Update workflows to use IAM role auth (#49)

* add IAM role authentication

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

Author: bluesentinelsec

.github/workflows/build_scan_container.yml

@@ -44,7 +44,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
         uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0

.github/workflows/example_display_findings.yml

@@ -23,6 +23,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
 
       # modify this block to scan your intended artifact

.github/workflows/run_unit_tests.yml

@@ -23,7 +23,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Run unit tests
         run: make test

.github/workflows/test_archive.yml

@@ -28,7 +28,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test archive scan
         id: inspector

.github/workflows/test_binary.yml

@@ -28,7 +28,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test binary scan
         id: inspector

.github/workflows/test_containers.yml

@@ -28,7 +28,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test container scan
         id: inspector

.github/workflows/test_installation.yml

@@ -22,9 +22,10 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-region: 'us-east-1'
+          aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
         uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main

.github/workflows/test_repository.yml

@@ -27,7 +27,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          # TODO: use an IAM role
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test repository scan
         id: inspector

.github/workflows/test_vuln_thresholds.yml

@@ -27,6 +27,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan artifact with Inspector
         uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main