.github/workflows/aws-auth.yml

name: Configure AWS Credentials

on:
  workflow_call:
    inputs:
      aws-region:
        type: string
        required: true
      environment-name:
        type: string
    secrets:
      role-to-assume:
        required: true
      gpg-passphrase:
        required: true
    outputs:
      aws-access-key-id:
        value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }}
      aws-secret-access-key:
        value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }}
      aws-session-token:
        value: ${{ jobs.oidc-auth.outputs.aws-session-token }}

permissions:
  contents: read
  id-token: write

jobs:
  oidc-auth:
    name: OIDC Auth
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment-name }}
    permissions:
      contents: read
      id-token: write
    outputs:
      aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }}
      aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
      aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            sts.us-west-2.amazonaws.com:443
      - id: auth
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          aws-region: us-west-2
          role-to-assume: "${{ secrets.role-to-assume }}"
      - name: Encrypt aws-access-key-id
        id: encrypt-aws-access-key-id
        run: |
          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0)
          echo "out=$encrypted" >> $GITHUB_OUTPUT
        env:
          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
      - name: Encrypt aws-secret-access-key
        id: encrypt-aws-secret-access-key
        run: |
          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0)
          echo "out=$encrypted" >> $GITHUB_OUTPUT
        env:
          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
      - name: Encrypt aws-session-token
        id: encrypt-aws-session-token
        run: |
          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0)
          echo "out=$encrypted" >> $GITHUB_OUTPUT
        env:
          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}