ci: assume shared AWS OIDC role for athena (CORE-687)

haritamar · claude · haritamar · commit 85c146798712 · 2026-04-26T20:23:48.000+03:00
elementary-cli and dbt-data-reliability share a single IAM role
(github-actions-elementary-oss) provisioned in elementary-internal.
This change wires up the dbt-data-reliability side:

- test-warehouse.yml: add id-token: write at job level + a
  configure-aws-credentials step gated on inputs.warehouse-type ==
  'athena'.
- cleanup-stale-schemas.yml: add id-token: write at job level + a
  configure-aws-credentials step gated on matrix.warehouse-type ==
  'athena' (only the athena matrix entry needs AWS).
- test-all-warehouses.yml: grant id-token: write to the test-cloud
  caller job, since it calls test-warehouse.yml as a reusable workflow
  and GitHub requires id-token: write to be granted by the caller.

Pairs with the profile-template change in this same branch
(integration_tests/profiles/profiles.yml.j2: drop static AWS keys,
add work_group: oss_tests). Requires AWS_OIDC_ROLE_ARN to be set as
a repo secret with the role ARN exported by the matching
elementary-internal Terraform PR.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/cleanup-stale-schemas.yml b/.github/workflows/cleanup-stale-schemas.yml
@@ -22,6 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      # Mint an OIDC token to assume the shared elementary-oss AWS role
+      # (used by the athena matrix entry below).
+      id-token: write
     env:
       WAREHOUSE: ${{ matrix.warehouse-type }}
       MAX_AGE_HOURS: ${{ inputs.max-age-hours || '24' }}
@@ -43,6 +46,13 @@ jobs:
             exit 1
           fi
 
+      - name: Configure AWS credentials
+        if: matrix.warehouse-type == 'athena'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: eu-west-1
+
       - name: Checkout dbt package
         uses: actions/checkout@v6
         with:
diff --git a/.github/workflows/test-all-warehouses.yml b/.github/workflows/test-all-warehouses.yml
@@ -138,6 +138,10 @@ jobs:
     needs: [check-fork-status, approve-fork]
     permissions:
       contents: read
+      # Required so the called test-warehouse.yml can mint an OIDC token to
+      # assume the AWS role (only used for the athena matrix entry); per
+      # GitHub, id-token: write must be granted by the calling workflow.
+      id-token: write
     if: |
       ! cancelled() &&
       needs.check-fork-status.result == 'success' &&
diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml
@@ -63,6 +63,8 @@ jobs:
     timeout-minutes: 60
     permissions:
       contents: read
+      # Mint an OIDC token to assume the shared elementary-oss AWS role.
+      id-token: write
     env:
       WAREHOUSE: ${{ inputs.warehouse-type }}
       DBT_VERSION: ${{ inputs.dbt-version }}
@@ -85,6 +87,13 @@ jobs:
           path: dbt-data-reliability
           ref: ${{ inputs.dbt-data-reliability-ref }}
 
+      - name: Configure AWS credentials
+        if: inputs.warehouse-type == 'athena'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: eu-west-1
+
       - name: Start Postgres
         if: inputs.warehouse-type == 'postgres'
         working-directory: ${{ env.TESTS_DIR }}
