From e3582a8204fac7a9c5add5be097d98658e0d1096 Mon Sep 17 00:00:00 2001
From: Willem Basson
Date: Sun, 23 Apr 2023 11:35:44 +0200
Subject: [PATCH] Assume role instead of using IAM keys directly

---
 .github/workflows/aws_ecr.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/aws_ecr.yml b/.github/workflows/aws_ecr.yml
index 6f959fe36c..bc3ee9900f 100644
--- a/.github/workflows/aws_ecr.yml
+++ b/.github/workflows/aws_ecr.yml
@@ -30,6 +30,8 @@ concurrency:
 jobs:
   build:
     name: Build image and push to ECR
+    permissions:
+      id-token: write # This is required for requesting the JWT
     runs-on: ubuntu-latest
     outputs:
@@ -85,9 +87,9 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: af-south-1
+          role-to-assume: arn:aws:iam::402177810328:role/cicd
+          role-session-name: github-cicd
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
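Review bot: Declaring `permissions:` on the build job resets every scope that is not listed to `none`, so the new `id-token: write` block silently drops the default `contents: read` for this job. If the job checks out the repository (its steps are outside this hunk) that checkout will now fail with a 403, and the block should read `permissions:` / `id-token: write` / `contents: read`; any other scope the job relied on (for example `packages: write`) needs to be restated the same way. The inline comment would be more useful if it named what the token is for, e.g. `# required so the job can request an OIDC token to assume the AWS role`.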
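Review bot: With `role-to-assume: arn:aws:iam::402177810328:role/cicd` the job's entire AWS access now rests on the `cicd` role's trust policy, which this change does not show; unless that policy conditions `token.actions.githubusercontent.com:aud` to `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` to this repository (ideally also a branch or environment), any GitHub workflow anywhere can assume the role, so please confirm that on the AWS side. The fixed `role-session-name: github-cicd` gives CloudTrail no way to tell runs apart; `role-session-name: github-cicd-${{ github.run_id }}` would let an STS session be traced back to a specific workflow run. The long-lived key pair removed here should be deactivated and deleted in IAM and the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets removed from the repository, otherwise the exposure this commit is meant to close persists. Since the job now depends entirely on this action's OIDC exchange, pinning `aws-actions/configure-aws-credentials` to a commit SHA instead of the mutable `@v2` tag is also worth considering.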