diff --git a/.github/workflows/release-IPA-metrics.yml b/.github/workflows/release-IPA-metrics.yml
index a21575f83d..565be5ed7d 100644
--- a/.github/workflows/release-IPA-metrics.yml
+++ b/.github/workflows/release-IPA-metrics.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 issues: write
 contents: write
+ id-token: write
 jobs:
 # Generates and uploads the IPA validation metrics to S3
@@ -40,22 +41,27 @@ jobs:
 working-directory: tools/spectral/ipa/metrics/scripts
 run: node runMetricCollection.js "${{ github.workspace }}/v2.json"
+ - name: aws configure
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ vars.IPA_METRIC_COLLECTION_AWS_S3_ROLE_TO_ASSUME_STAGING}}
+ aws-region: ${{ vars.AWS_DEFAULT_REGION}}
+
 - name: Dump Metric Collection Job Data to S3
 env:
- AWS_ACCESS_KEY_ID: ${{ secrets.IPA_S3_BUCKET_DW_PROD_USERNAME }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PASSWORD }}
- S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PREFIX }}
+ AWS_REGION: ${{ vars.AWS_DEFAULT_REGION}}
+ S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_STAGING_PREFIX}}
 working-directory: tools/spectral/ipa/metrics/scripts
 run: node dataDump.js
- failure-handler:
- name: Failure Handler
- needs: [ release-IPA-metrics ]
- if: ${{ failure() }}
- uses: ./.github/workflows/failure-handler.yml
- with:
- env: 'dev'
- release_name: "IPA Metrics"
- team_id: ${{ vars.JIRA_TEAM_ID_APIX_1 }}
- secrets:
- jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
+# failure-handler:
+# name: Failure Handler
+# needs: [ release-IPA-metrics ]
+# if: ${{ failure() }}
+# uses: ./.github/workflows/failure-handler.yml
+# with:
+# env: 'dev'
+# release_name: "IPA Metrics"
+# team_id: ${{ vars.JIRA_TEAM_ID_APIX_1 }}
+# secrets:
+# jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
diff --git a/tools/spectral/ipa/metrics/metricS3Upload.js b/tools/spectral/ipa/metrics/metricS3Upload.js
index b3787322c1..54602561e3 100644
--- a/tools/spectral/ipa/metrics/metricS3Upload.js
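Review bot: `id-token: write` is added to the workflow-level `permissions` block, so every job in this workflow can request an OIDC token, not only the one that assumes the AWS role. Scope it to its single consumer by moving it into a `permissions:` block on the `release-IPA-metrics` job; a job-level block replaces the workflow-level one for that job, so it must also list whatever else the job uses. With the `failure-handler` job commented out later in this diff, `issues: write` may no longer have a user and could be dropped, though that depends on lines outside the hunk.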
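Review bot: The new `aws configure` step references `aws-actions/configure-aws-credentials@v4` by a movable tag, and this is the step that receives the OIDC token and the assumed-role credentials. Pin it to a full commit SHA and keep the tag as a comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` (placeholder; take the SHA from the release you have reviewed). The role's trust policy is not visible here; it should restrict the token's `sub` claim to this repository and the refs allowed to publish. Separately, the `failure-handler` job is commented out rather than removed and the names switch from PROD to STAGING, which reads like a test configuration; if it is merged as is, a failed upload no longer raises a ticket. The static `IPA_S3_BUCKET_DW_PROD_USERNAME`/`IPA_S3_BUCKET_DW_PROD_PASSWORD` keys should be revoked once nothing else references them.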
+++ b/tools/spectral/ipa/metrics/metricS3Upload.js
@@ -2,7 +2,7 @@ import { PutObjectCommand, S3ServiceException } from '@aws-sdk/client-s3';
 import config from './config.js';
 import path from 'path';
 import fs from 'node:fs';
-import { getS3Client, getS3FilePath } from './utils/dataDumpUtils.js';
+import { getS3FilePath, getS3Client } from './utils/dataDumpUtils.js';
 /**
 * Upload IPA product metrics to Data Warehouse S3
diff --git a/tools/spectral/ipa/metrics/utils/dataDumpUtils.js b/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
index 23362e9837..d39fb87411 100644
--- a/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
+++ b/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
@@ -10,9 +10,7 @@ function loadS3Config() {
 }
 return {
 aws: {
- accessKeyId: process.env.AWS_ACCESS_KEY_ID,
- secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
- region: 'us-east-1',
+ region: process.env.AWS_REGION,
 },
 s3: {
 prefix: process.env.S3_BUCKET_PREFIX,
@@ -29,14 +27,14 @@ export function getS3FilePath() {
 return { bucketName, key };
 }
+/**
+ * Gets an S3 client configured to use AssumeRole credentials
+ * @returns {S3Client} Configured S3 client
+ */
 export function getS3Client() {
- const AWSConfig = loadS3Config();
+ const S3Config = loadS3Config();
- return new S3Client({
- credentials: {
- accessKeyId: AWSConfig.aws.accessKeyId,
- secretAccessKey: AWSConfig.aws.secretAccessKey,
- },
- region: AWSConfig.aws.region,
- });
+ // When running in GitHub Actions with aws-actions/configure-aws-credentials,
+ // the SDK will automatically use the credentials from the environment
+ return new S3Client({ region: S3Config.aws.region });
 }
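Review bot: `region: process.env.AWS_REGION` has no fallback now that the hard-coded `'us-east-1'` is gone, so when the variable is unset or empty `loadS3Config()` hands an unusable region to the client and the failure surfaces later inside the SDK rather than here. The function starts outside the hunk, and the `}` on the first context line appears to close an existing environment check; if that check does not cover `AWS_REGION`, extend it, for example `if (!process.env.AWS_REGION) throw new Error('AWS_REGION is not set');`. The workflow fills `AWS_REGION` from `vars.AWS_DEFAULT_REGION`, so a missing repository variable would presumably arrive here as an empty string.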
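Review bot: The added JSDoc on `getS3Client()` says the client is "configured to use AssumeRole credentials", but `new S3Client({ region: S3Config.aws.region })` sets no credentials at all and relies on the SDK's default provider chain. Outside the workflow, the upload therefore runs with whatever ambient credentials the process has (environment variables, a shared profile, an instance role), which anyone running `dataDump.js` locally should know. Suggested wording: `* Gets an S3 client that relies on the AWS SDK default credential provider chain (in CI, the role assumed by aws-actions/configure-aws-credentials)`.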