@@ -12,6 +12,7 @@ concurrency:
1212 cancel-in-progress : false
1313
1414permissions :
15+ id-token : write
1516 contents : read
1617
1718env :
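Review bot: `id-token: write` is added at the workflow-level `permissions:` (new line 15), so every job in this workflow can request an OIDC token, not only the job that runs configure-aws-credentials. If the apply/destroy jobs further down each run their own credential step this is the right scope, but otherwise the grant should move into the job-level `permissions:` of the job that assumes the role, leaving the workflow default at `contents: read`. Either way a comment above the key would document the intent, e.g. `# id-token: write lets jobs mint an OIDC token to assume AWS_IAMROLE_GITHUB_CI`.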
@@ -29,13 +30,10 @@ jobs:
2930 runs-on : ubuntu-latest
3031
3132 steps :
32- # # Authenticate to AWS with the credentials stored in Github Secrets.
33- - name : Configure AWS Credentials
33+ - name : Configure AWS credentials
3434 uses : aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
3535 with :
36- # TODO(phboneff): use a better form of authentication
37- aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
38- aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
36+ role-to-assume : ${{ vars.AWS_IAMROLE_GITHUB_CI }}
3937 aws-region : ${{ env.AWS_REGION }}
4038
4139 - name : Checkout code
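Review bot: The new role-based step (new line 36) sets `role-to-assume` but no `role-session-name`, so CloudTrail records the action's default session name and AWS-side events cannot be tied to a specific workflow run; add `role-session-name: github-ci-${{ github.run_id }}` under `with:`. The explanatory comment at old line 32 was dropped together with the secret-based inputs but not replaced; a one-liner above the step such as `# Authenticate to AWS via GitHub OIDC; the role's trust policy governs which repos/branches may assume it` would keep the step self-describing. Note that `${{ vars.AWS_IAMROLE_GITHUB_CI }}` is a non-secret repository variable, which is fine for a role ARN as long as the trust policy on the AWS side is the control that restricts callers. The enclosing job header is outside the hunk.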
8583 tg_dir : ${{ env.TG_DIR }}
8684 tg_command : " destroy"
8785 env :
86+ ECS_EXECUTION_ROLE : ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
87+ ECS_CONFORMANCE_TASK_ROLE : ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}
8888 TESSERA_SIGNER : unused
8989 TESSERA_VERIFIER : unused
9090
@@ -120,6 +120,8 @@ jobs:
120120 tg_dir : ${{ env.TG_DIR }}
121121 tg_command : " apply"
122122 env :
123+ ECS_EXECUTION_ROLE : ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
124+ ECS_CONFORMANCE_TASK_ROLE : ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}
123125 INPUT_POST_EXEC_1 : |
124126 echo "ECS_CLUSTER=$(terragrunt output -raw ecs_cluster)" >> "$GITHUB_ENV"
125127 INPUT_POST_EXEC_2 : |
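Review bot: The same two-line `env:` block (ECS_EXECUTION_ROLE / ECS_CONFORMANCE_TASK_ROLE from `vars`) is repeated on this apply step (new lines 123–124) and on both destroy steps (new lines 86–87 and 159–161), so a future change to one copy can silently leave the others behind. The file already has a workflow-level `env:` (around line 18) and the `vars` context is available there, so defining both values once at that level and deleting the per-step copies keeps apply and destroy in agreement. Wherever they end up, a comment saying what consumes them — presumably the Terragrunt configuration for the ECS task definition, confirm — would help, e.g. `# IAM role ARNs handed to Terragrunt for the ECS task definition`. The step's `uses:` line is outside the hunk.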
@@ -154,3 +156,6 @@ jobs:
154156 tg_version : ${{ env.TG_VERSION }}
155157 tg_dir : ${{ env.TG_DIR }}
156158 tg_command : " destroy"
159+ env :
160+ ECS_EXECUTION_ROLE : ${{ vars.AWS_IAMROLE_ECS_EXECUTION }}
161+ ECS_CONFORMANCE_TASK_ROLE : ${{ vars.AWS_IAMROLE_ECS_CONFORMANCE_TASK }}