Added AWS credentials via Github OIDC

nithyathokala · web-flow · commit 38190e5f6edd · 2025-07-04T15:30:55.000-04:00
* Added aws credentials via oidc

* Changed role name

* Changed to ireland arn in existingvpc-ubuntu-tue

* Added logger and removed push for few workflows

* Changed keypairname for ireland

* Updated ssl certificate arn

* Changed role duration to 2hrs

* Added aws credentials via oids for all workflows

* Added aws credentials via oidc for all workflows

* Changed role duration to 2 hrs for all workflows

* Updated python version to 3.13

* Added run for newvpc-win-wed workflow
diff --git a/.github/workflows/healthcheck-app-existingVpc-Ubuntu-Tue.yml b/.github/workflows/healthcheck-app-existingVpc-Ubuntu-Tue.yml
@@ -6,6 +6,9 @@ on:
  workflow_dispatch:
  schedule:
     - cron: '0 15 * * 2'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -16,6 +19,12 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: '3.13'
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.oidc_role_arn }}
+        aws-region: eu-west-1
+        role-duration-seconds: 7200
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -31,8 +40,5 @@ jobs:
     - name: MPS Ref Arch AWS existing VPC Health Check Test eu-west on Ubuntu
       run: |
         cd healthcheck
-        export AWS_ACCESS_KEY_ID=${{ secrets.aws_access_key_id }}
-        export AWS_SECRET_ACCESS_KEY=${{ secrets.aws_secret_access_key }}
-        export AWS_REGION=eu-west-1
-        python test_healthcheck_existing_vpc.py ${{ secrets.KeyPairNameIreland }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.SSLCertificateARNIreland }} "eu-west-1" "Ubuntu"
+        python test_healthcheck_existing_vpc.py ${{ secrets.OIDCKeyPairNameIreland }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.OIDCSSLCertificateARNIreland }} "eu-west-1" "Ubuntu"
 
diff --git a/.github/workflows/healthcheck-app-existingVpc-Win-Thurs.yml b/.github/workflows/healthcheck-app-existingVpc-Win-Thurs.yml
@@ -6,6 +6,9 @@ on:
  workflow_dispatch:
  schedule:
     - cron: '0 15 * * 4'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -16,6 +19,12 @@ jobs:
       uses: actions/setup-python@v4
       with:
         python-version: '3.13'
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.oidc_role_arn }}
+        aws-region: us-east-1
+        role-duration-seconds: 7200
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -31,8 +40,5 @@ jobs:
     - name: MPS  Ref Arch AWS existing VPC Health Check Test us-east on Windows
       run: |
         cd healthcheck
-        export AWS_ACCESS_KEY_ID=${{ secrets.aws_access_key_id }}
-        export AWS_SECRET_ACCESS_KEY=${{ secrets.aws_secret_access_key }}
-        export AWS_REGION=us-east-1
-        python test_healthcheck_existing_vpc.py ${{ secrets.KeyPairName }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.SSLCertificateARN }} "us-east-1" "Windows"
+        python test_healthcheck_existing_vpc.py ${{ secrets.OIDCKeyPairNameVirginia }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.OIDCSSLCertificateARNVirginia }} "us-east-1" "Windows"
 
diff --git a/.github/workflows/healthcheck-app-newVpc-Ubuntu-Mon.yml b/.github/workflows/healthcheck-app-newVpc-Ubuntu-Mon.yml
@@ -1,12 +1,15 @@
 # This workflow will install Python dependencies, run tests and lint with a single version of Python
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
-name: MATLAB Production Server Ref Arch AWS new VPC Health Check Test us-east on Ubuntu
+name: MATLAB Production Server Ref Arch AWS new VPC Health Check Test us-west on Ubuntu
 
 on:
  workflow_dispatch:
  push:
  schedule:
     - cron: '0 15 * * 1'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -17,6 +20,12 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: '3.13'
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.oidc_role_arn }}
+        aws-region: us-west-2
+        role-duration-seconds: 7200
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -29,11 +38,8 @@ jobs:
         flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
         flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
-    - name: MPS Ref Arch AWS new VPC Health Check Test us-east on Ubuntu
+    - name: MPS Ref Arch AWS new VPC Health Check Test us-west on Ubuntu
       run: |
         cd healthcheck
-        export AWS_ACCESS_KEY_ID=${{ secrets.aws_access_key_id }}
-        export AWS_SECRET_ACCESS_KEY=${{ secrets.aws_secret_access_key }}
-        export AWS_REGION=us-east-1
-        python test_healthcheck_new_vnet.py ${{ secrets.KeyPairName }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.SSLCertificateARN }} "us-east-1" "Ubuntu"
+        python test_healthcheck_new_vnet.py ${{ secrets.OIDCKeyPairNameOregon }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.OIDCSSLCertificateARNOregon }} "us-west-2" "Ubuntu"
 
diff --git a/.github/workflows/healthcheck-app-newVpc-Win-Wed.yml b/.github/workflows/healthcheck-app-newVpc-Win-Wed.yml
@@ -6,6 +6,9 @@ on:
  workflow_dispatch:
  schedule:
     - cron: '0 15 * * 3'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -16,6 +19,12 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: '3.13'
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.oidc_role_arn }}
+        aws-region: ap-northeast-1
+        role-duration-seconds: 7200
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -31,8 +40,5 @@ jobs:
     - name: MPS Ref Arch AWS new VPC Health Check Test ap-northeast on Windows
       run: |
         cd healthcheck
-        export AWS_ACCESS_KEY_ID=${{ secrets.aws_access_key_id }}
-        export AWS_SECRET_ACCESS_KEY=${{ secrets.aws_secret_access_key }}
-        export AWS_REGION=ap-northeast-1
-        python test_healthcheck_new_vnet.py ${{ secrets.KeyPairNameTokyo }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.SSLCertificateARNTokyo }} "ap-northeast-1" "Windows"
+        python test_healthcheck_new_vnet.py ${{ secrets.OIDCKeyPairNameTokyo }} ${{ secrets.lmpassword }} ${{ secrets.ipaddress }} ${{ secrets.OIDCSSLCertificateARNTokyo }} "ap-northeast-1" "Windows"
 
diff --git a/healthcheck/refarch_testtools/deploy.py b/healthcheck/refarch_testtools/deploy.py
@@ -11,7 +11,7 @@
 from botocore.exceptions import WaiterError
 
 _logger = logging.getLogger("deploy")
-
+logging.basicConfig(level=logging.INFO)
 
 def deploy_stack(template_url, template_parameters, region, stack_base_name="refArchTest", extra_parameters={}):
     stack_name = _create_stack_name(stack_base_name)
