feat: replace aws creds with oidc

.github/workflows/build-and-push-image-to-ecr.yaml

@@ -26,13 +26,15 @@ on:
         default: ""
         type: string
     secrets:
-      AWS_ACCESS_KEY_ID:
-        required: true
-      AWS_SECRET_ACCESS_KEY:
+      AWS_ROLE_TO_ASSUME:
         required: true
+        description: AWS OIDC role for GitHub to assume
 
 jobs:
   build-and-push-image-to-ecr:
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current git repository
@@ -46,9 +48,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
       - name: Create ECR repository if it doesn't exist
         run: |
           aws ecr describe-repositories --repository-names ${{ inputs.APPLICATION_NAME }} || \

.github/workflows/build-image.yaml

@@ -64,6 +64,9 @@ env:
 jobs:
   build-ecr-single:
     if: inputs.imageTargets == ''
+    permissions:
+      id-token: write
+      contents: read
     environment: ${{ github.event.deployment.payload.env }}
     runs-on: ${{ inputs.runner }}
     steps:
@@ -87,9 +90,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
       - name: Create ECR repository if it doesn't exist
         run: |
           aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} || \
@@ -135,6 +137,9 @@ jobs:
 
   build-ecr-matrix:
     if: inputs.imageTargets != ''
+    permissions:
+      id-token: write
+      contents: read
     environment: ${{ github.event.deployment.payload.env }}
     runs-on: ${{ inputs.runner }}
     strategy:
@@ -161,9 +166,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
       - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist
         run: |
           aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \

.github/workflows/kubernetes.yaml

@@ -120,15 +120,9 @@ on:
       sentryAuthToken:
         required: false
         description: Authentication token for Sentry
-      AWS_ACCESS_KEY_ID:
+      AWS_ROLE_TO_ASSUME:
         required: true
-        description: Access key ID for AWS credentials
-      AWS_SECRET_ACCESS_KEY:
-        required: true
-        description: Secet for AWS access key ID
-      AWS_ACCOUNT_ID:
-        required: true
-        description: AWS Account ID
+        description: AWS OIDC role for GitHub to assume
 
 jobs:
   initialize: