pathogen-repo-build: create AWS IAM inline session policy

Adds a repo AWS IAM policy JSON template that is expected to be interpolated with environment variables: - FULL_REPO_NAME - REPO_NAME - PREFIX This is used in the pathogen-repo-build workflow to dynamically create repo specific inline session policy for the runtime AWS session, which will be added in the following commit. The policy template is modified from nextstrain/infra@b1ceb76
nextstrain · May 10, 2024 · 67c358d · 67c358d
1 parent 53cced0
commit 67c358d
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 1 deletion.
diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml
@@ -255,6 +255,15 @@ jobs:
 
           echo "$secrets" | jq 'del(.github_token)' | "$NEXTSTRAIN_GITHUB_DIR"/bin/json-to-envvars | tee -a "$GITHUB_ENV"
 
+      - name: Create runtime AWS IAM inline session policy
+        env:
+          FULL_REPO_NAME: ${{ inputs.repo }}
+        run: |
+          export REPO_NAME="${FULL_REPO_NAME#*/}"
+          export PREFIX="${REPO_NAME}_"
+
+          aws_inline_session_policy=$("$NEXTSTRAIN_GITHUB_DIR"/bin/interpolate-env < "$NEXTSTRAIN_GITHUB_DIR"/text-templates/repo-aws-iam-policy.json | jq -c .)
+          echo "AWS_INLINE_SESSION_POLICY=$aws_inline_session_policy" | tee -a $GITHUB_ENV
       - if: inputs.runtime == 'aws-batch'
         uses: aws-actions/configure-aws-credentials@v4
         with:

diff --git a/.github/workflows/pathogen-repo-build.yaml.in b/.github/workflows/pathogen-repo-build.yaml.in
@@ -218,6 +218,16 @@ jobs:
           | "$NEXTSTRAIN_GITHUB_DIR"/bin/json-to-envvars
           | tee -a "$GITHUB_ENV"
 
+      - name: Create runtime AWS IAM inline session policy
+        env:
+          FULL_REPO_NAME: ${{ inputs.repo }}
+        run: |
+          export REPO_NAME="${FULL_REPO_NAME#*/}"
+          export PREFIX="${REPO_NAME}_"
+
+          aws_inline_session_policy=$("$NEXTSTRAIN_GITHUB_DIR"/bin/interpolate-env < "$NEXTSTRAIN_GITHUB_DIR"/text-templates/repo-aws-iam-policy.json | jq -c .)
+          echo "AWS_INLINE_SESSION_POLICY=$aws_inline_session_policy" | tee -a $GITHUB_ENV
+
       - &setup-aws-batch-credentials
         if: inputs.runtime == 'aws-batch'
         uses: aws-actions/configure-aws-credentials@v4

diff --git a/README.md b/README.md
@@ -111,9 +111,10 @@ Executable scripts that are used in our workflows.
 
 ## Workflow text templates
 
-Text templates for messages and summaries in our workflows.
+Text templates our workflows.
 
 - [attach-aws-batch](text-templates/attach-aws-batch.md)
+- [repo-aws-iam-policy](text-templates/repo-aws-iam-policy.json)
 
 
 ## Development tools for this repo itself

diff --git a/text-templates/repo-aws-iam-policy.json b/text-templates/repo-aws-iam-policy.json
@@ -0,0 +1,50 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListPublicData",
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::nextstrain-data",
+                "arn:aws:s3:::nextstrain-staging"
+            ],
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                    "token.actions.githubusercontent.com:sub": "repo:${FULL_REPO_NAME}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*",
+                    "s3:prefix": [
+                        "files/workflows/${REPO_NAME}/*",
+                        "files/datasets/${REPO_NAME}/*",
+                        "${PREFIX}*.json"
+                    ]
+                }
+            }
+        },
+        {
+            "Sid": "ReadWritePublicData",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:PutObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::nextstrain-data/files/workflows/${REPO_NAME}/*",
+                "arn:aws:s3:::nextstrain-data/files/datasets/${REPO_NAME}/*",
+                "arn:aws:s3:::nextstrain-data/${PREFIX}*.json",
+                "arn:aws:s3:::nextstrain-staging/files/workflows/${REPO_NAME}/*",
+                "arn:aws:s3:::nextstrain-staging/files/datasets/${REPO_NAME}/*",
+                "arn:aws:s3:::nextstrain-staging/${PREFIX}*.json",
+                "arn:aws:s3:::nextstrain-staging/trial_*_${PREFIX}*.json"
+            ],
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                    "token.actions.githubusercontent.com:sub": "repo:${FULL_REPO_NAME}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
+                }
+            }
+        }
+    ]
+}