pathogen-repo-build: Support assuming an AWS role via GitHub Actions' OIDC provider #53

Merged
merged 1 commit into from
Feb 5, 2024
47 changes: 33 additions & 14 deletions .github/workflows/pathogen-repo-build.yaml
Expand Up @@ -29,13 +29,20 @@ on:
Currently only supports docker, conda, and aws-batch.
Defaults to "docker".

The aws-batch runtime requires the secrets:
The aws-batch runtime requires AWS credentials. These may come
directly from secrets or indirectly from assuming a role via GitHub
Actions' OIDC provider.

The following secrets are used if present:

- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY

They must be defined in the repo's Actions secrets and passed to this
workflow with `secrets: inherit`.

If no secrets are present, the GitHubActionsRoleNextstrainBatchJobs
role is assumed (in both senses of the verb).
type: string
default: docker
required: false
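Review bot: The sentence "If no secrets are present, the GitHubActionsRoleNextstrainBatchJobs role is assumed" overstates the condition that is actually applied: the `role-to-assume` expression in the build job keys off `secrets.AWS_ACCESS_KEY_ID == ''` alone, so a repo that sets only AWS_SECRET_ACCESS_KEY still goes down the role-assumption path, and one that sets only AWS_ACCESS_KEY_ID ends up with half a static credential and no role. Suggest documenting that the two secrets must be set together (or that only the presence of AWS_ACCESS_KEY_ID decides the credential source). It would also help callers to state that the role-assumption path needs `id-token: write` to be granted by the calling workflow, since a reusable workflow cannot grant itself more than the caller allows.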
Expand All @@ -57,7 +64,13 @@ on:

All environment variables provided via the env input and all secrets
provided via `secrets: inherit` can be passed to the build runtime
via the `--env` option.
via the `--env` option. If AWS credentials were acquired by the
GitHub Action job via role assumption, the following environment
variables are also available to be passed:

- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
type: string
default: nextstrain build .
required: false
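Review bot: "If AWS credentials were acquired by the GitHub Action job via role assumption" is narrower than what the credentials step does: aws-actions/configure-aws-credentials exports AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into the job environment in the static-key case as well, and only AWS_SESSION_TOKEN is specific to role assumption. Worth rewording so readers do not expect the first two variables to be absent when static secrets are used. Also worth one sentence that the role-assumption credentials are temporary and bounded by the session lifetime set on the credentials step, so a build that is handed them with `--env` and outlives that window will start failing AWS calls partway through.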
Expand Down Expand Up @@ -136,11 +149,12 @@ on:
env:
NEXTSTRAIN_GITHUB_DIR: .git/nextstrain/.github

permissions:
id-token: write

jobs:
workflow-context:
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- id: workflow-context
uses: nextstrain/.github/actions/workflow-context@master
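Review bot: Moving `permissions: id-token: write` from the workflow-context job to the top level is what the OIDC credentials step in the build job needs, but a top-level `permissions` block that lists only `id-token` sets every unlisted scope (contents, packages, ...) to none for all jobs in this workflow. Please confirm the checkout steps (including the one below that checks out `ref: ${{ needs.workflow-context.outputs.sha }}` into `NEXTSTRAIN_GITHUB_DIR`) still work without `contents: read`, or add `contents: read` alongside `id-token: write` so the grant is explicit and minimal rather than accidental.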
Expand All @@ -167,16 +181,6 @@ jobs:
ref: ${{ needs.workflow-context.outputs.sha }}
path: ${{ env.NEXTSTRAIN_GITHUB_DIR }}

- name: Setup runtime ${{ inputs.runtime }}
uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli
with:
cli-version: ">=7.1.0"
runtime: ${{ inputs.runtime }}
# Required to set up aws-batch as default runtime
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- if: inputs.env
name: Set environment variables
env:
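Review bot: Dropping the step here loses the `# Required to set up aws-batch as default runtime` comment, and the re-added step further down no longer records that it depends on the credentials step placed ahead of it; suggest carrying the comment over to the new location. The move also changes ordering: the CLI setup now runs after "Set environment variables", so anything in `inputs.env` is already in the job env (via `tee -a "$GITHUB_ENV"`) when the runtime is configured, with the credentials step in between overriding any AWS_* values a caller passed. That is probably the intended precedence, but a line in the input docs would make it explicit.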
Expand All @@ -199,6 +203,21 @@ jobs:
| "$NEXTSTRAIN_GITHUB_DIR"/bin/json-to-envvars
| tee -a "$GITHUB_ENV"

- if: inputs.runtime == 'aws-batch'
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: us-east-1
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && 'arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainBatchJobs' || '' }}
credential-lifetime: 43200 # seconds, or 12 hours

- name: Setup runtime ${{ inputs.runtime }}
uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli
with:
cli-version: ">=7.1.0"
runtime: ${{ inputs.runtime }}

- name: Run build via ${{ inputs.runtime }}
env:
NEXTSTRAIN_BUILD_COMMAND: ${{ inputs.run }}
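Review bot: `credential-lifetime` does not look like an input of aws-actions/configure-aws-credentials; the role session length is set with `role-duration-seconds`, and an unrecognized `with:` key only produces an "Unexpected input" warning rather than a failure, so the 12 hour intent would silently fall back to the action's default. Please verify against the v2 action.yml. Two related checks: a 12 hour session also requires the role's MaxSessionDuration to be raised above the 1 hour default, otherwise AssumeRoleWithWebIdentity rejects the request; and the `role-to-assume` expression tests only `secrets.AWS_ACCESS_KEY_ID == ''`, so a repo with a partial secret pair gets neither a usable static credential nor the role. Consider `secrets.AWS_ACCESS_KEY_ID == '' && secrets.AWS_SECRET_ACCESS_KEY == ''`, or failing fast when exactly one of the two is set. The hardcoded account ARN is reasonable for a Nextstrain-owned workflow, but since this step is now the trust boundary for the AWS account, pinning the action to a commit SHA rather than the mutable `@v2` tag would be in keeping with that.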