NASA-IMPACT / veda-pforge-job-runner

Apache Beam + EMR Serverless Job Runner for Pangeo Forge Recipes

Assume Github OIDC role #40

Closed abarciauskas-bgse closed 5 months ago

abarciauskas-bgse commented 5 months ago

@ranchodeluxe we already had an OIDC provider and role for EODC projects configured in the VEDA SMCE account called github-actions-role-eodc; it's just been a while since I configured it, so I forgot. We could also create a new role specifically for this project, but I think that role is well-scoped to EODC projects for now. The trust policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::XXX:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:developmentseed/tile-benchmarking*",
                        "repo:developmentseed/titiler-xarray*",
                        "repo:developmentseed/titiler-cmr*",
                        "repo:NASA-IMPACT/veda-pforge-job-runner*"
                    ]
                }
            }
        }
    ]
}

I also added the EKSFullAccess policy to that role. So I think we should be good to go, as this configuration now looks very similar to what I used for titiler-xarray deployments.

I will also remove the obsolete environment variables starting with GH_* once this is ✅
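An added Python evaluator for the Condition block of the trust policy quoted above (not code from the PR or the project), with GitHub-style `sub` claims constructed for illustration: the IAM StringLike semantics it implements show that the trailing `*` admits every ref, pull_request run and environment of each listed repo, and also any repo in the same org whose name merely starts with that prefix, while the `aud` StringEquals still rejects a token minted for any other audience.

```python
import re

SUB = "token.actions.githubusercontent.com:sub"
AUD = "token.actions.githubusercontent.com:aud"

# Trust policy as quoted in the PR comment (account id masked as "XXX" on the page).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::XXX:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD: "sts.amazonaws.com"},
            "StringLike": {SUB: [
                "repo:developmentseed/tile-benchmarking*",
                "repo:developmentseed/titiler-xarray*",
                "repo:developmentseed/titiler-cmr*",
                "repo:NASA-IMPACT/veda-pforge-job-runner*",
            ]},
        },
    }],
}

def iam_string_like(pattern: str, value: str) -> bool:
    # IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": iam_string_like}

def assume_allowed(policy: dict, claims: dict) -> bool:
    # True if an Allow statement for sts:AssumeRoleWithWebIdentity has every condition
    # key satisfied by the token's claims (patterns within a key are OR-ed, keys AND-ed).
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if all(key in claims and any(OPERATORS[op](p, claims[key])
                                     for p in (pats if isinstance(pats, list) else [pats]))
               for op, keys in stmt.get("Condition", {}).items()
               for key, pats in keys.items()):
            return True
    return False

def github_token_allowed(sub: str, aud: str = "sts.amazonaws.com") -> bool:
    # Evaluate a GitHub Actions token by its sub (repo:OWNER/REPO:<context>) and aud claims.
    # Constructed subjects to try: "repo:NASA-IMPACT/veda-pforge-job-runner:ref:refs/heads/main"
    # (allowed), "...:pull_request" (allowed), "repo:NASA-IMPACT/veda-pforge-job-runner-dev:..."
    # (allowed, since the trailing '*' is a prefix match), "repo:someone-else/..." (denied).
    return assume_allowed(TRUST_POLICY, {SUB: sub, AUD: aud})
```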