From b3c56bc4aa7c29abdfc094e834f6c297ed2cc19d Mon Sep 17 00:00:00 2001
From: vfalconisumo
Date: Thu, 6 Nov 2025 19:06:00 -0600
Subject: [PATCH] Replace AWS keys with IAM role
Signed-off-by: vfalconisumo
---
 .../workflows/job_trigger-jenkins-pipeline.yml | 17 ++++++-----------
 .../workflow_deploy-to-pantheon-prod.yml | 3 +--
 2 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/job_trigger-jenkins-pipeline.yml b/.github/workflows/job_trigger-jenkins-pipeline.yml
index b6e561c20d..a2ce1cf338 100644
--- a/.github/workflows/job_trigger-jenkins-pipeline.yml
+++ b/.github/workflows/job_trigger-jenkins-pipeline.yml
@@ -15,9 +15,7 @@ on:
 required: true
 WEBOPS_JENKINS_HOST:
 required: true 
- WEBOPS_AWS_ACCESS_KEY: 
- required: true 
- WEBOPS_AWS_SECRET_KEY: 
+ WEBOPS_AWS_ROLE_JENKINS:
 required: true
 WEBOPS_WEBHOOK_TOKEN:
 required: true
@@ -30,11 +28,12 @@ jobs:
 if: always()
 id: ip
 uses: haythem/public-ip@v1.3 
+ - name: Configure AWS credentials 
+ uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 
+ with: 
+ role-to-assume: ${{ secrets.WEBOPS_AWS_ROLE_JENKINS }} 
+ aws-region: us-east-1
 - name: Add runner to AWS security group ingress 
- env: 
- AWS_ACCESS_KEY_ID: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }} 
- AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }} 
- AWS_DEFAULT_REGION: ${{ secrets.WEBOPS_AWS_REGION }}
 run: aws ec2 authorize-security-group-ingress --group-name ${{ secrets.WEBOPS_AWS_SG_NAME }} --protocol tcp --port ${{ secrets.WEBOPS_JENKINS_PORT }} --cidr ${{ steps.ip.outputs.ipv4 }}/32
 - name: Trigger Jenkins pipeline
 run: | 
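Review bot: The new `Configure AWS credentials` step assumes `role-to-assume` through GitHub's OIDC provider, which only works if the job (or workflow) grants `permissions: id-token: write`; the job header sits above this hunk, so confirm that block exists — without it the step cannot obtain a web identity token and the `authorize-security-group-ingress` call that follows never gets credentials. The step also hard-codes `aws-region: us-east-1` where the removed `env` used `${{ secrets.WEBOPS_AWS_REGION }}`, so if the security group lives in another region the authorize/revoke calls will fail; `aws-region: ${{ secrets.WEBOPS_AWS_REGION }}` preserves the previous behaviour and keeps that secret from going unused. Since the action is pinned to a bare commit SHA, append the tag it resolves to as a trailing comment (`uses: aws-actions/configure-aws-credentials@00943011… # <tag>`) so the pin can be audited and bumped. On the IAM side, the role's trust policy should restrict the token `sub` claim to this repository (and ideally the deploying branch or environment), which is not visible here.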
@@ -43,9 +42,5 @@ jobs:
 -X POST \
 ${{ secrets.WEBOPS_JENKINS_HOST }}:${{ secrets.WEBOPS_JENKINS_PORT || '80' }}/generic-webhook-trigger/invoke?token=${{ secrets.WEBOPS_WEBHOOK_TOKEN }}
 - name: Remove runner from AWS security group ingress 
- env: 
- AWS_ACCESS_KEY_ID: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }} 
- AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }} 
- AWS_DEFAULT_REGION: ${{ secrets.WEBOPS_AWS_REGION }}
 if: always()
 run: aws ec2 revoke-security-group-ingress --group-name ${{ secrets.WEBOPS_AWS_SG_NAME }} --protocol tcp --port ${{ secrets.WEBOPS_JENKINS_PORT }} --cidr ${{ steps.ip.outputs.ipv4 }}/32
diff --git a/.github/workflows/workflow_deploy-to-pantheon-prod.yml b/.github/workflows/workflow_deploy-to-pantheon-prod.yml
index 943038483c..0d875bd031 100644
--- a/.github/workflows/workflow_deploy-to-pantheon-prod.yml
+++ b/.github/workflows/workflow_deploy-to-pantheon-prod.yml
@@ -38,8 +38,7 @@ jobs:
 WEBOPS_AWS_SG_NAME: ${{ secrets.WEBOPS_AWS_SG_NAME }}
 WEBOPS_JENKINS_PORT: ${{ secrets.WEBOPS_JENKINS_PORT }}
 WEBOPS_JENKINS_HOST: ${{ secrets.WEBOPS_JENKINS_HOST }} 
- WEBOPS_AWS_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }} 
- WEBOPS_AWS_SECRET_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }} 
+ WEBOPS_AWS_ROLE_JENKINS: ${{ secrets.WEBOPS_AWS_ROLE_JENKINS }}
 WEBOPS_WEBHOOK_TOKEN: ${{ secrets.WEBOPS_WEBHOOK_TOKEN }}
 notify-channel:
 needs: [build-site,deploy-to-pantheon,trigger-jenkins-pipeline]
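Review bot: Forwarding `WEBOPS_AWS_ROLE_JENKINS` is only half of what the called workflow now needs: because it assumes the role via OIDC, the calling job must itself grant `permissions: id-token: write` — a called workflow cannot hold more GITHUB_TOKEN permissions than its caller — and the `trigger-jenkins-pipeline` job header is above this hunk. Add `permissions:` with `id-token: write` and `contents: read` to that job if it is not already declared there, otherwise the first deploy after this merge fails at the credentials step. If the caller still forwards `WEBOPS_AWS_REGION` above this hunk, note that the called workflow no longer reads it after this change (both `AWS_DEFAULT_REGION` lines were removed), so either drop it or have the called workflow use it for `aws-region`.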