From 9182ab8b6e6d0acffa8612dad17d413632be430d Mon Sep 17 00:00:00 2001 From: caiocsgomes Date: Thu, 31 Aug 2023 17:53:24 -0300 Subject: [PATCH] removing aws keys and adding assume aws role arch --- .github/workflows/deploy.yml | 43 +++++++++++++----------------------- 1 file changed, 15 insertions(+), 28 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index cb31641..a556224 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -10,31 +10,26 @@ on: branches: - main +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout jobs: build-and-deploy: runs-on: ubuntu-latest env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: sa-east-1 + AWS_REGION: sa-east-1 BUCKET_NAME: caiogomes.me steps: - name: Install hugo run: sudo apt install hugo - - name: Install aws cli - id: install-aws-cli - uses: unfor19/install-aws-cli-action@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v3.0.1 with: - version: 2 - verbose: false - arch: amd64 - rootdir: "" - workdir: "" - - - name: Set AWS credentials - run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} - name: Checkout repository uses: actions/checkout@v3 
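Review bot: The new step `uses: aws-actions/configure-aws-credentials@v3.0.1` is pinned to a mutable release tag; because this action is the one that exchanges the OIDC token for AWS credentials, pin it to the full commit SHA of that release (keeping the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v3.0.1`) so a moved tag cannot change what runs, and apply the same pin to the identical step in the second hunk. The added `permissions:` block appears to sit at workflow level (it precedes `jobs:`), so `id-token: write` is granted to every job; placing it under each of the two jobs that call the action keeps the token request scoped to where it is needed. The IAM role's trust policy is not visible here, but it presumably must restrict the token's `sub` claim to this repository and the `main` branch, since the role ARN in `secrets.AWS_ROLE_ARN` is otherwise assumable by any workflow that can obtain a GitHub OIDC token trusted by that account. With the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values no longer referenced, the corresponding IAM user access keys should be deactivated and the repository secrets deleted so they cannot be reused.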
@@ -51,23 +46,15 @@ jobs: needs: build-and-deploy runs-on: ubuntu-latest env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: sa-east-1 + AWS_REGION: sa-east-1 CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} steps: - - name: Install aws cli - id: install-aws-cli - uses: unfor19/install-aws-cli-action@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v3.0.1 with: - version: 2 - verbose: false - arch: amd64 - rootdir: "" - workdir: "" - - - name: Set AWS credentials - run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} - name: Invalidate clodufront distribution run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths "/*" \ No newline at end of file