Remove role to use OIDC

Signed-off-by: constanca <[email protected]>
elastic · Sep 25, 2024 · d2696c0 · d2696c0
1 parent ea7d3fc
commit d2696c0
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/.github/workflows/releases-production.yml b/.github/workflows/releases-production.yml
@@ -1,4 +1,9 @@
 ---
+# IMPORTANT:
+# If you change the name of this file, you will have to update
+# https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/elastic-serverless-forwarder/01-aws-oidc-github.tf
+# to include the current one!
+
 # Workflow to push zip with dependencies to S3 bucket every time the ESF version is updated
 # (we need this for ESF terraform), and to publish the new SAR version
 name: releases-production
@@ -13,6 +18,10 @@ permissions:
   id-token: write   # This is required for requesting the JWT
   contents: read    # This is required for actions/checkout
 
+env:
+  AWS_REGION: "eu-central-1"
+  AWS_ACCOUNT_ID: "267093732750" # account 'elastic-observability-prod'
+
 jobs:
 
   get-esf-version:
@@ -41,8 +50,6 @@ jobs:
 
     env:
       BUCKET_NAME: "esf-dependencies"
-      AWS_REGION: "eu-central-1"
-      ROLE: "arn:aws:iam::267093732750:role/esf-dependencies-role"
 
     steps:
       # See https://docs.aws.amazon.com/lambda/latest/dg/python-package.html#python-package-create-dependencies
@@ -72,26 +79,28 @@ jobs:
           zip -r ./lambda-v${{ needs.get-esf-version.outputs.version }}.zip shippers
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: elastic/oblt-actions/aws/auth@v1
+        with:
+          aws-account-id: "${{ env.AWS_ACCOUNT_ID }}"
+          aws-region: "${{ env.AWS_REGION }}"
+
+      - uses: aws-actions/setup-sam@2360ef6d90015369947b45b496193ab9976a9b04 # v2
         with:
-          role-to-assume: ${{ env.ROLE }}
-          aws-region: ${{ env.AWS_REGION }}
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Copy file to s3
         run: |
           aws s3 cp ./lambda-v${{ needs.get-esf-version.outputs.version }}.zip s3://${{ env.BUCKET_NAME }}/
 
 
-
   release-sar:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     needs: get-esf-version
 
     env:
       BUCKET_NAME: "elastic-serverless-forwarder"
-      AWS_REGION: "eu-central-1"
-      AWS_ACCOUNT_ID: "267093732750" # elastic-observability-prod
 
     steps:
       - uses: actions/checkout@v4