From 31ba5704d741b0ac66842cd898d2a58278517073 Mon Sep 17 00:00:00 2001
From: Connor Macqueen <138442814+ConnorTCO@users.noreply.github.com>
Date: Tue, 30 Jan 2024 10:23:59 +0000
Subject: [PATCH] Tmi2 532/run actions as aws role (#97)
* Update imageBuild.yml
* Update promoteToProd.yml
---
 .github/workflows/imageBuild.yml | 10 +++++++---
 .github/workflows/promoteToProd.yml | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/imageBuild.yml b/.github/workflows/imageBuild.yml
index a58d603e..0cf69293 100644
--- a/.github/workflows/imageBuild.yml
+++ b/.github/workflows/imageBuild.yml
@@ -53,6 +53,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+
 # Need to check here as create event can't be filtered by branch name: https://github.com/orgs/community/discussions/54860
 if: github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release')
@@ -73,10 +77,10 @@ jobs:
 cache: maven
 - name: Setup AWS credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v3
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-session-name: gap-apply-applicant-backend
 aws-region: ${{ env.AWS_REGION }}
 - name: Login to AWS ECR
diff --git a/.github/workflows/promoteToProd.yml b/.github/workflows/promoteToProd.yml
index 4be1d8ad..09f443eb 100644
--- a/.github/workflows/promoteToProd.yml
+++ b/.github/workflows/promoteToProd.yml
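Review bot: `role-session-name: gap-apply-applicant-backend` in the Setup AWS credentials step is a fixed string, and promoteToProd.yml uses the identical value, so the STS AssumeRoleWithWebIdentity record and every CloudTrail event made under that session name identify neither the workflow nor the run; something like `role-session-name: gap-apply-applicant-backend-${{ github.run_id }}` (the session name accepts only `[\w+=,.@-]` and at most 64 characters) keeps each session traceable to one run. The new job-level `permissions:` block also replaces the default GITHUB_TOKEN grants for `build` with `contents: read` alone, so any later step of this job that pushes, publishes a package or comments on a pull request will now be denied; the job body continues outside the hunk, so that is worth checking before merge. Because `id-token: write` lets every step in the job, third-party actions included, request an OIDC token, the IAM role's trust policy is what actually bounds the grant — it is not visible here, but it should pin `aud` and restrict `sub` to this repository and the `develop`/`release*` refs that the job's `if:` already allows, rather than a repository-wide wildcard.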
@@ -15,12 +15,16 @@ jobs:
 environment: AWS
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+
 steps:
 - name: Setup AWS credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v3
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-session-name: gap-apply-applicant-backend
 aws-region: ${{ env.AWS_REGION }}
 - name: Login to AWS ECR
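Review bot: `uses: aws-actions/configure-aws-credentials@v3` references a mutable major tag, and this step now mints the credentials for the role used under `environment: AWS`, so whoever can move that tag controls the code that handles them; pinning to the full commit SHA with a trailing version comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v3`, keeps the reference immutable (the same applies to the step in imageBuild.yml). Because this job declares `environment: AWS`, the OIDC token's `sub` claim takes the form `repo:<org>/<repo>:environment:AWS`; the trust policy of the role in `AWS_ROLE_ARN` should match that exact value so a run from another branch or workflow cannot assume it. `AWS_ROLE_ARN` is read through `secrets.`: if it is defined as an environment secret on `AWS` it is reachable only from jobs bound to that environment, which is the right scope here, whereas a repository-level secret of the same name would also be usable by the build workflow — worth confirming where it is defined.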