Open sebranchett opened 2 years ago
Having some doubts about this one.
Made a .github/workflows/save_CF_template.yml at commit 4d3e8ec. Got:

Searching for AMI in 123456789012:us-east-1
[Error at /ec2-instance] Need to perform AWS calls for account 123456789012, but no credentials have been configured
[Error at /ec2-instance/Instance] Need to perform AWS calls for account 123456789012, but no credentials have been configured

Specified:

CDK_DEFAULT_ACCOUNT: "123456789012" # this is a fake
CDK_DEFAULT_REGION: "eu-central-1" # but it searches us-east-1. I don't understand this.
Looks like I need to provide AWS Credentials. This is the way to go: https://github.com/aws-actions/configure-aws-credentials#examples and set up a role to assume in AWS and OpenID Connect to AWS: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Looking at my cdk.out/ec2-instance.template.json, it contains my Account ID when referencing the input/output bucket. I don't think I want to publish my Account ID on GitHub.
I should maybe revisit this issue after solving parameter issue #3.
cdk.out/ec2-instance.template.json no longer contains an account ID. BUT, 'cdk synth' does require valid credentials: https://docs.aws.amazon.com/cdk/v2/guide/cli.html section "Specifying credentials and region" specifies "The CDK Toolkit needs to know your AWS account credentials and the AWS region into which you are deploying, not only for deployment operations but also to retrieve context values during synthesis.". I tried everything I could think of too, just in case.
I can store encrypted access keys to my AWS account in this repository's secrets, BUT "Anyone with collaborator access to this repository can use these secrets for Actions.". That's not a problem at the moment, but when I'm happy with everything, I want to transfer this repository to the TU-Delft-ICT-Innovation organisation. It doesn't feel right that the organisation is then dependent on my AWS account.
@mmaschenk, help, I'm talking to myself here. 😃 What do you think? Create a dedicated AWS account for all collaborators on CDK templates for research? Use those credentials to automatically 'cdk synth' when we create a release and store the CDK template with the release?
Perhaps using a GitHub action on creating a release. (Nathan's idea.) This would mean that researchers could use the template without going through the CDK. (Mark's request.)
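The two threads above, the OIDC route via aws-actions/configure-aws-credentials and the "synth on release and attach the template" idea, fit together in one workflow. The following is an added example, not a file from this issue or its repository: it assumes a role in the target AWS account whose ARN is stored as the repository secret AWS_ROLE_TO_ASSUME, a Node-based CDK project (npm ci), the stack id ec2-instance and the region eu-central-1 named earlier in the thread. Because the role's trust policy can restrict the GitHub OIDC `sub` claim to this repository's release tags (for example a StringLike condition on `token.actions.githubusercontent.com:sub` of `repo:<org>/<repo>:ref:refs/tags/*`), no long-lived access keys sit in repository secrets, and after the transfer the role would simply be redefined in the organisation's account.

```yaml
# Added example (not from the issue or its repository). Assumed names:
# secret AWS_ROLE_TO_ASSUME, stack id ec2-instance, region eu-central-1.
name: save_CF_template

on:
  release:
    types: [published]

# Least privilege for the GITHUB_TOKEN: only what the two steps below need.
permissions:
  contents: write   # upload the synthesised template as a release asset
  id-token: write   # request the OIDC token that the AWS role trusts

jobs:
  synth:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Short-lived credentials via OIDC; nothing long-lived is stored in GitHub.
      # The assumed role's trust policy should pin the `sub` claim to this repo's tags.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}   # assumed secret name
          aws-region: eu-central-1

      - name: Install project dependencies (assumes a Node CDK project)
        run: npm ci

      # cdk synth needs credentials for context lookups (AMI search etc.).
      # The account id is taken from the assumed role, so it is not hard-coded here.
      - name: Synthesize the CloudFormation template
        env:
          CDK_DEFAULT_REGION: eu-central-1
        run: |
          npx cdk synth ec2-instance
          # Refuse to publish a template that still embeds the account id of the
          # credentials used for synthesis (the concern raised earlier in the thread).
          ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
          if grep -q "$ACCOUNT_ID" cdk.out/ec2-instance.template.json; then
            echo "template contains the AWS account id; not publishing" >&2
            exit 1
          fi

      # gh is preinstalled on GitHub-hosted runners; GH_TOKEN scopes it to this job.
      - name: Attach the template to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" cdk.out/ec2-instance.template.json
```

The grep is a deliberately simple guard: it only catches the literal account id of the synthesising credentials, which is the case the thread describes. If the stack ever embeds a different account (for example a shared bucket owner), extend the check accordingly rather than relying on this one string match.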