Commit 57c3bb0

flochaz and saragerion authored
Update CONTRIBUTING.md
Co-authored-by: Sara Gerion <[email protected]>
1 parent ee00ffc commit 57c3bb0

1 file changed: +13 -1 lines changed

Diff for: CONTRIBUTING.md

@@ -129,7 +129,19 @@ Example: `DISABLE_TEARDOWN=true AWS_PROFILE=ara npx jest --group=integ/other/exa
129129

130130
You can run the end-to-end tests automatically on your forked project by following these steps:
131131
1. Create an IAM role in your AWS account
132-
As mention earlier we are leveraging CDK to deploy and clean resources on AWS. Therefore to run those tests through github actions you will need to grant specific permissions to your workflow. To do so you can leverage [@pahud/cdk-github-oidc](https://constructs.dev/packages/@pahud/cdk-github-oidc) construct which setup the right resources to leverage [Github OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/) mechanism.
132+
As mentioned above in this page, we are leveraging CDK to deploy and consequently clean-up resources on AWS. Therefore to run those tests through Github actions you will need to grant specific permissions to your workflow.
133+
134+
We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for the AWS credentials used in GitHub Actions workflows, including:
135+
* Do not store credentials in your repository's code.
136+
* [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows.
137+
* [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log) of the credentials used in GitHub Actions workflows.
138+
139+
For an example of how to create a role in CDK, you can look at [@pahud/cdk-github-oidc](https://constructs.dev/packages/@pahud/cdk-github-oidc) construct.
140+
141+
More information about:
142+
143+
- [Github OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/
144+
- ["Configure AWS Credentials" Action For GitHub Actions](https://github.com/aws-actions/configure-aws-credentials/)
133145
1. Add your new role into your Github fork secrets under `AWS_ROLE_ARN_TO_ASSUME`.
134146
1. Run manually `run-e2e-tests` workflow.
135147
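
Review bot: The "Github OpenID Connect" link on added line 143 is missing its closing parenthesis, so the Markdown link will not render; add the `)` at the end of that line. The rewritten line 132 also drops the earlier statement that the construct sets up the GitHub OpenID Connect mechanism, and OIDC now appears only under "More information about:". Consider saying next to the construct reference on line 139 that the role is assumed through OIDC, so the "Do not store credentials" bullet has a concrete alternative attached to it. The least-privilege bullet on line 136 gives a contributor nothing specific to scope the role to; listing or linking the permissions the end-to-end tests need would make it actionable. Minor: the added lines mix "Github" and "GitHub"; use "GitHub" throughout.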
