Assume IAM role to sign container images instead of using access keys

alphagov · Feb 1, 2024 · a251f45 · a251f45
1 parent 686334e
commit a251f45
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/.github/workflows/sign.yaml b/.github/workflows/sign.yaml
@@ -16,6 +16,7 @@ jobs:
         version: ['3.1', '3.2', '3.3']
     permissions:
       packages: write
+      id-token: write
     steps:
       - name: Login to GHCR
         uses: docker/[email protected]
@@ -29,9 +30,7 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/[email protected]
         with:
-          # TODO: Remove long-lived keys and switch to OIDC once https://github.com/github/roadmap/issues/249 lands.
-          aws-access-key-id: ${{ secrets.AWS_GOVUK_ECR_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_GOVUK_ECR_SECRET_ACCESS_KEY }}
+          role-to-assume: "arn:aws:iam::172025368201:role/github_action_ecr_push"
           aws-region: eu-west-1
       - name: Create attestation
         run: |