Главная Обзор Помощь
Вход
akillibulut
/
cloudbridge
зеркало из https://github.com/CloudVE/cloudbridge
2
0
Ответвить 0
Файлы Задачи 0 Вики
Ветка: main
Ветки Метки
cloudbridge
/
.github
/
aws
/
setup.sh

setup.sh 2.4 KB
Постоянная ссылка История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. #!/usr/bin/env bash
    2. 

  2. # One-time setup to enable GitHub Actions OIDC -> AWS access for this repo.
    3. 

  3. # Run with credentials that can manage IAM (admin, or a scoped IAM-admin role).
    4. 

  4. # Re-running is safe: each step is idempotent or no-ops if already present.
    5. 

  5. 

  6. set -euo pipefail
    7. 

  7. 

  8. ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
    9. 

  9. ROLE_NAME="cloudbridge-github-actions"
    10. 

  10. POLICY_NAME="cloudbridge-github-actions-policy"
    11. 

  11. REGION="us-east-1"
    12. 

  12. 

  13. SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
    14. 

  14. TRUST_POLICY="${SCRIPT_DIR}/trust-policy.json"
    15. 

  15. PERMISSIONS_POLICY="${SCRIPT_DIR}/permissions-policy.json"
    16. 

  16. 

  17. # 1. Register GitHub's OIDC provider in IAM (no-op if it already exists).
    18. 

  18. if ! aws iam get-open-id-connect-provider \
    19. 

  19.       --open-id-connect-provider-arn "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" \
    20. 

  20.       >/dev/null 2>&1; then
    21. 

  21.   aws iam create-open-id-connect-provider \
    22. 

  22.     --url "https://token.actions.githubusercontent.com" \
    23. 

  23.     --client-id-list "sts.amazonaws.com" \
    24. 

  24.     --thumbprint-list "ffffffffffffffffffffffffffffffffffffffff"
    25. 

  25.   # Thumbprint above is a placeholder — GitHub OIDC uses a JWKS endpoint and
    26. 

  26.   # AWS now validates the JWKS chain server-side, so the thumbprint is no
    27. 

  27.   # longer security-critical. Set any 40-char hex value.
    28. 

  28. fi
    29. 

  29. 

  30. # 2. Render the trust policy with the real account id.
    31. 

  31. TRUST_RENDERED="$(mktemp)"
    32. 

  32. sed "s/ACCOUNT_ID/${ACCOUNT_ID}/g" "${TRUST_POLICY}" > "${TRUST_RENDERED}"
    33. 

  33. 

  34. # 3. Create or update the role.
    35. 

  35. if aws iam get-role --role-name "${ROLE_NAME}" >/dev/null 2>&1; then
    36. 

  36.   aws iam update-assume-role-policy \
    37. 

  37.     --role-name "${ROLE_NAME}" \
    38. 

  38.     --policy-document "file://${TRUST_RENDERED}"
    39. 

  39. else
    40. 

  40.   aws iam create-role \
    41. 

  41.     --role-name "${ROLE_NAME}" \
    42. 

  42.     --assume-role-policy-document "file://${TRUST_RENDERED}" \
    43. 

  43.     --description "Assumed by GitHub Actions to run cloudbridge integration tests in ${REGION}"
    44. 

  44. fi
    45. 

  45. 

  46. # 4. Attach an inline permissions policy (replaces on each run).
    47. 

  47. aws iam put-role-policy \
    48. 

  48.   --role-name "${ROLE_NAME}" \
    49. 

  49.   --policy-name "${POLICY_NAME}" \
    50. 

  50.   --policy-document "file://${PERMISSIONS_POLICY}"
    51. 

  51. 

  52. ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
    53. 

  53. 

  54. echo
    55. 

  55. echo "Role ready: ${ROLE_ARN}"
    56. 

  56. echo "Set this as a repo secret named AWS_OIDC_ROLE_ARN at:"
    57. 

  57. echo "  https://github.com/CloudVE/cloudbridge/settings/secrets/actions"
    58. 

  58. echo
    59. 

  59. echo "Then remove the AWS_ACCESS_KEY and AWS_SECRET_KEY repo secrets — they are no longer used."
    60.