diff --git a/.github/workflows/mysql_advanced_performance.yml b/.github/workflows/mysql_advanced_performance.yml index 7b6702921..666fba5e3 100644 --- a/.github/workflows/mysql_advanced_performance.yml +++ b/.github/workflows/mysql_advanced_performance.yml @@ -3,6 +3,10 @@ name: Run Aurora Mysql Advanced Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-mysql-performance-tests: concurrency: AdvancedPerformanceTests-Aurora 
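Review bot: The new `permissions:` block sits at workflow level, so `id-token: write` is granted to every job in the workflow rather than only to the job that calls configure-aws-credentials; if this workflow has other jobs outside the hunk (archive/notify/cleanup), they receive an OIDC-minting capability they do not need. Moving the same two keys under `jobs.aurora-mysql-performance-tests.permissions:` keeps the grant scoped to the job that assumes the role, with no other change in behavior. The same workflow-level placement is used in the first hunk of each of the other seven files in this commit. The `on:` and `jobs:` sections this hunk touches continue outside it.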
@@ -19,33 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_adv_perf_test_mysql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-mysql-advanced-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/mysql_performance.yml b/.github/workflows/mysql_performance.yml index 7ff518fba..52f2f7b5c 100644 --- a/.github/workflows/mysql_performance.yml +++ b/.github/workflows/mysql_performance.yml 
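Review bot: The removed step explicitly requested a 21600-second (6 h) session token, while the new `role-to-assume` block sets no `role-duration-seconds`, so the assumed-role session falls back to the action's default of one hour; an advanced performance run longer than that will fail mid-test when the temporary credentials expire. If the tests need the longer window, add `role-duration-seconds: 21600` under `with:` (the IAM role's MaxSessionDuration must permit it), otherwise state the expected runtime so the shorter default is a deliberate tightening. Separately, as far as I can tell the action still exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` into the job environment by default, so `output-credentials: true` plus the three `env:` lines reading `steps.creds.outputs.*` duplicate that and additionally keep the role credentials in step outputs; dropping both leaves the gradle step with the same credentials. The same pattern is repeated in the credentials hunk of the other seven workflow files in this commit; the job definition continues outside the hunk.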
@@ -3,6 +3,10 @@ name: Run Aurora Mysql Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-mysql-performance-tests: concurrency: PerformanceTests-Aurora @@ -19,33 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_perf_test_mysql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-mysql-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' 
diff --git a/.github/workflows/pg_advanced_performance.yml b/.github/workflows/pg_advanced_performance.yml index fcc2786a5..3fd2ec3c1 100644 --- a/.github/workflows/pg_advanced_performance.yml +++ b/.github/workflows/pg_advanced_performance.yml @@ -3,6 +3,10 @@ name: Run Aurora Postgres Advanced Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-postgres-performance-tests: concurrency: AdvancedPerformanceTests-Aurora 
@@ -19,33 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_adv_perf_test_pgsql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-pg-advanced-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/pg_performance.yml b/.github/workflows/pg_performance.yml index 346dc78dd..622fbe6f9 100644 --- a/.github/workflows/pg_performance.yml +++ b/.github/workflows/pg_performance.yml 
@@ -3,6 +3,10 @@ name: Run Aurora Postgres Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-postgres-performance-tests: concurrency: PerformanceTests-Aurora @@ -19,33 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_perf_test_pgsql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-pg-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' 
diff --git a/.github/workflows/run-autoscaling-tests.yml b/.github/workflows/run-autoscaling-tests.yml index d5dea78c8..981b6bc6e 100644 --- a/.github/workflows/run-autoscaling-tests.yml +++ b/.github/workflows/run-autoscaling-tests.yml @@ -3,6 +3,10 @@ name: Run Autoscaling Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
@@ -22,33 +26,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_autoscale_test aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-autoscaling-only env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: Mask data diff --git a/.github/workflows/run-integration-tests-codebuild.yml b/.github/workflows/run-integration-tests-codebuild.yml index b92ffc949..d940a9366 100644 --- a/.github/workflows/run-integration-tests-codebuild.yml +++ b/.github/workflows/run-integration-tests-codebuild.yml 
@@ -3,6 +3,10 @@ name: Run Aurora Integration Tests CodeBuild on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -26,33 +30,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_codebuild aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.environment }}-aurora env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} RDS_ENDPOINT: ${{ secrets.RDS_ENDPOINT }} MYSQL_VERSION: "latest" PG_VERSION: "latest" 
diff --git a/.github/workflows/run-integration-tests-default.yml b/.github/workflows/run-integration-tests-default.yml index 46804f9b2..690cd6754 100644 --- a/.github/workflows/run-integration-tests-default.yml +++ b/.github/workflows/run-integration-tests-default.yml @@ -6,6 +6,10 @@ on: branches: - main +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: all-integration-tests-default: name: 'Run Aurora integration tests with default engine version' 
@@ -25,33 +29,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_default aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.dbEngine }} env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: Mask data diff --git a/.github/workflows/run-integration-tests-latest.yml b/.github/workflows/run-integration-tests-latest.yml index dea745e59..a7319cc2c 100644 --- a/.github/workflows/run-integration-tests-latest.yml +++ b/.github/workflows/run-integration-tests-latest.yml 
@@ -6,6 +6,10 @@ on: branches: - main +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: all-integration-tests-latest: name: Run Aurora integration tests with latest engine version @@ -26,32 +30,21 @@ jobs: java-version: 8 - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 + id: creds with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_latest aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.dbEngine }} env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "latest" PG_VERSION: "latest" - name: Mask data
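Review bot: In the second hunk `id: creds` is placed after `uses: aws-actions/configure-aws-credentials@v4`, whereas the other seven workflows in this commit put `id: creds` before `uses:`; functionally identical, but the inconsistency makes grepping and future bulk edits across these near-identical step blocks error-prone. Move `id: creds` to the line directly after `- name: 'Configure AWS credentials'` to match the rest. The job body continues outside the hunk.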