
Use separate GHA roles per stage

Open danieljamesscott opened this issue 2 years ago • 3 comments

I would like to use a slightly different authentication pattern where each stage uses its own GHA role. The current configuration appears to only support a single role for the whole pipeline, which is then used to assume the CDK role for upload/deployment.

Would it be possible to modify the stage configuration pipeline.addStageWithGitHubOptions() to support a separate role per stage? Would you be open to accepting a PR which does this?

Background:

The reason for this request is that with a single role, it seems like we would need to either:

  1. Have one stage account designated as the 'pipeline' account, which contains the GHA role, and then have the other accounts set up with cdk bootstrap to trust it. OR
  2. Have a completely separate pipeline account to contain the GHA role which is trusted by the stage accounts.

The above change, to support a role per stage, would make the configuration closer to the cdk pattern, where we 'bootstrap' the accounts first, to create the roles, with no need for an additional account, or mixing 'pipeline' and 'stage' accounts.

danieljamesscott avatar Aug 16 '22 08:08 danieljamesscott
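One way to express the per-stage role pattern the request describes, as an added TypeScript example that is not cdk-pipelines-github's own code: each stage account holds its own GitHub OIDC role, its trust policy admits only the repository's GitHub environment that matches that stage, and its permissions are limited to assuming that account's CDK bootstrap roles. The account ids, repository and environment names are constructed placeholders, and the default bootstrap qualifier `hnb659fds` is assumed.

```typescript
// Added example (not cdk-pipelines-github code): per-stage GitHub Actions OIDC role
// policies. Account ids, repo and environment names are constructed placeholders.

type Condition = Record<string, Record<string, string | string[]>>;
interface Statement {
  Effect: 'Allow';
  Principal?: { Federated: string };
  Action: string | string[];
  Resource?: string;
  Condition?: Condition;
}
interface PolicyDocument { Version: '2012-10-17'; Statement: Statement[] }

const OIDC_AUDIENCE = 'sts.amazonaws.com';

/** Trust policy for the GHA role in one stage account: only a job in the repo's
 *  GitHub environment named after the stage may assume it (aud and sub both pinned). */
export function trustPolicyForStage(accountId: string, repo: string, environment: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/token.actions.githubusercontent.com` },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: {
          'token.actions.githubusercontent.com:aud': OIDC_AUDIENCE,
          'token.actions.githubusercontent.com:sub': `repo:${repo}:environment:${environment}`,
        },
      },
    }],
  };
}

/** Permissions policy: the stage role may only assume the CDK bootstrap roles of its own
 *  account (assumed default qualifier hnb659fds), which is all the deploy step needs. */
export function bootstrapAssumePolicy(accountId: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: `arn:aws:iam::${accountId}:role/cdk-hnb659fds-*-role-${accountId}-*` }],
  };
}

/** Evaluate the StringEquals conditions of a trust policy against a token's aud/sub claims. */
export function subjectAllowed(policy: PolicyDocument, claims: { aud: string; sub: string }): boolean {
  return policy.Statement.some((s) => {
    const eq = s.Condition?.StringEquals ?? {};
    return Object.entries(eq).every(([key, want]) => {
      const claim = key.endsWith(':aud') ? claims.aud : key.endsWith(':sub') ? claims.sub : '';
      return ([] as string[]).concat(want).includes(claim);
    });
  });
}
```

With one such role per stage account, a token minted for the `dev` environment cannot assume the `prod` account's role, so no account needs to trust a role living in another account.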

I like that idea! The concept of 'pipeline' account doesn't make much sense in the world of GitHub Actions and OIDC. Actually... the GitHub Actions is the pipeline account 😄

nikovirtala avatar Aug 16 '22 09:08 nikovirtala

@kaizencc , would you consider a PR to implement the above?

danieljamesscott avatar Aug 18 '22 07:08 danieljamesscott

For reference: https://github.com/cdklabs/cdk-pipelines-github/pull/307#discussion_r957808424

kaizencc avatar Aug 29 '22 21:08 kaizencc