Add Continuous Integration (CI) as GitHub Action
Running the tests for this project requires read access to s3://facia-tool-store/DEV/, so we need to provide the GitHub Action with AWS credentials for an AWS role that allows that. We're using https://github.com/aws-actions/configure-aws-credentials to grant the credentials, and https://github.com/guardian/cdk to create the AWS Role (as we're adding cdk, we get half a dozen new files in the new `cdk` folder!).

Specific IAM permissions required
---------------------------------

Even though all the FAPI client does, in terms of S3 API calls, is call `getObject`, we need more than the `s3:GetObject` permission. We also need `s3:ListBucket` because FAPI sometimes has to request objects that don't exist ...and without `s3:ListBucket`, S3 will throw an `AccessDenied` error even though you possess the `s3:GetObject` permission: https://stackoverflow.com/a/56027548/438886

Abusing the repositories field
------------------------------

Try to be specific to grant just this repo permissions.

Note that I seem to be having to abuse the `repositories` field a bit (is this field badly named?) in order to get this `repo:guardian/facia-scala-client:*` value:

```
- Action: sts:AssumeRoleWithWebIdentity
  Condition:
    StringLike:
      token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:*
```

...which is apparently the format required: aws-actions/configure-aws-credentials#306 (comment)

Co-authored-by: Akash Askoolum <[email protected]>
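A complete role definition in plain CloudFormation, added here as an illustration and not the project's own cdk output, that puts the trust-policy condition above together with the two S3 permissions the commit message describes. The bucket, `DEV/` prefix and repository are the ones named in the message; the account id, OIDC provider ARN, role name and policy name are assumed placeholders.

```yaml
# Added illustration, not code from the facia-scala-client repository.
# Assumed placeholders: account id 123456789012, the OIDC provider ARN,
# and the role/policy names.
Resources:
  FaciaScalaClientCiRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Assumes the GitHub OIDC identity provider is already registered in the account
              Federated: arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # Only tokens minted for AWS STS are accepted
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:
                # Only workflows running in this repository (any ref) may assume the role
                token.actions.githubusercontent.com:sub: repo:guardian/facia-scala-client:*
      Policies:
        - PolicyName: read-facia-tool-store-dev
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Object-level read: the resource is the object ARN under the DEV/ prefix
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::facia-tool-store/DEV/*
              # Bucket-level list: the resource is the bucket ARN, not an object ARN.
              # Without this, a GetObject for a missing key returns AccessDenied
              # instead of NoSuchKey (see the Stack Overflow link above).
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::facia-tool-store
```

Two points worth checking when wiring this up: `s3:ListBucket` must be granted on the bucket ARN (`arn:aws:s3:::facia-tool-store`) rather than the `/DEV/*` object ARN, or it has no effect; and the GitHub workflow that calls `aws-actions/configure-aws-credentials` must declare `permissions: id-token: write`, otherwise no OIDC token is issued and the `AssumeRoleWithWebIdentity` call never happens.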