Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use configure-aws-credentials workflow instead of passing secret_access_key #1362

Closed
wants to merge 13 commits into from
Closed

Use configure-aws-credentials workflow instead of passing secret_access_key #1362

wants to merge 13 commits into from

Conversation

vudiep411
Copy link
Contributor

Summary

This PR fixes #1346 where we can get rid of the long term credentials by using OpenID Connect. OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.

Changes

We can remove these secrets that were passed in previously:

token: ${{ secrets.GITHUB_TOKEN }}
      bucket: ${{ secrets.AWS_S3_BUCKET }}
      access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
      secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}

Instead we only need the role-to-assume arn. For more information OIDC.

Prerequisites

Before merging this PR, we need to make sure to set up the proper Identity providers on the production AWS account. Follow this guides.
Quick guide:

  1. Create an Identity provider with OpenID Connect.
    Provider url: https://token.actions.githubusercontent.com

    Audience: sts.amazonaws.com
Screenshot 2024-11-26 at 1 02 23 PM
  1. Assign the role into this new provider with this trust policy like below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<aws_account_id>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:valkey-io/valkey:ref:refs/heads/unstable",
                        "repo:valkey-io/valkey:ref:refs/tags/*"
                    ],
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
  1. In Github secrets, Add these secrets:
Screenshot 2024-11-26 at 2 11 02 PM

Results

Github action run:
Screenshot 2024-11-26 at 2 06 17 PM

Files in S3 Dev env:
Screenshot 2024-11-26 at 2 09 42 PM

Note: the failed workflow can be found in this issue #1343 which will be in a separate PR.

vudiep411 and others added 12 commits November 24, 2024 14:02
@vudiep411
Improved workflow code via AWS OIDC
6928770
@vudiep411
test
d484f5c
@vudiep411
improve workflow pattern, bumb aws-cred-conf ver
eda6877
@vudiep411
Merge branch 'valkey-io:unstable' into build-release-workflow
2db5c14
@vudiep411
Merge pull request #1 from vudiep411/build-release-workflow
295a03b 
Build release workflow
@RayaCoo @vudiep411
Optimize sdscatrepr by batch processing printable characters (valkey-…
946cd7a 
…io#1342)

Optimize sdscatrepr by reducing realloc calls, furthermore, we can reduce memcpy calls by
batch processing of consecutive printable characters.

Signed-off-by: Ray Cao <[email protected]>
Co-authored-by: Ray Cao <[email protected]>
Signed-off-by: vudiep411 <[email protected]>
@enjoy-binbin @vudiep411
Save open's errno when opening temp rdb fails to prevent it from bein…
fc1a409 
…g modified (valkey-io#1347)

Apparently on Mac, sleep will modify errno to ETIMEDOUT, and then it
prints the misleading message: Operation timed out.

Signed-off-by: Binbin <[email protected]>
Signed-off-by: vudiep411 <[email protected]>
@enjoy-binbin @vudiep411
Avoid double close on repl_transfer_fd (valkey-io#1349)
67d40ce 
The code is ok before 2de544c,
but now we will set server.repl_transfer_fd right after dfd was
initiated, and in here we have a double close error since dfd and
server.repl_transfer_fd are the same fd.

Also move the declaration of dfd/maxtries to a small scope to avoid
the confusion since they are only used in this code.

Signed-off-by: Binbin <[email protected]>
Signed-off-by: vudiep411 <[email protected]>
@naglera @vudiep411
Add tag for dual-channel logs (valkey-io#999)
882d9dc 
This PR introduces a consistent tagging system for dual-channel logs.
The goal is to improve log readability and filterability, making it
easier for operators to manage and analyze log entries.

Resolves valkey-io#986

---------

Signed-off-by: naglera <[email protected]>
Signed-off-by: vudiep411 <[email protected]>
@vudiep411
Improved workflow code via AWS OIDC
d38a9b7 
Signed-off-by: vudiep411 <[email protected]>
@vudiep411
test
4b6b7a7 
Signed-off-by: vudiep411 <[email protected]>
@vudiep411
improve workflow pattern, bumb aws-cred-conf ver
7154dc5 
Signed-off-by: vudiep411 <[email protected]>
@vudiep411 vudiep411 changed the title Aws creds workflow Use configure-aws-credentials workflow instead of passing secret_access_key Nov 26, 2024
@vudiep411
Sync with unstable
9073a16 
Signed-off-by: vudiep411 <[email protected]>
@vudiep411 vudiep411 closed this Nov 26, 2024
@vudiep411 vudiep411 deleted the aws-creds-workflow branch November 26, 2024 23:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use configure-aws-credentials instead of passing secret_access_key
4 participants
@vudiep411 @RayaCoo @enjoy-binbin @naglera