From 4bd7c4d66bccd3f4d6c326c5ab1e75a6f83f4388 Mon Sep 17 00:00:00 2001
From: PPawlowski
Date: Tue, 21 Oct 2025 22:43:51 +0200
Subject: [PATCH 1/2] Use OIDC in `Deploy container image to kubernetes cluster` when authenticating to AWS
---
 .github/workflows/deploy_container_image.yml | 35 +++++++++++++-------
 1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/deploy_container_image.yml b/.github/workflows/deploy_container_image.yml
index eb289ac..171b596 100644
--- a/.github/workflows/deploy_container_image.yml
+++ b/.github/workflows/deploy_container_image.yml
@@ -3,6 +3,19 @@ name: Deploy container image to kubernetes cluster
 on:
 workflow_call:
 inputs:
+ aws_ecr_iam_role_name:
 description: 'IAM role name for ECR push'
 type: string
 required: false
 aws_eks_iam_role_name:
 description: 'IAM role name for EKS access'
 type: string
 required: false
 aws_region:
 description: 'AWS region'
 type: string
 required: false
 default: 'eu-west-1'
 deploy:
 description: 'Deploy to kubernetes cluster'
 type: boolean
@@ -38,11 +51,8 @@ on:
 required: false
 default: 'v1.23.4'
 secrets:
- aws_access_key_id:
- description: 'AWS access key ID'
- required: true
- aws_secret_access_key:
- description: 'AWS secret access key'
+ aws_account_id:
+ description: 'AWS account ID'
 required: true
 temporary_registry_token:
 description: 'GitHub token'
@@ -62,6 +72,7 @@ jobs:
 permissions:
 packages: read
 contents: read
+ id-token: write
 outputs:
 image: ${{ steps.set_outputs.outputs.image }}
 steps: 
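Review bot: `aws_ecr_iam_role_name` and `aws_eks_iam_role_name` are declared `required: false` with no `default`, yet both are interpolated straight into `role-to-assume` ARNs later in this patch, so a caller that omits either one yields `role/` with an empty role name and the credentials step fails with an STS error instead of a clear input-validation message. The access-key secrets these inputs replace were `required: true`; keeping that contract with `required: true` on both inputs surfaces the omission at workflow-call time. If they are genuinely meant to be optional, give each a `default` the way `aws_region` has one.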
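Review bot: `id-token: write` is added to a job inside a `workflow_call` workflow, where job permissions are capped by what the calling workflow grants, so callers that do not also set `permissions: id-token: write` on the invoking job will have the OIDC token request fail with a permissions error that points at the wrong file. A one-line comment beside the permission, e.g. `# OIDC: the calling job must also grant id-token: write`, and a matching line in the workflow's usage docs would save that debugging round. If the deploy-side `configure-aws-credentials` step at @@ -105 lives in a different job from this one, that job needs the same permission; the job boundary is not visible in this hunk.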
@@ -74,9 +85,10 @@ jobs:
 id: aws-config
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
 with:
- aws-access-key-id: ${{ secrets.aws_access_key_id }}
- aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
- aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ inputs.aws_ecr_iam_role_name }}
+ role-duration-seconds: 900
+ role-session-name: GithubActionsRoleSession
+ aws-region: ${{ inputs.aws_region }}
 mask-aws-account-id: true
 - name: Login to AWS ECR
@@ -105,11 +117,10 @@ jobs:
 if: ${{fromJson( inputs.deploy )}}
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
 with:
- aws-access-key-id: ${{ secrets.aws_access_key_id }}
- aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
- aws-region: eu-west-1
 role-to-assume: arn:aws:iam::${{ steps.aws-config.outputs.aws-account-id }}:role/K8sAdmin
- role-duration-seconds: 1200
+ role-duration-seconds: 900
+ role-session-name: GithubActionsRoleSession
+ aws-region: ${{ inputs.aws_region }}
 - name: Setup kubectl
 if: ${{fromJson( inputs.deploy )}}
From 51d1cbe67a2515178a2fce1d8764cd29bbfd45ed Mon Sep 17 00:00:00 2001
From: PPawlowski
Date: Wed, 22 Oct 2025 12:09:30 +0200
Subject: [PATCH 2/2] Update EKS deploy iam tole reference
---
 .github/workflows/deploy_container_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy_container_image.yml b/.github/workflows/deploy_container_image.yml
index 171b596..596bcd9 100644
--- a/.github/workflows/deploy_container_image.yml
+++ b/.github/workflows/deploy_container_image.yml 
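Review bot: `role-session-name: GithubActionsRoleSession` is a fixed literal, so every assumption of this role — from whichever repositories, branches or runs the role's trust policy admits — appears in CloudTrail under an identical session name, and the same literal is repeated in the hunk at @@ -105 and in the patch-2 hunk. Embedding the run identity, e.g. `role-session-name: gha-${{ github.run_id }}`, keeps each session attributable to one workflow run; session names are limited to 64 characters of `[\w+=,.@-]`, which a numeric run id satisfies. The `role-to-assume` value is assembled from a `workflow_call` string input, which is fine here because it lands in a `with:` key rather than a shell line.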
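Review bot: The deploy-side `configure-aws-credentials` step in the hunk at @@ -105 drops the static keys but does not set `mask-aws-account-id: true`, whereas the ECR step above does; unless this action version masks by default, the account ID resolved during the step can be echoed into the job log, which undercuts the point of moving it into `secrets.aws_account_id`. Adding `mask-aws-account-id: true` under this step's `with:` keeps the two steps consistent (the patch-2 hunk edits the same step and inherits the omission). Lowering `role-duration-seconds` to the 900-second minimum is a sensible tightening, but it is worth confirming the kubectl steps that follow finish within that window, since nothing in the hunk refreshes credentials.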
@@ -117,7 +117,7 @@ jobs:
 if: ${{fromJson( inputs.deploy )}}
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
 with:
- role-to-assume: arn:aws:iam::${{ steps.aws-config.outputs.aws-account-id }}:role/K8sAdmin
+ role-to-assume: arn:aws:iam::${{ steps.aws-config.outputs.aws-account-id }}:role/${{ inputs.aws_eks_iam_role_name }}
 role-duration-seconds: 900
 role-session-name: GithubActionsRoleSession
 aws-region: ${{ inputs.aws_region }}