-
Notifications
You must be signed in to change notification settings - Fork 21
72 lines (69 loc) · 2.53 KB
/
aws-auth.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Configure AWS Credentials
on:
workflow_call:
inputs:
aws-region:
type: string
required: true
environment-name:
type: string
secrets:
role-to-assume:
required: true
gpg-passphrase:
required: true
outputs:
aws-access-key-id:
value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }}
aws-secret-access-key:
value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }}
aws-session-token:
value: ${{ jobs.oidc-auth.outputs.aws-session-token }}
permissions:
contents: read
id-token: write
jobs:
oidc-auth:
name: OIDC Auth
runs-on: ubuntu-latest
environment: ${{ inputs.environment-name }}
permissions:
contents: read
id-token: write
outputs:
aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }}
aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
sts.us-west-2.amazonaws.com:443
- id: auth
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-west-2
role-to-assume: "${{ secrets.role-to-assume }}"
- name: Encrypt aws-access-key-id
id: encrypt-aws-access-key-id
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
- name: Encrypt aws-secret-access-key
id: encrypt-aws-secret-access-key
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
- name: Encrypt aws-session-token
id: encrypt-aws-session-token
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}