chore(ci): change token permissions / update aws-credentials action (#…

…5861) * Improving security * Improving security
aws-powertools · Jan 13, 2025 · 09001b2 · 09001b2
1 parent 1b81fbf
commit 09001b2
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 23 deletions.
diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml
@@ -1,3 +1,5 @@
+name: Region Bootstrap
+
 # bootstraps new regions
 #
 # PURPOSE
@@ -27,7 +29,6 @@ on:
         required: true
         description: AWS region to bootstrap (i.e. eu-west-1)
 
-name: Region Bootstrap
 run-name: Region Bootstrap ${{ inputs.region }}
 
 permissions:
@@ -38,13 +39,13 @@ jobs:
     name: Install CDK
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       id-token: write
     environment: layer-${{ inputs.environment }}
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ inputs.region }}
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -69,7 +70,7 @@ jobs:
     name: Copy Layers
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       id-token: write
     strategy:
       matrix:
@@ -90,7 +91,7 @@ jobs:
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -106,4 +107,4 @@ jobs:
         run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
       - id: run-balance
         name: Run Balance
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml
@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud)
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
         type: string
         required: true
 
-name: Layer Deployment (GovCloud)
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish_v3_layer.yml b/.github/workflows/publish_v3_layer.yml
@@ -303,8 +303,8 @@ jobs:
     needs: [update_v3_layer_arn_docs, prepare_docs_alias]
     permissions:
       # lower privilege propagated from parent workflow (release.yml)
-      contents: write
-      pages: write
+      #contents: write
+      #pages: write
       pull-requests: none
       id-token: write
     secrets: inherit

diff --git a/.github/workflows/reusable_deploy_v3_layer_stack.yml b/.github/workflows/reusable_deploy_v3_layer_stack.yml
@@ -154,11 +154,12 @@ jobs:
 
       - name: Install poetry
         run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
-      - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:

diff --git a/.github/workflows/reusable_deploy_v3_sar.yml b/.github/workflows/reusable_deploy_v3_sar.yml
@@ -86,11 +86,12 @@ jobs:
           artifact_name: ${{ inputs.source_code_artifact_name }}
 
 
-      - name: AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
 
       # NOTE
       # We connect to Layers account to log our intent to publish a SAR Layer

diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
@@ -40,9 +40,9 @@ jobs:
     runs-on: ubuntu-latest
     environment: "Docs"
     permissions:
-      contents: write  # push to gh-pages
+      contents: read  # push to gh-pages
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
-      pages: write     # uncomment if mike fails as we migrated to S3 hosting
+      #pages: write     # uncomment if mike fails as we migrated to S3 hosting
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
@@ -79,10 +79,11 @@ jobs:
           poetry run mike set-default --push latest
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Copy API Docs
         run: |
           cp -r api site/

diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -70,11 +70,12 @@ jobs:
           npm ci
           npx cdk --version
       - name: Install dependencies
-        run: dev-quality-code
+        run: make dev-quality-code
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_TEST_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          mask-aws-account-id: true
       - name: Test
         run: make e2e-test
diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml
@@ -1,3 +1,6 @@
+name: SSM Parameters
+run-name: SSM Parameters - Python
+
 # SSM Parameters update
 #
 # PROCESS
@@ -38,9 +41,6 @@ on:
         type: string
         required: true
 
-name: SSM Parameters
-run-name: SSM Parameters - Python
-
 permissions:
   contents: read
 
@@ -59,14 +59,14 @@ jobs:
           ]
 
     permissions:
-      contents: write
+      contents: read
       id-token: write
     steps:
       - id: transform
         run: |
           echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
       - id: creds
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}