From b26bbd33cd64291633f254637bb7c815629f2e45 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Mon, 8 Sep 2025 12:34:28 +0200
Subject: [PATCH 1/2] start over

---
 .github/workflows/build-and-push-image-to-ecr.yaml | 11 ++++-------
 .github/workflows/build-image.yaml | 12 ++++++++----
 .github/workflows/kubernetes.yaml | 10 ++--------
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build-and-push-image-to-ecr.yaml b/.github/workflows/build-and-push-image-to-ecr.yaml
index d3c72cb..20cd223 100644
--- a/.github/workflows/build-and-push-image-to-ecr.yaml
+++ b/.github/workflows/build-and-push-image-to-ecr.yaml
@@ -25,14 +25,12 @@ on:
 description: If provided, downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
 default: ""
 type: string
- secrets:
- AWS_ACCESS_KEY_ID:
- required: true
- AWS_SECRET_ACCESS_KEY:
- required: true

 jobs:
 build-and-push-image-to-ecr:
+ permissions:
+ id-token: write
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Checkout current git repository
@@ -46,9 +44,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 - name: Create ECR repository if it doesn't exist
 run: |
 aws ecr describe-repositories --repository-names ${{ inputs.APPLICATION_NAME }} || \
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index f812d05..7384bce 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -64,6 +64,9 @@ env:
 jobs:
 build-ecr-single:
 if: inputs.imageTargets == ''
+ permissions:
+ id-token: write
+ contents: read
 environment: ${{ github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
 steps:
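Review bot: The new job-level `permissions` block cannot by itself obtain an OIDC token when this file is invoked as a reusable workflow: a called workflow can only downgrade the caller's GITHUB_TOKEN permissions, so every caller must also grant `id-token: write` or the configure-aws-credentials step fails at runtime. That expectation is worth stating next to the block, e.g. `# OIDC: callers of this reusable workflow must also grant id-token: write`. Listing only `id-token` and `contents` drops every other scope to none for this job, which is the right default as far as the visible steps go, since they only check out code and talk to AWS.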
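Review bot: `role-to-assume` makes the configure-aws-credentials step the root of trust for every push to ECR, yet the action is still referenced by the floating major tag `aws-actions/configure-aws-credentials@v2`; pin it to a full-length commit SHA (`uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v2`) so a moved tag cannot swap the code that receives the OIDC token. Adding `role-session-name: ${{ inputs.APPLICATION_NAME }}-${{ github.run_id }}` would let CloudTrail entries for the assumed role be tied back to a workflow run. Since the role's trust policy is now the only thing gating which repositories and refs may assume it, confirm that it conditions `token.actions.githubusercontent.com:sub` on this repository rather than on a wildcard. The same three points apply to the identical hunks at @@ -87 and @@ -161 of build-image.yaml, with an equivalent input there for the session name.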
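Review bot: build-image.yaml now reads `secrets.AWS_ROLE_TO_ASSUME` in its @@ -87 and @@ -161 hunks, but no hunk in this series touches the file's `on:` secrets declaration; if this file is a `workflow_call` workflow with explicitly declared secrets (it does read `inputs.runner`), it needs the same `AWS_ROLE_TO_ASSUME: required: true` entry that patch 2 adds to build-and-push-image-to-ecr.yaml, and any remaining `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` declarations there should be retired with the keys. Separately, `environment:` is taken from `github.event.deployment.payload.env`, and with `id-token: write` the token's `sub` claim then carries that environment name, so the IAM trust policy should enumerate the permitted environment values rather than accept any `sub` for the repository. The same applies to build-ecr-matrix at @@ -135.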
@@ -87,9 +90,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 - name: Create ECR repository if it doesn't exist
 run: |
 aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} || \
@@ -135,6 +137,9 @@ jobs:

 build-ecr-matrix:
 if: inputs.imageTargets != ''
+ permissions:
+ id-token: write
+ contents: read
 environment: ${{ github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
 strategy:
@@ -161,9 +166,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist
 run: |
 aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 255e50e..0ea6918 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -120,15 +120,9 @@ on:
 sentryAuthToken:
 required: false
 description: Authentication token for Sentry
- AWS_ACCESS_KEY_ID:
+ AWS_ROLE_TO_ASSUME:
 required: true
- description: Access key ID for AWS credentials
- AWS_SECRET_ACCESS_KEY:
- required: true
- description: Secet for AWS access key ID
- AWS_ACCOUNT_ID:
- required: true
- description: AWS Account ID
+ description: AWS OIDC role for GitHub to assume

 jobs:
 initialize:

From 481978da2710f78683a39a30f043df8acd549277 Mon Sep 17 00:00:00 2001
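Review bot: The replacement secret's description in the kubernetes.yaml hunk, `description: AWS OIDC role for GitHub to assume`, does not say what value is expected; `role-to-assume` takes a role ARN, so `description: ARN of the IAM role that GitHub Actions assumes via OIDC` would spare callers a wrong value. The hunk also drops `AWS_ACCOUNT_ID` from the declared secrets while the rest of kubernetes.yaml is outside the patch: if any step there still references `secrets.AWS_ACCOUNT_ID` (for example to build an ECR registry host), that value would no longer be populated, and the account can instead be read from the configure-aws-credentials step's `aws-account-id` output once the role is assumed. The `secrets:` mapping begins before this hunk.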
From: Kirill Plis
Date: Mon, 8 Sep 2025 12:36:12 +0200
Subject: [PATCH 2/2] add role

---
 .github/workflows/build-and-push-image-to-ecr.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build-and-push-image-to-ecr.yaml b/.github/workflows/build-and-push-image-to-ecr.yaml
index 20cd223..5704a32 100644
--- a/.github/workflows/build-and-push-image-to-ecr.yaml
+++ b/.github/workflows/build-and-push-image-to-ecr.yaml
@@ -25,6 +25,10 @@ on:
 description: If provided, downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
 default: ""
 type: string
+ secrets:
+ AWS_ROLE_TO_ASSUME:
+ required: true
+ description: AWS OIDC role for GitHub to assume

 jobs:
 build-and-push-image-to-ecr:
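Review bot: The new `description: AWS OIDC role for GitHub to assume` should name the expected value, since `role-to-assume` expects a role ARN and this text is what callers of the reusable workflow see; `description: ARN of the IAM role that GitHub Actions assumes via OIDC` reads unambiguously and matches the same secret in kubernetes.yaml. As a series note, patch 1 leaves this workflow referencing `secrets.AWS_ROLE_TO_ASSUME` without declaring it and only this patch repairs that, so squashing the two would keep every commit in a runnable state for bisecting.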