Pull Request Creator Checklist
[x] This PR has an associated issue or issues.
[x] The associated issue(s) are linked above.
[x] This PR meets all acceptance criteria for those issues.
[x] This PR and linked issue(s) are adequately documented.
[x] This PR and linked issue(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and its links, with no further interaction.
[x] Someone has been assigned this PR.
[x] At least one person has been marked as reviewer on this PR.
Pull Request Reviewer/Assignee Checklist
[ ] This PR has an associated issue or issues.
[ ] The associated issue(s) are linked above.
[ ] This PR meets all acceptance criteria for those issues.
[ ] This PR and linked issue(s) are adequately documented.
[ ] This PR and linked issue(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and its links, with no further interaction.
Purpose
This changes how GitHub Actions authenticates to AWS. Instead of using an IAM service user's access key pair, GitHub Actions will now use OIDC to assume a role in the correct account. This is a more secure method of authenticating from GitHub to AWS.
Linked Issues to Close
Closes https://qmacbis.atlassian.net/browse/OY2-18470?atlOrigin=eyJpIjoiZDJhMWJlYWNjMGFhNDJlYThkMDg1M2U4ZGY0OTVjOWMiLCJwIjoiaiJ9
Approach
This changeset and its approach are simply an implementation of functionality shared to the quickstart by Brandon Bodnar. See https://github.com/CMSgov/macpro-quickstart-serverless/pull/542 for more detail. In short: this is a more secure way to authenticate from GitHub to AWS, and it requires less maintenance.
Learning
N/A
Assorted Notes/Considerations
N/A
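The security of the OIDC approach described above rests on the IAM role's trust policy: AWS only checks the claims the policy tells it to check, so a trust policy that verifies the `aud` claim but not the `sub` claim would let a workflow from any GitHub repository assume the role. The following is an added example, not code from this PR or from the quickstart, that shows a weak and a hardened trust policy side by side and a small audit function that flags the weak one. The account id `111111111111` and the repository `example-org/example-repo` are placeholders; the provider hostname `token.actions.githubusercontent.com` and the audience `sts.amazonaws.com` are the values GitHub documents for AWS.

```python
import json

# Standard values for the GitHub Actions OIDC provider in AWS.
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"

# The workflow side, for reference (the public aws-actions/configure-aws-credentials
# action; role ARN and region are placeholders):
#
#   permissions:
#     id-token: write   # lets the job request an OIDC token
#     contents: read
#   steps:
#     - uses: aws-actions/configure-aws-credentials@v4
#       with:
#         role-to-assume: arn:aws:iam::111111111111:role/github-actions-deploy
#         aws-region: us-east-1

# Constructed sample: audience is pinned, but there is no "sub" condition,
# so a workflow in any GitHub repository could assume this role.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}
    }
  }]
}
""")

# Constructed sample: same, plus a "sub" condition that pins the role to one
# repository and one branch.
HARDENED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}
    }
  }]
}
""")


def _condition_values(condition: dict, key: str) -> list:
    """Collect every value bound to `key` across all condition operators.
    IAM condition keys are case-insensitive, so compare lower-cased."""
    values = []
    for operator_values in condition.values():
        for cond_key, cond_val in operator_values.items():
            if cond_key.lower() == key.lower():
                values.extend(cond_val if isinstance(cond_val, list) else [cond_val])
    return values


def audit_trust_policy(policy: dict) -> list:
    """Return a list of findings for each Allow statement that grants
    sts:AssumeRoleWithWebIdentity. An empty list means no issue was found."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue

        principal = stmt.get("Principal", {}).get("Federated", "")
        if not principal.endswith("oidc-provider/" + GITHUB_OIDC_ISSUER):
            findings.append("federated principal is not the GitHub OIDC provider")

        condition = stmt.get("Condition", {})
        if _condition_values(condition, GITHUB_OIDC_ISSUER + ":aud") != [EXPECTED_AUDIENCE]:
            findings.append("aud condition missing or not restricted to sts.amazonaws.com")

        subs = _condition_values(condition, GITHUB_OIDC_ISSUER + ":sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            # "repo:<org>/<repo>:<rest>" -- the repository segment must be literal.
            repo_part = sub.split(":", 2)[1] if sub.startswith("repo:") and ":" in sub[5:] + ":" else ""
            if not repo_part or "*" in repo_part:
                findings.append("sub pattern does not pin a specific repository: " + sub)
    return findings


if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK_TRUST_POLICY))
    print("hardened:", audit_trust_policy(HARDENED_TRUST_POLICY))
```

Run against the two constructed policies, the weak one produces a single finding about the missing `sub` condition and the hardened one produces none; pointing `audit_trust_policy` at the JSON output of `aws iam get-role` for the deployment role is a quick way to confirm the trust policy this PR relies on is pinned to the intended repository.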