From dd037a28bf1aa4fbee86cbe518d27a3b2b5b708f Mon Sep 17 00:00:00 2001
From: Yeliz Henden <yeliz.henden@mongodb.com>
Date: Tue, 18 Mar 2025 15:58:12 +0000
Subject: [PATCH 1/4] PoC: AssumeRole approach for IPA Metric Collection

---
 .github/workflows/release-IPA-metrics.yml     | 13 ++++++++----
 tools/spectral/ipa/metrics/metricS3Upload.js  |  5 ++++-
 .../ipa/metrics/utils/dataDumpUtils.js        | 20 +++++++++----------
 3 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/release-IPA-metrics.yml b/.github/workflows/release-IPA-metrics.yml
index a21575f83d..5adb6ecda6 100644
--- a/.github/workflows/release-IPA-metrics.yml
+++ b/.github/workflows/release-IPA-metrics.yml
@@ -40,11 +40,16 @@ jobs:
         working-directory: tools/spectral/ipa/metrics/scripts
         run: node runMetricCollection.js "${{ github.workspace }}/v2.json"
 
+      - name: aws configure
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.IPA_METRIC_COLLECTION_AWS_S3_ROLE_TO_ASSUME_STAGING}}
+          aws-region: ${{ vars.AWS_DEFAULT_REGION}}
+
       - name: Dump Metric Collection Job Data to S3
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.IPA_S3_BUCKET_DW_PROD_USERNAME }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PASSWORD }}
-          S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_PROD_PREFIX }}
+        with:
+          AWS_REGION: ${{ vars.AWS_DEFAULT_REGION}}
+          S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_STAGING_PREFIX}}
         working-directory: tools/spectral/ipa/metrics/scripts
         run: node dataDump.js
 
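Review bot: The new `aws configure` step references `aws-actions/configure-aws-credentials@v4` by a mutable tag, and this is the step that obtains the role session used for the S3 upload. Pinning it to a full commit SHA, `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`, keeps a moved tag from changing what runs with those credentials. Setting `role-session-name` on the same step would also make the uploads attributable in CloudTrail.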
diff --git a/tools/spectral/ipa/metrics/metricS3Upload.js b/tools/spectral/ipa/metrics/metricS3Upload.js
index b3787322c1..07b12cabed 100644
--- a/tools/spectral/ipa/metrics/metricS3Upload.js
+++ b/tools/spectral/ipa/metrics/metricS3Upload.js
@@ -2,7 +2,10 @@ import { PutObjectCommand, S3ServiceException } from '@aws-sdk/client-s3';
 import config from './config.js';
 import path from 'path';
 import fs from 'node:fs';
-import { getS3Client, getS3FilePath } from './utils/dataDumpUtils.js';
+import {
+  getS3FilePath,
+  getS3Client
+} from './utils/dataDumpUtils.js';
 
 /**
  * Upload IPA product metrics to Data Warehouse S3
diff --git a/tools/spectral/ipa/metrics/utils/dataDumpUtils.js b/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
index 23362e9837..d39fb87411 100644
--- a/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
+++ b/tools/spectral/ipa/metrics/utils/dataDumpUtils.js
@@ -10,9 +10,7 @@ function loadS3Config() {
   }
   return {
     aws: {
-      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
-      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
-      region: 'us-east-1',
+      region: process.env.AWS_REGION,
     },
     s3: {
       prefix: process.env.S3_BUCKET_PREFIX,
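Review bot: `region: process.env.AWS_REGION` replaces the hard-coded `'us-east-1'` with no fallback or check, so an unset variable yields `region: undefined` and the failure surfaces later in the SDK rather than in loadS3Config. The block that closes on the first context line looks like an existing environment check, but its start is outside the hunk. If it is one, AWS_REGION belongs in it; otherwise add `if (!process.env.AWS_REGION) throw new Error('AWS_REGION is not set');` before the return. A short comment such as `// Credentials are not read here; the SDK resolves them from its default provider chain.` would explain why the key fields were removed.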
@@ -29,14 +27,14 @@ export function getS3FilePath() {
   return { bucketName, key };
 }
 
+/**
+ * Gets an S3 client configured to use AssumeRole credentials
+ * @returns {S3Client} Configured S3 client
+ */
 export function getS3Client() {
-  const AWSConfig = loadS3Config();
+  const S3Config = loadS3Config();
 
-  return new S3Client({
-    credentials: {
-      accessKeyId: AWSConfig.aws.accessKeyId,
-      secretAccessKey: AWSConfig.aws.secretAccessKey,
-    },
-    region: AWSConfig.aws.region,
-  });
+  // When running in GitHub Actions with aws-actions/configure-aws-credentials,
+  // the SDK will automatically use the credentials from the environment
+  return new S3Client({ region: S3Config.aws.region });
 }
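Review bot: The new JSDoc says the client is "configured to use AssumeRole credentials", but `new S3Client({ region: S3Config.aws.region })` configures no credentials at all and takes whatever the SDK default provider chain finds. Outside the workflow, that means any ambient credentials on the machine (environment variables, shared profile, instance role) are used for the upload without notice. I would reword the docstring to `Gets an S3 client that relies on the AWS SDK default credential provider chain; in CI the session comes from the configure-aws-credentials step`. It should also say that callers running the script elsewhere are responsible for which identity is in scope.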

From 369b7cd187ad576d5eaafeb49e186c1cb8153109 Mon Sep 17 00:00:00 2001
From: Yeliz Henden <yeliz.henden@mongodb.com>
Date: Tue, 18 Mar 2025 16:17:46 +0000
Subject: [PATCH 2/4] prettier fix

---
 tools/spectral/ipa/metrics/metricS3Upload.js | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/tools/spectral/ipa/metrics/metricS3Upload.js b/tools/spectral/ipa/metrics/metricS3Upload.js
index 07b12cabed..54602561e3 100644
--- a/tools/spectral/ipa/metrics/metricS3Upload.js
+++ b/tools/spectral/ipa/metrics/metricS3Upload.js
@@ -2,10 +2,7 @@ import { PutObjectCommand, S3ServiceException } from '@aws-sdk/client-s3';
 import config from './config.js';
 import path from 'path';
 import fs from 'node:fs';
-import {
-  getS3FilePath,
-  getS3Client
-} from './utils/dataDumpUtils.js';
+import { getS3FilePath, getS3Client } from './utils/dataDumpUtils.js';
 
 /**
  * Upload IPA product metrics to Data Warehouse S3

From bcf9ba40e59718224cade7cce4fdd96f421e9e08 Mon Sep 17 00:00:00 2001
From: Yeliz Henden <yeliz.henden@mongodb.com>
Date: Tue, 18 Mar 2025 17:02:35 +0000
Subject: [PATCH 3/4] fix env variables

---
 .github/workflows/release-IPA-metrics.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-IPA-metrics.yml b/.github/workflows/release-IPA-metrics.yml
index 5adb6ecda6..cb631e0c2c 100644
--- a/.github/workflows/release-IPA-metrics.yml
+++ b/.github/workflows/release-IPA-metrics.yml
@@ -47,7 +47,7 @@ jobs:
           aws-region: ${{ vars.AWS_DEFAULT_REGION}}
 
       - name: Dump Metric Collection Job Data to S3
-        with:
+        env:
           AWS_REGION: ${{ vars.AWS_DEFAULT_REGION}}
           S3_BUCKET_PREFIX: ${{ secrets.IPA_S3_BUCKET_DW_STAGING_PREFIX}}
         working-directory: tools/spectral/ipa/metrics/scripts

From 8693fba2287ba9d35a5850e0f5920223374c1c96 Mon Sep 17 00:00:00 2001
From: Yeliz Henden <yeliz.henden@mongodb.com>
Date: Tue, 18 Mar 2025 17:11:17 +0000
Subject: [PATCH 4/4] id token fix

---
 .github/workflows/release-IPA-metrics.yml | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release-IPA-metrics.yml b/.github/workflows/release-IPA-metrics.yml
index cb631e0c2c..565be5ed7d 100644
--- a/.github/workflows/release-IPA-metrics.yml
+++ b/.github/workflows/release-IPA-metrics.yml
@@ -8,6 +8,7 @@ on:
 permissions:
   issues: write
   contents: write
+  id-token: write
 
 jobs:
   # Generates and uploads the IPA validation metrics to S3
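Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can request an OIDC token, not only the one that assumes the AWS role. Least privilege would put it in a job-level `permissions:` block on the job that runs the configure-aws-credentials step. A job-level block replaces the workflow-level one for that job, so it must also list whichever of `issues: write` and `contents: write` that job needs. The role's trust policy is not visible here; it should presumably restrict the token `sub` claim to this repository and ref.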
@@ -53,14 +54,14 @@ jobs:
         working-directory: tools/spectral/ipa/metrics/scripts
         run: node dataDump.js
 
-  failure-handler:
-    name: Failure Handler
-    needs: [ release-IPA-metrics ]
-    if: ${{ failure() }}
-    uses: ./.github/workflows/failure-handler.yml
-    with:
-      env: 'dev'
-      release_name: "IPA Metrics"
-      team_id: ${{ vars.JIRA_TEAM_ID_APIX_1 }}
-    secrets:
-      jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
+#  failure-handler:
+#    name: Failure Handler
+#    needs: [ release-IPA-metrics ]
+#    if: ${{ failure() }}
+#    uses: ./.github/workflows/failure-handler.yml
+#    with:
+#      env: 'dev'
+#      release_name: "IPA Metrics"
+#      team_id: ${{ vars.JIRA_TEAM_ID_APIX_1 }}
+#    secrets:
+#      jira_api_token: ${{ secrets.JIRA_API_TOKEN }}
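Review bot: Commenting out the `failure-handler` job means a failed metrics release no longer triggers the reusable failure-handler workflow that receives the Jira token, so failures of the new credential path would go unreported. The commit message gives no reason for this; if it is only there to keep the PoC quiet, restore the job before merging. If the job really has to stay off, delete the block and track its return in an issue rather than leaving commented-out YAML. A one-line comment such as `# TODO: re-enable failure-handler once the AssumeRole PoC is validated` would at least record the intent.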