From 07a91fe0cb50e5db1b31c0cc7eae5d752a81d622 Mon Sep 17 00:00:00 2001 From: Aaron Chung Date: Wed, 11 Dec 2024 18:00:40 -0800 Subject: [PATCH 1/3] test - add github openid connect to run-integration-tests-default --- .github/workflows/run-integration-tests-default.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-integration-tests-default.yml b/.github/workflows/run-integration-tests-default.yml index 46804f9b2..3ca5b1b69 100644 --- a/.github/workflows/run-integration-tests-default.yml +++ b/.github/workflows/run-integration-tests-default.yml @@ -5,7 +5,9 @@ on: push: branches: - main - +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout jobs: all-integration-tests-default: name: 'Run Aurora integration tests with default engine version' @@ -27,8 +29,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | From 39bdc23927f0ab8b48e2bbede4815a6a1445bab5 Mon Sep 17 00:00:00 2001 
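Review bot: Replacing the static keys with `role-to-assume` moves the access decision into the IAM role's trust policy, which this diff cannot show; the role should trust `token.actions.githubusercontent.com` only with conditions pinning `aud` to `sts.amazonaws.com` and `sub` to this repository (for a push-to-main workflow, `repo:<owner>/<repo>:ref:refs/heads/main`), otherwise any GitHub Actions workflow could assume it. Once every workflow is migrated, `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` should be deleted from repository secrets and the IAM user's access keys deactivated, since a stale long-lived key defeats the purpose of OIDC. `uses: aws-actions/configure-aws-credentials@v4` is a mutable tag; for the step that now mints cloud credentials consider pinning to a full commit SHA with the version in a trailing comment. The 'Set up temp AWS credentials' step whose `run: |` closes the hunk continues outside it.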
From: Aaron Chung Date: Thu, 23 Jan 2025 01:58:02 -0800 Subject: [PATCH 2/3] test - add github openid connect to all github workflows --- .github/workflows/mysql_advanced_performance.yml | 7 +++++-- .github/workflows/mysql_performance.yml | 7 +++++-- .github/workflows/pg_advanced_performance.yml | 7 +++++-- .github/workflows/pg_performance.yml | 7 +++++-- .github/workflows/run-autoscaling-tests.yml | 7 +++++-- .github/workflows/run-integration-tests-codebuild.yml | 7 +++++-- .github/workflows/run-integration-tests-default.yml | 2 ++ .github/workflows/run-integration-tests-latest.yml | 7 +++++-- 8 files changed, 37 insertions(+), 14 deletions(-) diff --git a/.github/workflows/mysql_advanced_performance.yml b/.github/workflows/mysql_advanced_performance.yml index 7b6702921..3be9441b3 100644 --- a/.github/workflows/mysql_advanced_performance.yml +++ b/.github/workflows/mysql_advanced_performance.yml @@ -3,6 +3,10 @@ name: Run Aurora Mysql Advanced Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-mysql-performance-tests: concurrency: AdvancedPerformanceTests-Aurora @@ -21,8 +25,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/mysql_performance.yml b/.github/workflows/mysql_performance.yml index 7ff518fba..310f4ba0a 100644 --- a/.github/workflows/mysql_performance.yml +++ b/.github/workflows/mysql_performance.yml 
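Review bot: This workflow is triggered by `workflow_dispatch`, so the OIDC token's `sub` claim carries whichever branch the run is dispatched from; if the role's trust policy is written as `repo:<owner>/<repo>:*`, anyone able to dispatch the workflow from a branch with an edited workflow file can assume the deploy role with an arbitrary `run:` step. Restrict the trust condition to `repo:<owner>/<repo>:ref:refs/heads/main`, or put the job in a GitHub `environment` with required reviewers and match `repo:<owner>/<repo>:environment:<name>` instead. The trust policy is not part of this diff, so this is a point to confirm on the AWS side rather than a defect visible in the hunk.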
@@ -3,6 +3,10 @@ name: Run Aurora Mysql Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-mysql-performance-tests: concurrency: PerformanceTests-Aurora @@ -21,8 +25,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/pg_advanced_performance.yml b/.github/workflows/pg_advanced_performance.yml index fcc2786a5..5d9f1dea9 100644 --- a/.github/workflows/pg_advanced_performance.yml +++ b/.github/workflows/pg_advanced_performance.yml @@ -3,6 +3,10 @@ name: Run Aurora Postgres Advanced Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-postgres-performance-tests: concurrency: AdvancedPerformanceTests-Aurora @@ -21,8 +25,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/pg_performance.yml b/.github/workflows/pg_performance.yml index 346dc78dd..fe1a5afe3 100644 --- a/.github/workflows/pg_performance.yml +++ b/.github/workflows/pg_performance.yml 
@@ -3,6 +3,10 @@ name: Run Aurora Postgres Performance Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: aurora-postgres-performance-tests: concurrency: PerformanceTests-Aurora @@ -21,8 +25,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/run-autoscaling-tests.yml b/.github/workflows/run-autoscaling-tests.yml index d5dea78c8..22ef72054 100644 --- a/.github/workflows/run-autoscaling-tests.yml +++ b/.github/workflows/run-autoscaling-tests.yml @@ -3,6 +3,10 @@ name: Run Autoscaling Tests on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -24,8 +28,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/run-integration-tests-codebuild.yml b/.github/workflows/run-integration-tests-codebuild.yml index b92ffc949..9b2ef00f2 100644 --- a/.github/workflows/run-integration-tests-codebuild.yml +++ b/.github/workflows/run-integration-tests-codebuild.yml 
@@ -3,6 +3,10 @@ name: Run Aurora Integration Tests CodeBuild on: workflow_dispatch: +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -28,8 +32,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | diff --git a/.github/workflows/run-integration-tests-default.yml b/.github/workflows/run-integration-tests-default.yml index 3ca5b1b69..8eb172fd9 100644 --- a/.github/workflows/run-integration-tests-default.yml +++ b/.github/workflows/run-integration-tests-default.yml @@ -5,9 +5,11 @@ on: push: branches: - main + permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout + jobs: all-integration-tests-default: name: 'Run Aurora integration tests with default engine version' diff --git a/.github/workflows/run-integration-tests-latest.yml b/.github/workflows/run-integration-tests-latest.yml index dea745e59..06295b8ee 100644 --- a/.github/workflows/run-integration-tests-latest.yml +++ b/.github/workflows/run-integration-tests-latest.yml @@ -6,6 +6,10 @@ on: branches: - main +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: all-integration-tests-latest: name: Run Aurora integration tests with latest engine version 
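Review bot: The `permissions` block added to `run-integration-tests-latest.yml` is at workflow level, which grants `id-token: write` to every job in the workflow rather than only the job that calls `configure-aws-credentials`; if the file defines more than the one job visible here, moving the block under that job is the least-privilege form. A top-level `permissions` block also replaces the default `GITHUB_TOKEN` grants, so any step in the rest of the file that needs more than `contents: read` (writing check results, PR comments, releases) will now get a 403 — worth checking outside the hunk before merging.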
@@ -27,8 +31,7 @@ jobs: - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: 'Set up temp AWS credentials' run: | From 0cb1c8f3e7e96798b672fdb5f602e68118001bf0 Mon Sep 17 00:00:00 2001 From: Aaron Chung Date: Thu, 23 Jan 2025 12:17:01 -0800 Subject: [PATCH 3/3] test - try add role-session-name, and output-credentials flag, and remove temp creds step --- .../workflows/mysql_advanced_performance.yml | 22 +++++-------------- .github/workflows/mysql_performance.yml | 22 +++++-------------- .github/workflows/pg_advanced_performance.yml | 22 +++++-------------- .github/workflows/pg_performance.yml | 22 +++++-------------- .github/workflows/run-autoscaling-tests.yml | 22 +++++-------------- .../run-integration-tests-codebuild.yml | 22 +++++-------------- .../run-integration-tests-default.yml | 22 +++++-------------- .../run-integration-tests-latest.yml | 22 +++++-------------- 8 files changed, 48 insertions(+), 128 deletions(-) diff --git a/.github/workflows/mysql_advanced_performance.yml b/.github/workflows/mysql_advanced_performance.yml index 3be9441b3..666fba5e3 100644 --- a/.github/workflows/mysql_advanced_performance.yml +++ b/.github/workflows/mysql_advanced_performance.yml 
@@ -23,32 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_adv_perf_test_mysql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-mysql-advanced-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/mysql_performance.yml b/.github/workflows/mysql_performance.yml index 310f4ba0a..52f2f7b5c 100644 --- a/.github/workflows/mysql_performance.yml +++ b/.github/workflows/mysql_performance.yml 
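Review bot: The removed step requested a 21600-second STS session, but the new `with:` block leaves `role-duration-seconds` unset, so the job now runs on the action's default session length (one hour per the action's README), and an advanced performance run longer than that will fail partway through with expired-token errors. If that runtime is expected, add `role-duration-seconds: 21600` next to `role-session-name`, and confirm the role's `MaxSessionDuration` is raised to match, because `AssumeRoleWithWebIdentity` cannot exceed it. The removed `get-session-token` call would in any case have been rejected for assumed-role credentials, so dropping the step is the right direction; the steps list continues outside the hunk.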
@@ -23,32 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_perf_test_mysql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-mysql-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/pg_advanced_performance.yml b/.github/workflows/pg_advanced_performance.yml index 5d9f1dea9..3fd2ec3c1 100644 --- a/.github/workflows/pg_advanced_performance.yml +++ b/.github/workflows/pg_advanced_performance.yml 
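Review bot: `output-credentials: true` together with the three `AWS_*` lines mapping `steps.creds.outputs.*` into the gradle step's `env:` duplicates what the action already does: by default it exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` into the job environment for every later step, so the test step would pick them up with no mapping at all. Unless some other step consumes the outputs, drop `output-credentials: true` and the three env lines so the credentials live in one place and a future reader does not assume the outputs are the only copy. The action masks these values in the log, so this is about keeping the credential flow minimal rather than a leak visible here.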
@@ -23,32 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_adv_perf_test_pgsql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-pg-advanced-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/pg_performance.yml b/.github/workflows/pg_performance.yml index fe1a5afe3..622fbe6f9 100644 --- a/.github/workflows/pg_performance.yml +++ b/.github/workflows/pg_performance.yml 
@@ -23,32 +23,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_perf_test_pgsql aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: 'Run performance tests (OpenJDK)' run: | ./gradlew --no-parallel --no-daemon test-aurora-pg-performance env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: 'Archive Performance Results' diff --git a/.github/workflows/run-autoscaling-tests.yml b/.github/workflows/run-autoscaling-tests.yml index 22ef72054..981b6bc6e 100644 --- a/.github/workflows/run-autoscaling-tests.yml +++ b/.github/workflows/run-autoscaling-tests.yml 
@@ -26,32 +26,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_autoscale_test aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-autoscaling-only env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: Mask data diff --git a/.github/workflows/run-integration-tests-codebuild.yml b/.github/workflows/run-integration-tests-codebuild.yml index 9b2ef00f2..d940a9366 100644 --- a/.github/workflows/run-integration-tests-codebuild.yml +++ b/.github/workflows/run-integration-tests-codebuild.yml 
@@ -30,32 +30,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_codebuild aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.environment }}-aurora env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} RDS_ENDPOINT: ${{ secrets.RDS_ENDPOINT }} MYSQL_VERSION: "latest" PG_VERSION: "latest" diff --git a/.github/workflows/run-integration-tests-default.yml b/.github/workflows/run-integration-tests-default.yml index 8eb172fd9..690cd6754 100644 --- a/.github/workflows/run-integration-tests-default.yml +++ b/.github/workflows/run-integration-tests-default.yml 
@@ -29,32 +29,22 @@ jobs: distribution: 'corretto' java-version: 8 - name: 'Configure AWS credentials' + id: creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_default aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.dbEngine }} env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "default" PG_VERSION: "default" - name: Mask data diff --git a/.github/workflows/run-integration-tests-latest.yml b/.github/workflows/run-integration-tests-latest.yml index 06295b8ee..a7319cc2c 100644 --- a/.github/workflows/run-integration-tests-latest.yml +++ b/.github/workflows/run-integration-tests-latest.yml 
@@ -30,31 +30,21 @@ jobs: java-version: 8 - name: 'Configure AWS credentials' uses: aws-actions/configure-aws-credentials@v4 + id: creds with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }} + role-session-name: run_integration_test_latest aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: 'Set up temp AWS credentials' - run: | - creds=($(aws sts get-session-token \ - --duration-seconds 21600 \ - --query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \ - --output text \ - | xargs)); - echo "::add-mask::${creds[0]}" - echo "::add-mask::${creds[1]}" - echo "::add-mask::${creds[2]}" - echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV - echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV - echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV + output-credentials: true - name: Run integration tests run: | ./gradlew --no-parallel --no-daemon test-all-${{ matrix.dbEngine }} env: AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }} RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }} + AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }} MYSQL_VERSION: "latest" PG_VERSION: "latest" - name: Mask data
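Review bot: `id: creds` is inserted after `uses:` in this file but before `uses:` in the other seven workflows touched by this patch; the key order has no effect on GitHub's parser, but the eight step definitions are otherwise identical and a grep-and-compare across them is easier when they are byte-for-byte the same, so move `id: creds` above `uses: aws-actions/configure-aws-credentials@v4` here. The same lifetime caveat as the other workflows applies: nothing sets `role-duration-seconds`, so the session falls back to the action's default instead of the 21600 seconds the removed step asked for.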