` to DRY it up - Removes the `permissions` block from `pull_request.yml` since that workflow only calls `ci_pipe.yml` and therefore is redundant
rapids-bot bot
pushed a commit
that referenced
this pull request
Mar 8, 2023
This PR is a continuation of #742. Omitting the other keys in the `permissions` block sets them to `none` ([src](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)). This is probably not a concern for `nv-morpheus`, but it caused issues for some private RAPIDS repositories so I wanted to update the `nv-morpheus` repos for consistency. To remedy this, this PR includes the following changes: - Keeps the `id-token` permission as `write`, but sets the remaining permissions as described in the `restricted` column [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) - Also sets `pull_request` to `read` so that `fetch_base_branch` in `common.sh` can use it - Moves the `permissions` block to the top of `ci_pipe.yml` to DRY it up - ~~Removes the `permissions` block from `pull_request.yml` since that workflow only calls `ci_pipe.yml` and therefore is redundant~~ (this is required. otherwise this error occurs https://github.com/nv-morpheus/Morpheus/actions/runs/4359998192) Authors: - AJ Schmidt (https://github.com/ajschmidt8) - David Gardner (https://github.com/dagardner-nv) Approvers: - David Gardner (https://github.com/dagardner-nv) URL: #745
ajschmidt8
added a commit
to dagardner-nv/Morpheus
that referenced
this pull request
Mar 8, 2023
This PR is a continuation of nv-morpheus#742. Omitting the other keys in the `permissions` block sets them to `none` ([src](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)). This is probably not a concern for `nv-morpheus`, but it caused issues for some private RAPIDS repositories so I wanted to update the `nv-morpheus` repos for consistency. To remedy this, this PR includes the following changes: - Keeps the `id-token` permission as `write`, but sets the remaining permissions as described in the `restricted` column [here](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) - Also sets `pull_request` to `read` so that `fetch_base_branch` in `common.sh` can use it - Moves the `permissions` block to the top of `ci_pipe.yml` to DRY it up - ~~Removes the `permissions` block from `pull_request.yml` since that workflow only calls `ci_pipe.yml` and therefore is redundant~~ (this is required. otherwise this error occurs https://github.com/nv-morpheus/Morpheus/actions/runs/4359998192) Authors: - AJ Schmidt (https://github.com/ajschmidt8) - David Gardner (https://github.com/dagardner-nv) Approvers: - David Gardner (https://github.com/dagardner-nv) URL: nv-morpheus#745
rapids-bot bot
pushed a commit
that referenced
this pull request
Mar 13, 2023
This PR is using the AWS OIDC to get AWS credentials ([doc](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)). Currently we are using permanent tokens that we need to manually rotate every 90 days. This PR is removing this requirement. The `AWS_ROLE_ARN` and `AWS_REGION` are orgs variables defined here: https://github.com/organizations/nv-morpheus/settings/variables/actions. Authors: - Jordan Jacobelli (https://github.com/jjacobelli) - David Gardner (https://github.com/dagardner-nv) Approvers: - AJ Schmidt (https://github.com/ajschmidt8) - Jordan Jacobelli (https://github.com/jjacobelli) - Michael Demoret (https://github.com/mdemoret-nv) URL: #742 Authors: - David Gardner (https://github.com/dagardner-nv) - Jordan Jacobelli (https://github.com/jjacobelli) - AJ Schmidt (https://github.com/ajschmidt8) Approvers: - AJ Schmidt (https://github.com/ajschmidt8) - Michael Demoret (https://github.com/mdemoret-nv) URL: #743
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is using the AWS OIDC to get AWS credentials (doc). Currently we are using permanent tokens that we need to manually rotate every 90 days. This PR is removing this requirement.
The
AWS_ROLE_ARNandAWS_REGIONare orgs variables defined here: https://github.com/organizations/nv-morpheus/settings/variables/actions.