
Commit 83227ce

authored
OIDC deploy (#450)
* Use aws-configure-credentials for OIDC deploy Signed-off-by: Crola1702 <[email protected]> * Fix aws-action syntax Signed-off-by: Crola1702 <[email protected]> * Test configure credentials Signed-off-by: Crola1702 <[email protected]> * Test describe permissions Signed-off-by: Crola1702 <[email protected]> * List permissions in a different way Signed-off-by: Crola1702 <[email protected]> * List permissions in a different way Signed-off-by: Crola1702 <[email protected]> * List permissions in a different way Signed-off-by: Crola1702 <[email protected]> * Test identity from dockerfiles Signed-off-by: Crola1702 <[email protected]> * Check if credentials defined Signed-off-by: Crola1702 <[email protected]> * Fix syntax Signed-off-by: Crola1702 <[email protected]> * Check if not defined Signed-off-by: Crola1702 <[email protected]> * Add session token to aws configuration Signed-off-by: Crola1702 <[email protected]> * Add session token to all distributions Signed-off-by: Crola1702 <[email protected]> --------- Signed-off-by: Crola1702 <[email protected]>
1 parent adf33db commit 83227ce


7 files changed

+26
-18
lines changed


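--- a/.github/workflows/nightly-upload.yml
+++ b/.github/workflows/nightly-upload.yml
@@ -10,26 +10,29 @@ jobs:
   upload:
     name: Upload docs to production
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - name: Checkout
       uses: actions/checkout@v2
-    - name: Setup aws cli
-      run: |
-        sudo apt-get update &&
-        sudo apt-get install curl &&
-        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" &&
-        unzip awscliv2.zip &&
-        sudo ./aws/install --update &&
-        aws --version
+    - name: Configure AWS Credentials
+      id: creds
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-east-1
+        role-to-assume: arn:aws:iam::200670743174:role/github-oidc-deployment-gz-web-app
+        # Need to run ./build_docs.sh
+        output-credentials: true
     - name: Run nightly upload
-      run: cd tools && ./build_docs.sh all
+      run: |
+        cd tools && ./build_docs.sh all
       shell: bash
       env:
         GZ_VERSION_PASSWORD: ${{ secrets.GZ_VERSION_PASSWORD }}
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
+        AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
+        AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
     - name: Invalidate Cloudfront distribution
       run: |
-        aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} &&
-        aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} &&
         aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths '/*' --region us-east-1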
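Review bot: `output-credentials: true` on the Configure AWS Credentials step exists only so that `build_docs.sh` can forward the STS credentials into `docker build --build-arg`, which per Docker's own guidance leaves them recoverable from the builder image's history; that trade-off deserves a real comment instead of `# Need to run ./build_docs.sh`, e.g. `# Expose the short-lived STS creds as step outputs: build_docs.sh hands them to docker build via --build-arg, so they land in the (immediately deleted) builder image`. The env block of "Run nightly upload" maps the three outputs explicitly while "Invalidate Cloudfront distribution" relies on the action having exported the same `AWS_*` variables to the job environment — as far as I know it does so by default, so one of the two mechanisms is redundant and the intended one should be stated. The role's trust policy is outside this diff; for a role that can write the production docs bucket and invalidate CloudFront it should constrain the OIDC token's `sub` claim to this repository and the branch this workflow runs on, and setting `role-session-name` would make the assumed session attributable in CloudTrail. `actions/checkout@v2` is untouched context here, but it is the deprecated Node 12 release and should move to a current major when this file is next edited.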

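--- a/tools/Dockerfile.citadel
+++ b/tools/Dockerfile.citadel
@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 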
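Review bot: `ARG AWS_SESSION_TOKEN` and the widened `RUN` line push a third credential through a build argument, and Docker documents that build args referenced by a `RUN` step are recoverable with `docker history`; `install_common_deps.sh` additionally writes all three values into the image's AWS config, so the complete credential set sits in a layer of `gz-docs-builder`. The exposure is bounded because the token is an STS session and `build_docs.sh` deletes the image right after, but it is still the documented anti-pattern for secrets in builds, and a comment on the `ARG` lines should say so: `# NOTE: credentials passed as build args are visible in image history; the image is removed immediately after the build`. Longer term a BuildKit `RUN --mount=type=secret` (or doing the upload at `docker run` time) would keep them out of the layer entirely. With the shell-form `RUN`, an unset `$AWS_SESSION_TOKEN` expands to nothing and the script receives only two positional arguments; quoting the expansions (`"$AWS_SESSION_TOKEN"`) keeps the argument positions stable.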
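--- a/tools/Dockerfile.fortress
+++ b/tools/Dockerfile.fortress
@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 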
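Review bot: The unquoted `$AWS_SESSION_TOKEN` on the new `RUN` line means that when the build arg is not supplied the script is called with two arguments instead of an empty third one, which changes how `install_common_deps.sh` sees its `$3`; writing `"$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN"` makes the positions fixed. Since all three values are build args, they are recorded in the image history and, via the script, in the image's AWS config file; the token is short-lived, but a comment such as `# AWS_* build args end up in image history; see build_docs.sh which deletes the image after use` would warn the next maintainer.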
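--- a/tools/Dockerfile.garden
+++ b/tools/Dockerfile.garden
@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 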
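Review bot: This Dockerfile now requires a `AWS_SESSION_TOKEN` build arg, but the `build_docs.sh` hunk in this same commit only adds `--build-arg AWS_SESSION_TOKEN` to the Citadel build; unless the Garden `docker build` line was updated earlier, this `RUN` receives an empty token and the configure step in `install_common_deps.sh` runs without a value. A one-line comment next to the `ARG` would tie the two together: `# Must be passed by build_docs.sh via --build-arg AWS_SESSION_TOKEN (STS session token, optional for static keys)`. As with the other credential args, the value is visible in `docker history`, so keeping the image deletion in `build_docs.sh` is part of the security contract here.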
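--- a/tools/Dockerfile.harmonic
+++ b/tools/Dockerfile.harmonic
@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/pkgs-osrf-archive-keyring.gpg] http://packages.osrfoundation.org/gazebo/ubuntu-prerelease $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/gazebo-prerelease.list > /dev/null \
     && apt-get update
 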
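Review bot: The new `RUN` line places the session token in the same build-arg path as the static keys, so the STS token is recoverable from the image history and from the AWS config the script writes; that is acceptable only because the credentials are short-lived and `build_docs.sh` removes the image, which is worth stating in a comment above the `ARG` block, e.g. `# AWS_* are short-lived STS credentials from CI; they are baked into this throwaway image via build args`. The expansions are unquoted, so an unset token drops an argument rather than passing an empty one — `"$AWS_SESSION_TOKEN"` avoids that. The following prerelease-repo `RUN` is untouched context and predates this change.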
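--- a/tools/build_docs.sh
+++ b/tools/build_docs.sh
@@ -29,7 +29,7 @@
 
 if [[ $1 == 'all' || $1 == 'citadel' || $1 == 'Citadel' ]]; then
   echo -e "\e[46m\e[30mUploading documentation for Citadel\e[0m\e[39m"
-  docker build -t gz-docs-builder -f Dockerfile.citadel --build-arg GZ_VERSION_PASSWORD --build-arg GZ_VERSION_DATE=`date -Iseconds` --no-cache --build-arg AWS_ACCESS_KEY_ID --build-arg AWS_SECRET_ACCESS_KEY .
+  docker build -t gz-docs-builder -f Dockerfile.citadel --build-arg GZ_VERSION_PASSWORD --build-arg GZ_VERSION_DATE=`date -Iseconds` --no-cache --build-arg AWS_ACCESS_KEY_ID --build-arg AWS_SECRET_ACCESS_KEY --build-arg AWS_SESSION_TOKEN .
   docker image rm -f gz-docs-builder
   docker image prune -f
 fi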
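Review bot: Only the Citadel `docker build` line gains `--build-arg AWS_SESSION_TOKEN`, and this file's diffstat (1 addition, 1 deletion) says the Fortress, Garden and Harmonic build lines elsewhere in the script were not touched, even though all four Dockerfiles in this commit now declare `ARG AWS_SESSION_TOKEN` and pass it to `install_common_deps.sh`; unless those lines were updated in an earlier commit, their builds receive an empty token and, as far as I can tell, `aws configure set aws_session_token` then runs without a value. The same flag needs adding to every `docker build` invocation, ideally by building the argument list once in an array and reusing it. The bare `--build-arg NAME` form reads the value from the caller's environment, which is why the workflow exports `AWS_SESSION_TOKEN`; a comment would make that contract visible: `# AWS_* and GZ_VERSION_PASSWORD are read from the environment (set by configure-aws-credentials / secrets in CI)`. The backtick `` `date -Iseconds` `` predates this change; `$(date -Iseconds)` is the idiomatic form if the line is touched again.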

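--- a/tools/scripts/install_common_deps.sh
+++ b/tools/scripts/install_common_deps.sh
@@ -34,4 +34,5 @@ sudo ./aws/install
 # Configure AWS so that API docs can be uploaded to s3.
 aws configure set aws_access_key_id $1
 aws configure set aws_secret_access_key $2
+aws configure set aws_session_token $3
 aws configure set default.region us-east-1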
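Review bot: `aws configure set aws_session_token $3` runs unconditionally with an unquoted `$3`, so a caller that still supplies only a static key pair (two arguments) invokes `aws configure set aws_session_token` with no value, which as far as I can tell the CLI rejects as a missing argument; the script's shebang and error-handling options are outside this hunk, so whether that aborts the build or is silently ignored cannot be seen here. Guard it: `if [ -n "${3:-}" ]; then aws configure set aws_session_token "$3"; fi`. The neighbouring `$1`/`$2` lines are untouched but deserve the same quoting, and a header comment should state the positional contract, e.g. `# $1 access key id, $2 secret access key, $3 optional STS session token`. Note these values are written to the AWS config inside the image layer, so this script is part of why the builder image must be discarded after use.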
