Skip to content

Commit df9c745

Browse files
feat(e2e): replace AWS_ACCESS_KEY_ID secrets with OIDC role assumption
Adds aws-role-to-assume input to .e2e-run.yml. Adds configure-aws-credentials step (pinned SHA, with role-session-name) before the Login to Registry step, conditioned on ECR registry detection. Updates e2e.yml to pass the OIDC role ARN and remove AWS secrets from the matrix credential expressions. Role: arn:aws:iam::175142243308:role/official_gha_cicd Action: aws-actions/configure-aws-credentials@7474bc4 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
1 parent f9f3042 commit df9c745

2 files changed

Lines changed: 18 additions & 2 deletions

File tree

.github/workflows/.e2e-run.yml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,10 @@ on:
2222
slug:
2323
required: false
2424
type: string
25+
aws-role-to-assume:
26+
required: false
27+
type: string
28+
description: "IAM role ARN to assume via OIDC for ECR authentication. When set, configure-aws-credentials runs before registry login."
2529
secrets:
2630
registry_username:
2731
required: false
@@ -36,6 +40,9 @@ env:
3640
jobs:
3741
run:
3842
runs-on: ubuntu-latest
43+
permissions:
44+
contents: read
45+
id-token: write
3946
strategy:
4047
fail-fast: false
4148
matrix:
@@ -111,6 +118,14 @@ jobs:
111118
driver-opts: |
112119
image=${{ matrix.buildkit_image }}
113120
network=host
121+
-
122+
name: Configure AWS credentials
123+
if: inputs.aws-role-to-assume != '' && (contains(inputs.registry, '.ecr.') || inputs.registry == 'public.ecr.aws')
124+
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
125+
with:
126+
role-to-assume: ${{ inputs.aws-role-to-assume }}
127+
aws-region: us-east-1
128+
role-session-name: gha-build-push-action-e2e-${{ github.run_id }}-${{ github.run_attempt }}
114129
-
115130
name: Login to Registry
116131
if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')

.github/workflows/e2e.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ name: e2e
22

33
permissions:
44
contents: read
5+
id-token: write
56

67
concurrency:
78
group: ${{ github.workflow }}-${{ github.ref }}
@@ -99,14 +100,15 @@ jobs:
99100
name: ${{ matrix.name }}
100101
registry: ${{ matrix.registry }}
101102
slug: ${{ matrix.slug }}
103+
aws-role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
102104
secrets:
103105
# Pass only the two secrets needed by each matrix entry.
106+
# AWS ECR entries use OIDC via aws-role-to-assume instead of static keys.
104107
registry_username: >-
105108
${{
106109
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
107110
matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
108111
matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
109-
matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
110112
matrix.auth == 'gar' && secrets.GAR_USERNAME ||
111113
matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
112114
matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
@@ -118,7 +120,6 @@ jobs:
118120
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
119121
matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
120122
matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
121-
matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
122123
matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
123124
matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
124125
matrix.auth == 'quay' && secrets.QUAY_TOKEN ||

0 commit comments

Comments
 (0)