-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdevolv_oidc_onboard.py
More file actions
178 lines (160 loc) · 6.19 KB
/
devolv_oidc_onboard.py
File metadata and controls
178 lines (160 loc) · 6.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
#!/usr/bin/env python3
import json
import time
import argparse
import boto3
from botocore.exceptions import ClientError
OIDC_URL = "https://token.actions.githubusercontent.com"
OIDC_AUDIENCE = "sts.amazonaws.com"
THUMBPRINT = "6938fd4d98bab03faadb97b34396831e3780aea1"
def wait_for_role(iam_client, role_name, max_attempts=10, delay=2):
waiter = iam_client.get_waiter('role_exists')
try:
waiter.wait(RoleName=role_name, WaiterConfig={'Delay': delay, 'MaxAttempts': max_attempts})
return True
except ClientError as e:
print(f"Error waiting for role: {e}")
return False
def wait_for_policy(iam_client, policy_arn, max_attempts=10, delay=2):
for _ in range(max_attempts):
try:
iam_client.get_policy(PolicyArn=policy_arn)
return True
except ClientError as e:
if e.response['Error']['Code'] == 'NoSuchEntity':
time.sleep(delay)
continue
raise
return False
def ensure_github_oidc_provider_exists(iam_client, account_id, org_name):
provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"
try:
existing_providers = iam_client.list_open_id_connect_providers()['OpenIDConnectProviderList']
if any(p['Arn'] == provider_arn for p in existing_providers):
print(f"✅ OIDC provider for GitHub already exists (used for {org_name})")
return
print(f"🔧 Creating GitHub OIDC provider for {org_name}...")
iam_client.create_open_id_connect_provider(
Url=OIDC_URL,
ClientIDList=[OIDC_AUDIENCE],
ThumbprintList=[THUMBPRINT]
)
print(f"✅ GitHub OIDC provider created (used for {org_name})")
except ClientError as e:
print(f"❌ Failed to ensure GitHub OIDC provider: {e}")
raise
def main():
parser = argparse.ArgumentParser(description="Set up GitHub OIDC role + policy")
parser.add_argument("--github-org", required=True, help="GitHub organization name")
args = parser.parse_args()
org_name = args.github_org
role_name = f"{org_name}-DevolvRole"
policy_name = f"{org_name}-DevolvPolicy"
iam_client = boto3.client('iam')
sts_client = boto3.client('sts')
try:
account_id = sts_client.get_caller_identity()['Account']
except ClientError as e:
print(f"❌ Error getting account ID: {e}")
return
ensure_github_oidc_provider_exists(iam_client, account_id, org_name)
trust_policy = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": OIDC_AUDIENCE
},
"StringLike": {
"token.actions.githubusercontent.com:sub": f"repo:{org_name}/*"
}
}
}]
}
try:
iam_client.create_role(
RoleName=role_name,
AssumeRolePolicyDocument=json.dumps(trust_policy)
)
if wait_for_role(iam_client, role_name):
print(f"✅ Role created: {role_name}")
else:
print("❌ Failed to confirm role creation")
return
except ClientError as e:
if e.response['Error']['Code'] == 'EntityAlreadyExists':
print(f"ℹ️ Role {role_name} already exists")
else:
print(f"❌ Error creating role: {e}")
return
policy_document = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMPolicyDriftActions",
"Effect": "Allow",
"Action": [
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion"
],
"Resource": "*"
},
{
"Sid": "AllowSTSAssumeRoleForDevolvCIRole",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": f"arn:aws:iam::{account_id}:role/{role_name}"
}
]
}
try:
response = iam_client.create_policy(
PolicyName=policy_name,
PolicyDocument=json.dumps(policy_document)
)
policy_arn = response['Policy']['Arn']
if wait_for_policy(iam_client, policy_arn):
print(f"✅ Policy created: {policy_name}")
else:
print("❌ Failed to confirm policy creation")
return
except ClientError as e:
if e.response['Error']['Code'] == 'EntityAlreadyExists':
policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
print(f"ℹ️ Policy {policy_name} already exists")
else:
print(f"❌ Error creating policy: {e}")
return
try:
iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
print(f"✅ Policy attached to role: {role_name}")
except ClientError as e:
print(f"❌ Error attaching policy to role: {e}")
return
print("\n🎉 Setup complete!")
print(f"🔑 Role: arn:aws:iam::{account_id}:role/{role_name}")
print(f"🔑 Policy: arn:aws:iam::{account_id}:policy/{policy_name}")
print(f"🔑 OIDC provider: token.actions.githubusercontent.com (used for {org_name})")
print("\n👉 Add this to your GitHub Actions workflow:\n")
print("permissions:")
print(" contents: write")
print(" issues: write")
print(" pull-requests: write")
print(" id-token: write\n")
print("- uses: aws-actions/configure-aws-credentials@v4")
print(" with:")
print(f" role-to-assume: arn:aws:iam::{account_id}:role/{role_name}")
print(" aws-region: <your-region> # Replace with your AWS region (e.g. us-east-1)")
if __name__ == "__main__":
main()