test generating creds via AWS_ROLE_ARN in CI

rapidsai · Sep 17, 2024 · 03a0e82 · 03a0e82
1 parent 5723d66
commit 03a0e82
Show file tree

Hide file tree

Showing 6 changed files with 186 additions and 0 deletions.
diff --git a/.github/actions/build-and-test-feature/action.yml b/.github/actions/build-and-test-feature/action.yml
@@ -6,6 +6,7 @@ inputs:
   args: {type: string, required: true}
   gh_token: {type: string, defaut: '', required: false}
   vault_host: {type: string, defaut: '', required: false}
+  aws_role_arn: {type: string, defaut: '', required: false}
   rw_sccache_bucket: {type: string, defaut: '', required: false}
   rw_sccache_region: {type: string, defaut: '', required: false}
 
@@ -30,5 +31,6 @@ runs:
         VAULT_S3_TTL: "900" # 15 minutes
         gh_token: "${{ inputs.gh_token }}"
         vault_host: "${{ inputs.vault_host }}"
+        aws_role_arn: "${{ inputs.aws_role_arn }}"
         rw_sccache_bucket: "${{ inputs.rw_sccache_bucket }}"
         rw_sccache_region: "${{ inputs.rw_sccache_region }}"
diff --git a/.github/workflows/build-and-test-feature.yml b/.github/workflows/build-and-test-feature.yml
@@ -38,5 +38,6 @@ jobs:
           args: "${{ inputs.args }}"
           gh_token: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN }}"
           vault_host: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'https://vault.ops.k8s.rapids.ai' || '' }}"
+          aws_role_arn: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'arn:aws:iam::279114543810:role/nv-gha-token-sccache-devs' || '' }}"
           rw_sccache_bucket: "${{ secrets.GIST_REPO_READ_ORG_GITHUB_TOKEN && 'rapids-sccache-devs' || '' }}"
           rw_sccache_region: "${{ vars.AWS_REGION }}"
diff --git a/features/test/utils/scenarios.json b/features/test/utils/scenarios.json
@@ -5,6 +5,7 @@
     "containerEnv": {
       "gh_token": "${localEnv:gh_token}",
       "vault_host": "${localEnv:vault_host}",
+      "aws_role_arn": "${localEnv:aws_role_arn}",
       "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}",
       "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}",
       "rw_sccache_region": "${localEnv:rw_sccache_region}"
@@ -49,6 +50,7 @@
     "containerEnv": {
       "gh_token": "${localEnv:gh_token}",
       "vault_host": "${localEnv:vault_host}",
+      "aws_role_arn": "${localEnv:aws_role_arn}",
       "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}",
       "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}",
       "rw_sccache_region": "${localEnv:rw_sccache_region}"
@@ -93,6 +95,7 @@
     "containerEnv": {
       "gh_token": "${localEnv:gh_token}",
       "vault_host": "${localEnv:vault_host}",
+      "aws_role_arn": "${localEnv:aws_role_arn}",
       "VAULT_S3_TTL": "${localEnv:VAULT_S3_TTL}",
       "rw_sccache_bucket": "${localEnv:rw_sccache_bucket}",
       "rw_sccache_region": "${localEnv:rw_sccache_region}"

diff --git a/features/test/utils/ubuntu18.04.sh b/features/test/utils/ubuntu18.04.sh
@@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils
 reset_state() {
     export GH_TOKEN=;
     export VAULT_HOST=;
+    export AWS_ROLE_ARN=;
     export SCCACHE_BUCKET=;
     export SCCACHE_REGION=;
     export AWS_ACCESS_KEY_ID=;
@@ -32,6 +33,7 @@ reset_state() {
 
     export -n GH_TOKEN;
     export -n VAULT_HOST;
+    export -n AWS_ROLE_ARN;
     export -n SCCACHE_BUCKET;
     export -n SCCACHE_REGION;
     export -n AWS_ACCESS_KEY_ID;
@@ -40,6 +42,7 @@ reset_state() {
 
     unset GH_TOKEN;
     unset VAULT_HOST;
+    unset AWS_ROLE_ARN;
     unset SCCACHE_BUCKET;
     unset SCCACHE_REGION;
     unset AWS_ACCESS_KEY_ID;
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \
     check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials;
 fi
 
+if test -n "${gh_token:-}" \
+&& test -n "${aws_role_arn:-}" \
+&& test -n "${rw_sccache_bucket:-}"; then
+
+    no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() {
+        reset_state;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials;
+
+    existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() {
+        mv ~/.aws /tmp/;
+        reset_state;
+        cp -ar /tmp/.aws ~/;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials;
+
+    should_use_provided_AWS_envvar_credentials() {
+        reset_state;
+        export SCCACHE_BUCKET="${rw_sccache_bucket}";
+        export SCCACHE_REGION="${rw_sccache_region}";
+        export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)";
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "should use provided AWS envvar credentials" should_use_provided_AWS_envvar_credentials;
+
+    bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() {
+        reset_state;
+        write_bad_creds;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials;
+fi
+
 # Report result
 # If any of the checks above exited with a non-zero exit code, the test will fail.
 reportResults
diff --git a/features/test/utils/ubuntu20.04.sh b/features/test/utils/ubuntu20.04.sh
@@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils
 reset_state() {
     export GH_TOKEN=;
     export VAULT_HOST=;
+    export AWS_ROLE_ARN=;
     export SCCACHE_BUCKET=;
     export SCCACHE_REGION=;
     export AWS_ACCESS_KEY_ID=;
@@ -32,6 +33,7 @@ reset_state() {
 
