OIDC deploy (#450)

* Use aws-configure-credentials for OIDC deploy

Signed-off-by: Crola1702 <[email protected]>

* Fix aws-action syntax

Signed-off-by: Crola1702 <[email protected]>

* Test configure credentials

Signed-off-by: Crola1702 <[email protected]>

* Test describe permissions

Signed-off-by: Crola1702 <[email protected]>

* List permissions in a different way

Signed-off-by: Crola1702 <[email protected]>

* List permissions in a different way

Signed-off-by: Crola1702 <[email protected]>

* List permissions in a different way

Signed-off-by: Crola1702 <[email protected]>

* Test identity from dockerfiles

Signed-off-by: Crola1702 <[email protected]>

* Check if credentials defined

Signed-off-by: Crola1702 <[email protected]>

* Fix syntax

Signed-off-by: Crola1702 <[email protected]>

* Check if not defined

Signed-off-by: Crola1702 <[email protected]>

* Add session token to aws configuration

Signed-off-by: Crola1702 <[email protected]>

* Add session token to all distributions

Signed-off-by: Crola1702 <[email protected]>

---------

Signed-off-by: Crola1702 <[email protected]>

.github/workflows/nightly-upload.yml

@@ -10,26 +10,29 @@ jobs:
   upload:
     name: Upload docs to production
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - name: Checkout
       uses: actions/checkout@v2
-    - name: Setup aws cli
-      run: |
-        sudo apt-get update &&
-        sudo apt-get install curl &&
-        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" &&
-        unzip awscliv2.zip &&
-        sudo ./aws/install --update &&
-        aws --version
+    - name: Configure AWS Credentials
+      id: creds
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-east-1
+        role-to-assume: arn:aws:iam::200670743174:role/github-oidc-deployment-gz-web-app
+        # Need to run ./build_docs.sh
+        output-credentials: true
     - name: Run nightly upload
-      run: cd tools && ./build_docs.sh all
+      run: |
+        cd tools && ./build_docs.sh all
       shell: bash
       env:
         GZ_VERSION_PASSWORD: ${{ secrets.GZ_VERSION_PASSWORD }}
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
+        AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
+        AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
     - name: Invalidate Cloudfront distribution
       run: |
-        aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} &&
-        aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} &&
         aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths '/*' --region us-east-1

tools/Dockerfile.citadel

@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN 
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 

tools/Dockerfile.fortress

@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN 
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 

tools/Dockerfile.garden

@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN 
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 
 COPY scripts/build_gz.sh scripts/build_gz.sh
 

tools/Dockerfile.harmonic

@@ -13,9 +13,10 @@ ARG GZ_VERSION_PASSWORD
 ARG GZ_VERSION_DATE
 ARG AWS_ACCESS_KEY_ID
 ARG AWS_SECRET_ACCESS_KEY
+ARG AWS_SESSION_TOKEN 
 
 COPY scripts/install_common_deps.sh scripts/install_common_deps.sh
-RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
+RUN scripts/install_common_deps.sh $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_SESSION_TOKEN
 RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/pkgs-osrf-archive-keyring.gpg] http://packages.osrfoundation.org/gazebo/ubuntu-prerelease $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/gazebo-prerelease.list > /dev/null \
   && apt-get update
 

tools/build_docs.sh

@@ -29,7 +29,7 @@
 
 if [[ $1 == 'all' || $1 == 'citadel' || $1 == 'Citadel' ]]; then
   echo -e "\e[46m\e[30mUploading documentation for Citadel\e[0m\e[39m"
-  docker build -t gz-docs-builder -f Dockerfile.citadel --build-arg GZ_VERSION_PASSWORD --build-arg GZ_VERSION_DATE=`date -Iseconds` --no-cache --build-arg AWS_ACCESS_KEY_ID --build-arg AWS_SECRET_ACCESS_KEY .
+  docker build -t gz-docs-builder -f Dockerfile.citadel --build-arg GZ_VERSION_PASSWORD --build-arg GZ_VERSION_DATE=`date -Iseconds` --no-cache --build-arg AWS_ACCESS_KEY_ID --build-arg AWS_SECRET_ACCESS_KEY --build-arg AWS_SESSION_TOKEN .
   docker image rm -f gz-docs-builder
   docker image prune -f
 fi

tools/scripts/install_common_deps.sh

@@ -34,4 +34,5 @@ sudo ./aws/install
 # Configure AWS so that API docs can be uploaded to s3.
 aws configure set aws_access_key_id $1
 aws configure set aws_secret_access_key $2
+aws configure set aws_session_token $3
 aws configure set default.region us-east-1