ci: drop static AWS keys from athena profile (CORE-687) (#997)

haritamar · web-flow · commit ea58f5331e33 · 2026-04-27T11:28:15.000+03:00
diff --git a/.github/workflows/cleanup-stale-schemas.yml b/.github/workflows/cleanup-stale-schemas.yml
@@ -22,6 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      # Mint an OIDC token to assume the shared elementary-oss AWS role
+      # (used by the athena matrix entry below).
+      id-token: write
     env:
       WAREHOUSE: ${{ matrix.warehouse-type }}
       MAX_AGE_HOURS: ${{ inputs.max-age-hours || '24' }}
@@ -43,6 +46,13 @@ jobs:
             exit 1
           fi
 
+      - name: Configure AWS credentials
+        if: matrix.warehouse-type == 'athena'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: eu-west-1
+
       - name: Checkout dbt package
         uses: actions/checkout@v6
         with:
diff --git a/.github/workflows/test-all-warehouses.yml b/.github/workflows/test-all-warehouses.yml
@@ -138,6 +138,10 @@ jobs:
     needs: [check-fork-status, approve-fork]
     permissions:
       contents: read
+      # Required so the called test-warehouse.yml can mint an OIDC token to
+      # assume the AWS role (only used for the athena matrix entry); per
+      # GitHub, id-token: write must be granted by the calling workflow.
+      id-token: write
     if: |
       ! cancelled() &&
       needs.check-fork-status.result == 'success' &&
diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml
@@ -63,6 +63,8 @@ jobs:
     timeout-minutes: 60
     permissions:
       contents: read
+      # Mint an OIDC token to assume the shared elementary-oss AWS role.
+      id-token: write
     env:
       WAREHOUSE: ${{ inputs.warehouse-type }}
       DBT_VERSION: ${{ inputs.dbt-version }}
@@ -85,6 +87,13 @@ jobs:
           path: dbt-data-reliability
           ref: ${{ inputs.dbt-data-reliability-ref }}
 
+      - name: Configure AWS credentials
+        if: inputs.warehouse-type == 'athena'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: eu-west-1
+
       - name: Start Postgres
         if: inputs.warehouse-type == 'postgres'
         working-directory: ${{ env.TESTS_DIR }}
diff --git a/integration_tests/profiles/profiles.yml.j2 b/integration_tests/profiles/profiles.yml.j2
@@ -177,8 +177,7 @@
       region_name: {{ athena_region | toyaml }}
       database: awsdatacatalog
       schema: {{ schema }}
-      aws_access_key_id: {{ athena_aws_access_key_id | toyaml }}
-      aws_secret_access_key: {{ athena_aws_secret_access_key | toyaml }}
+      work_group: oss_tests
       threads: 4
 {%- endmacro %}
 