     export -n GH_TOKEN;
     export -n VAULT_HOST;
+    export -n AWS_ROLE_ARN;
     export -n SCCACHE_BUCKET;
     export -n SCCACHE_REGION;
     export -n AWS_ACCESS_KEY_ID;
@@ -40,6 +42,7 @@ reset_state() {
 
     unset GH_TOKEN;
     unset VAULT_HOST;
+    unset AWS_ROLE_ARN;
     unset SCCACHE_BUCKET;
     unset SCCACHE_REGION;
     unset AWS_ACCESS_KEY_ID;
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \
     check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials;
 fi
 
+if test -n "${gh_token:-}" \
+&& test -n "${aws_role_arn:-}" \
+&& test -n "${rw_sccache_bucket:-}"; then
+
+    no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() {
+        reset_state;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials;
+
+    existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() {
+        mv ~/.aws /tmp/;
+        reset_state;
+        cp -ar /tmp/.aws ~/;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials;
+
+    should_use_provided_AWS_envvar_credentials() {
+        reset_state;
+        export SCCACHE_BUCKET="${rw_sccache_bucket}";
+        export SCCACHE_REGION="${rw_sccache_region}";
+        export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)";
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "should use provided AWS envvar credentials" should_use_provided_AWS_envvar_credentials;
+
+    bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() {
+        reset_state;
+        write_bad_creds;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials;
+fi
+
 # Report result
 # If any of the checks above exited with a non-zero exit code, the test will fail.
 reportResults
diff --git a/features/test/utils/ubuntu22.04.sh b/features/test/utils/ubuntu22.04.sh
@@ -24,6 +24,7 @@ utils_profile_script="$(find /etc/profile.d/ -type f -name '*-devcontainer-utils
 reset_state() {
     export GH_TOKEN=;
     export VAULT_HOST=;
+    export AWS_ROLE_ARN=;
     export SCCACHE_BUCKET=;
     export SCCACHE_REGION=;
     export AWS_ACCESS_KEY_ID=;
@@ -32,6 +33,7 @@ reset_state() {
 
     export -n GH_TOKEN;
     export -n VAULT_HOST;
+    export -n AWS_ROLE_ARN;
     export -n SCCACHE_BUCKET;
     export -n SCCACHE_REGION;
     export -n AWS_ACCESS_KEY_ID;
@@ -40,6 +42,7 @@ reset_state() {
 
     unset GH_TOKEN;
     unset VAULT_HOST;
+    unset AWS_ROLE_ARN;
     unset SCCACHE_BUCKET;
     unset SCCACHE_REGION;
     unset AWS_ACCESS_KEY_ID;
@@ -183,6 +186,63 @@ if test -n "${gh_token:-}" \
     check "bad stored creds with GH_TOKEN, VAULT_HOST, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_VAULT_HOST_and_SCCACHE_BUCKET_should_regenerate_credentials;
 fi
 
+if test -n "${gh_token:-}" \
+&& test -n "${aws_role_arn:-}" \
+&& test -n "${rw_sccache_bucket:-}"; then
+
+    no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials() {
+        reset_state;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "no creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should generate credentials" no_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_generate_credentials;
+
+    existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials() {
+        mv ~/.aws /tmp/;
+        reset_state;
+        cp -ar /tmp/.aws ~/;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "existing creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should reuse credentials" existing_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_reuse_credentials;
+
+    should_use_provided_AWS_envvar_credentials() {
+        reset_state;
+        export SCCACHE_BUCKET="${rw_sccache_bucket}";
+        export SCCACHE_REGION="${rw_sccache_region}";
+        export AWS_ACCESS_KEY_ID="$(sed -n 's/aws_access_key_id=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SESSION_TOKEN="$(sed -n 's/aws_session_token=//p' /tmp/.aws/credentials 2>/dev/null)";
+        export AWS_SECRET_ACCESS_KEY="$(sed -n 's/aws_secret_access_key=//p' /tmp/.aws/credentials 2>/dev/null)";
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "should use provided AWS envvar credentials" should_use_provided_AWS_envvar_credentials;
+
+    bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials() {
+        reset_state;
+        write_bad_creds;
+        GH_TOKEN="${gh_token}" \
+        AWS_ROLE_ARN="${aws_role_arn}" \
+        SCCACHE_BUCKET="${rw_sccache_bucket}" \
+        SCCACHE_REGION="${rw_sccache_region}" \
+        devcontainer-utils-post-attach-command;
+        expect_s3_cache_is_used;
+    }
+
+    check "bad stored creds with GH_TOKEN, AWS_ROLE_ARN, and SCCACHE_BUCKET should regenerate credentials" bad_stored_creds_with_GH_TOKEN_AWS_ROLE_ARN_and_SCCACHE_BUCKET_should_regenerate_credentials;
+fi
+
 # Report result
 # If any of the checks above exited with a non-zero exit code, the test will fail.
 reportResults