removing aws keys and adding assume aws role arch

caiocsgomes · Aug 31, 2023 · 9182ab8 · 9182ab8
1 parent c51e158
commit 9182ab8
Showing 1 changed file with 15 additions and 28 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -10,31 +10,26 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
 
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_DEFAULT_REGION: sa-east-1
+      AWS_REGION: sa-east-1
       BUCKET_NAME: caiogomes.me
     steps:
         - name: Install hugo
           run: sudo apt install hugo
 
-        - name: Install aws cli
-          id: install-aws-cli
-          uses: unfor19/install-aws-cli-action@v1
+        - name: configure aws credentials
+          uses: aws-actions/[email protected]
           with:
-            version: 2
-            verbose: false
-            arch: amd64
-            rootdir: ""
-            workdir: "" 
-
-        - name: Set AWS credentials
-          run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+            role-session-name: GitHub_to_AWS_via_FederatedOIDC
+            aws-region: ${{ env.AWS_REGION }}
 
         - name: Checkout repository
           uses: actions/checkout@v3
@@ -51,23 +46,15 @@ jobs:
     needs: build-and-deploy
     runs-on: ubuntu-latest
     env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_DEFAULT_REGION: sa-east-1
+      AWS_REGION: sa-east-1
       CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}
     steps:
-      - name: Install aws cli
-        id: install-aws-cli
-        uses: unfor19/install-aws-cli-action@v1
+      - name: configure aws credentials
+        uses: aws-actions/[email protected]
         with:
-          version: 2
-          verbose: false
-          arch: amd64
-          rootdir: ""
-          workdir: "" 
-
-      - name: Set AWS credentials
-        run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_REGION }}
 
       - name: Invalidate clodufront distribution
         run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths "/*"