From adf4106d8afc4fa8ab9952907c96be8fd3a22965 Mon Sep 17 00:00:00 2001
From: Izaim
Date: Sat, 30 Mar 2024 23:37:17 +0100
Subject: [PATCH] use aws secrets manager for a secure retrieval

---
.github/workflows/test_coverage_with_tokens.yml | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/test_coverage_with_tokens.yml b/.github/workflows/test_coverage_with_tokens.yml
index 3dadb00c..66cd62cc 100644
--- a/.github/workflows/test_coverage_with_tokens.yml
+++ b/.github/workflows/test_coverage_with_tokens.yml
@@ -42,11 +42,6 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - - run: | - OUTPUT=$(aws cognito-idp "${{ secrets.COGNITO_INIT }}" --user-pool-id "${{ secrets.COGNITO_USER_POOL_ID }}" --client-id "${{ secrets.COGNITO_CLIENT_ID }}" --auth-flow "${{ secrets.COGNITO_AUTH_FLOW }}" --auth-parameters USERNAME="${{ secrets.COGNITO_USERNAME }}",PASSWORD=${{ secrets.COGNITO_PASSWORD }}) - echo ACCESS_TOKEN=$(echo "$OUTPUT" | jq -r '.AuthenticationResult.AccessToken' | sed 's/^"\(.*\)"$/\1/') >> $GITHUB_OUTPUT - echo ID_TOKEN=$(echo "$OUTPUT" | jq -r '.AuthenticationResult.IdToken' | sed 's/^"\(.*\)"$/\1/') >> $GITHUB_OUTPUT - name: Setup Python uses: actions/setup-python@v4 
@@ -59,13 +54,16 @@ jobs: - name: Install requirements_dev.txt run: pip install -r requirements_dev.txt + + - name: Retrieve Cognito Tokens from AWS Secrets Manager + run: | + echo "CRIPT_TOKEN=$(aws secretsmanager get-secret-value --secret-id Pipelines_CognitoAccessToken --query SecretString --output text)" >> $GITHUB_ENV + echo "CRIPT_STORAGE_TOKEN=$(aws secretsmanager get-secret-value --secret-id Pipelines_CognitoIdToken --query SecretString --output text)" >> $GITHUB_ENV - name: Test Coverage run: pytest tests/api/test_api.py env: - ACCESS_TOKEN: ${{ steps.cognito-token.outputs.ACCESS_TOKEN }} - ID_TOKEN: ${{ steps.cognito-token.outputs.ID_TOKEN }} CRIPT_HOST: https://lb-stage.mycriptapp.org/ - CRIPT_TOKEN: $ACCESS_TOKEN - CRIPT_STORAGE_TOKEN: $ID_TOKEN + CRIPT_TOKEN: ${{ env.CRIPT_TOKEN }} + CRIPT_STORAGE_TOKEN: ${{ env.CRIPT_STORAGE_TOKEN }} CRIPT_TESTS: True
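Review bot: The two tokens the new "Retrieve Cognito Tokens" step appends to `$GITHUB_ENV` are not masked, because GitHub only redacts values that come from the `secrets` context, so any later step that dumps its environment, or a pytest failure that prints request headers, would expose the Cognito access and ID tokens in plain text in the job log. A failed `aws secretsmanager get-secret-value` is also swallowed there: the command substitution's exit status is lost inside `echo "KEY=$(...)"`, so the step succeeds and silently exports an empty `CRIPT_TOKEN`. Capture each value into a variable first (the default `bash -eo pipefail` then aborts the step on a fetch error), register it with `::add-mask::` before anything can print it, and only then append it to `$GITHUB_ENV`; note that `$GITHUB_ENV` takes one `KEY=value` per line, so a multi-line SecretString (e.g. a JSON key/value secret) would need the heredoc form instead. The step sets no AWS credentials of its own, so it presumably relies on the earlier step that carries `AWS_ACCESS_KEY_ID` being exported job-wide — confirm that, and scope that principal's `secretsmanager:GetSecretValue` to just these two secret ARNs. The `env:` entries `CRIPT_TOKEN: ${{ env.CRIPT_TOKEN }}` and `CRIPT_STORAGE_TOKEN: ${{ env.CRIPT_STORAGE_TOKEN }}` on the Test Coverage step are redundant, since variables written to `$GITHUB_ENV` are already visible to every following step.
```yaml
      - name: Retrieve Cognito Tokens from AWS Secrets Manager
        run: |
          ACCESS_TOKEN="$(aws secretsmanager get-secret-value --secret-id Pipelines_CognitoAccessToken --query SecretString --output text)"
          ID_TOKEN="$(aws secretsmanager get-secret-value --secret-id Pipelines_CognitoIdToken --query SecretString --output text)"
          # Mask before anything can print them: values written to GITHUB_ENV are not redacted automatically
          echo "::add-mask::$ACCESS_TOKEN"
          echo "::add-mask::$ID_TOKEN"
          echo "CRIPT_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
          echo "CRIPT_STORAGE_TOKEN=$ID_TOKEN" >> "$GITHUB_ENV"
      # … unchanged: Test Coverage step (drop the redundant CRIPT_TOKEN / CRIPT_STORAGE_TOKEN env entries) …
```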