From a93d98a0cb459b1d1283f2cbe0c99a8c14c97b6d Mon Sep 17 00:00:00 2001 From: Bryan Aguilar Date: Fri, 16 Dec 2022 14:31:32 -0800 Subject: [PATCH 1/2] Update package signer to use assumed IAM role --- .github/workflows/CI.yml | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index e6c793c1d7..0c1e95dd52 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -201,6 +201,14 @@ jobs: Invoke-WebRequest -Uri "https://awscli.amazonaws.com/AWSCLIV2.msi" -OutFile "AWSCLIV2.msi" msiexec.exe /i AWSCLIV2.msi /passive [System.Environment]::SetEnvironmentVariable('Path',$Env:Path + ";C:\\Program Files\\Amazon\\AWSCLIV2",'User') + + - name: Configure AWS Credentials + + - uses: aws-actions/configure-aws-credentials@v1-node16 + with: + role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }} + aws-region: us-west-2 + - name: Sign windows artifacts run: | $pkgfile = "build\packages\windows\amd64\aws-otel-collector.msi" @@ -224,10 +232,6 @@ jobs: Throw "Could not find the signed artifact" } aws s3api get-object "--bucket" ${{ env.WIN_SIGNED_PKG_BUCKET }} "--key" $objkey $pkgfile - env: - AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-west-2 - name: Verify package signature run: | 
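Review bot: The credentials step added to the Windows job pulls `aws-actions/configure-aws-credentials@v1-node16` by a mutable tag, yet this is the step that mints credentials for the production signing role; pin it to a full-length commit SHA (`uses: aws-actions/configure-aws-credentials@<40-char sha> # v1-node16`) so a moved or compromised tag cannot swap the code that handles those credentials. With only `role-to-assume` supplied the action has to go through the GitHub OIDC token exchange, which requires `permissions: id-token: write` on the job; the permissions block is outside this hunk, so confirm it is present or the step will fail at runtime. For least privilege and CloudTrail attribution also add `role-session-name: pkg-signer-${{ github.run_id }}` and a `role-duration-seconds` sized to the signing step rather than the action's default session length. The `Sign windows artifacts` step that follows continues past the end of this hunk.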
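Review bot: Removing the step-level `env:` from the `aws s3api get-object` step widens credential scope rather than narrowing it: the static keys were visible to that one step only, whereas the credentials obtained by the new configure-aws-credentials step are exported into the job environment and stay available to every later step, including `Verify package signature` and anything run after it. As far as I can tell the v1 line of the action has no input to unset them afterwards, so the compensating controls sit on the AWS side: scope the role's policy to the signing bucket (`WIN_SIGNED_PKG_BUCKET`) and the signing secret this job actually touches, and keep third-party actions out of the remainder of the job. A one-line reminder next to the step, `# NOTE: assumed-role credentials persist in the job env for all later steps`, would stop the next maintainer from adding an untrusted step after it. The enclosing `Sign windows artifacts` step begins before this hunk.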
@@ -273,14 +277,17 @@ jobs: run: | ARCH=x86_64 SOURCE_ARCH=amd64 DEST=$PACKAGING_ROOT/linux/amd64 tools/packaging/linux/create_rpm.sh ARCH=aarch64 SOURCE_ARCH=arm64 DEST=$PACKAGING_ROOT/linux/arm64 tools/packaging/linux/create_rpm.sh + + - uses: aws-actions/configure-aws-credentials@v1-node16 + with: + role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }} + aws-region: us-west-2 + - name: Download Package Signing GPG key if: steps.cached_rpms.outputs.cache-hit != 'true' run: | aws secretsmanager get-secret-value --region us-west-2 --secret-id "$PKG_SIGN_PRIVATE_KEY_NAME" | jq -r ".SecretString" > pkg_sign_private.key md5sum pkg_sign_private.key - env: - AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }} - name: Import Package Signing GPG Key if: steps.cached_rpms.outputs.cache-hit != 'true' @@ -327,14 +334,17 @@ jobs: run: | ARCH=amd64 DEST=$PACKAGING_ROOT/debian/amd64 tools/packaging/debian/create_deb.sh ARCH=arm64 DEST=$PACKAGING_ROOT/debian/arm64 tools/packaging/debian/create_deb.sh + + - uses: aws-actions/configure-aws-credentials@v1-node16 + with: + role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }} + aws-region: us-west-2 + - name: Download Package Signing GPG key if: steps.cached_debs.outputs.cache-hit != 'true' run: | aws secretsmanager get-secret-value --region us-west-2 --secret-id "$PKG_SIGN_PRIVATE_KEY_NAME" | jq -r ".SecretString" > pkg_sign_private.key md5sum pkg_sign_private.key - env: - AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }} - name: Import Package Signing GPG Key if: steps.cached_debs.outputs.cache-hit != 'true' From ededb58e4949e41a67aff76f7b9b9dce088db153 Mon Sep 17 00:00:00 2001 From: Bryan Aguilar Date: Tue, 20 Dec 2022 10:59:03 -0800 Subject: [PATCH 2/2] Fix syntax --- .github/workflows/CI.yml | 2 -- 1 file changed, 2 deletions(-) 
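Review bot: The new configure-aws-credentials step in the RPM job runs unconditionally, while the `Download Package Signing GPG key` step immediately after it is gated on `steps.cached_rpms.outputs.cache-hit != 'true'`; on a cache hit the job still assumes the production signing role and leaves its credentials in the job environment even though, unless a step outside this hunk needs them, nothing uses them. Gate the step the same way and give it a name so the log line is recognisable: `- name: Configure AWS Credentials`, `if: steps.cached_rpms.outputs.cache-hit != 'true'`, `uses: aws-actions/configure-aws-credentials@v1-node16`. The same unconditional step is added to the Debian job further down this file.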
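Review bot: The Debian job's credentials step has the same gap as the RPM one: the `Download Package Signing GPG key` step below it is skipped when `steps.cached_debs.outputs.cache-hit == 'true'`, but the role is assumed regardless, so add `if: steps.cached_debs.outputs.cache-hit != 'true'` (and a `name:`) to the new `- uses:` step. With the static `SIGN_PKG_AWS_*` keys gone, the only gate on the production signing role is its trust policy; the ARN held in `COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN` is not itself a secret, so confirm the trust policy conditions the OIDC `sub` claim on this repository and branch (or a protected environment) and `aud` on `sts.amazonaws.com`, not merely on the provider. The trust policy is not part of this change and cannot be checked from the diff.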
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 0c1e95dd52..74ac5c462b 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -202,8 +202,6 @@ jobs: msiexec.exe /i AWSCLIV2.msi /passive [System.Environment]::SetEnvironmentVariable('Path',$Env:Path + ";C:\\Program Files\\Amazon\\AWSCLIV2",'User') - - name: Configure AWS Credentials - - uses: aws-actions/configure-aws-credentials@v1-node16 with: role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }}