From ccc74c08992b2018f22e1dc5b2990c6c3b0ebe35 Mon Sep 17 00:00:00 2001
From: Itamar Hartstein
Date: Sun, 26 Apr 2026 20:01:02 +0300
Subject: [PATCH 1/2] ci: drop static AWS keys from athena profile, use workgroup (CORE-687)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The integration_tests dbt-athena profile is rendered with static aws_access_key_id / aws_secret_access_key sourced from CI_WAREHOUSE_SECRETS. Drop those — boto3 picks up the role credentials exported by aws-actions/configure-aws-credentials in the calling workflow (cleanup-stale-schemas.yml in elementary-cli) — and pin the profile to the dedicated oss_tests Athena workgroup so query result output and encryption are workgroup-enforced. Mirrors the matching change in elementary-cli/tests/profiles/profiles.yml.j2.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 integration_tests/profiles/profiles.yml.j2 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/integration_tests/profiles/profiles.yml.j2 b/integration_tests/profiles/profiles.yml.j2
index aa16ba97e..a081ebf8b 100644
--- a/integration_tests/profiles/profiles.yml.j2
+++ b/integration_tests/profiles/profiles.yml.j2
@@ -177,8 +177,7 @@
 region_name: {{ athena_region | toyaml }}
 database: awsdatacatalog
 schema: {{ schema }}
- aws_access_key_id: {{ athena_aws_access_key_id | toyaml }}
- aws_secret_access_key: {{ athena_aws_secret_access_key | toyaml }}
+ work_group: oss_tests
 threads: 4
 {%- endmacro %}

From 85c14679871222fbcd813c7dc91bc9f5782e63a8 Mon Sep 17 00:00:00 2001
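Review bot: Deleting the two `aws_access_key_id` / `aws_secret_access_key` lines stops the template from rendering the static credentials, but the IAM user keys behind `athena_aws_access_key_id` and `athena_aws_secret_access_key` in CI_WAREHOUSE_SECRETS stay valid until they are removed from that secret bundle and deactivated or rotated in IAM, so that follow-up belongs to CORE-687 as well. The profile now picks up credentials implicitly from the process environment, which is invisible to the next reader of this macro; a template comment above `work_group`, such as `{# No static keys: dbt-athena uses the ambient AWS session (OIDC role assumed by configure-aws-credentials in CI) #}`, would record that. `work_group: oss_tests` only makes result location and encryption workgroup-enforced if the workgroup has "override client-side settings" enabled; otherwise a client-supplied `s3_staging_dir` would still apply, so it is worth confirming that setting on the Terraform side. The enclosing macro starts before this hunk.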
From: Itamar Hartstein
Date: Sun, 26 Apr 2026 20:23:48 +0300
Subject: [PATCH 2/2] ci: assume shared AWS OIDC role for athena (CORE-687)

elementary-cli and dbt-data-reliability share a single IAM role (github-actions-elementary-oss) provisioned in elementary-internal. This change wires up the dbt-data-reliability side:

- test-warehouse.yml: add id-token: write at job level + a configure-aws-credentials step gated on inputs.warehouse-type == 'athena'.
- cleanup-stale-schemas.yml: add id-token: write at job level + a configure-aws-credentials step gated on matrix.warehouse-type == 'athena' (only the athena matrix entry needs AWS).
- test-all-warehouses.yml: grant id-token: write to the test-cloud caller job, since it calls test-warehouse.yml as a reusable workflow and GitHub requires id-token: write to be granted by the caller.

Pairs with the profile-template change in this same branch (integration_tests/profiles/profiles.yml.j2: drop static AWS keys, add work_group: oss_tests).

Requires AWS_OIDC_ROLE_ARN to be set as a repo secret with the role ARN exported by the matching elementary-internal Terraform PR.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/cleanup-stale-schemas.yml | 10 ++++++++++
 .github/workflows/test-all-warehouses.yml | 4 ++++
 .github/workflows/test-warehouse.yml | 9 +++++++++
 3 files changed, 23 insertions(+)

diff --git a/.github/workflows/cleanup-stale-schemas.yml b/.github/workflows/cleanup-stale-schemas.yml
index 899ffa58c..0c2bfcc12 100644
--- a/.github/workflows/cleanup-stale-schemas.yml
+++ b/.github/workflows/cleanup-stale-schemas.yml
@@ -22,6 +22,9 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ # Mint an OIDC token to assume the shared elementary-oss AWS role
+ # (used by the athena matrix entry below).
+ id-token: write
 env:
 WAREHOUSE: ${{ matrix.warehouse-type }}
 MAX_AGE_HOURS: ${{ inputs.max-age-hours || '24' }}
@@ -43,6 +46,13 @@ jobs:
 exit 1
 fi
+ - name: Configure AWS credentials
+ if: matrix.warehouse-type == 'athena'
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+ aws-region: eu-west-1
+
 - name: Checkout dbt package
 uses: actions/checkout@v6
 with:
diff --git a/.github/workflows/test-all-warehouses.yml b/.github/workflows/test-all-warehouses.yml
index 830438409..13d2da146 100644
--- a/.github/workflows/test-all-warehouses.yml
+++ b/.github/workflows/test-all-warehouses.yml
@@ -138,6 +138,10 @@ jobs:
 needs: [check-fork-status, approve-fork]
 permissions:
 contents: read
+ # Required so the called test-warehouse.yml can mint an OIDC token to
+ # assume the AWS role (only used for the athena matrix entry); per
+ # GitHub, id-token: write must be granted by the calling workflow.
+ id-token: write
 if: |
 ! cancelled() &&
 needs.check-fork-status.result == 'success' &&
diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml
index 2ddbc7123..891db7e09 100644
--- a/.github/workflows/test-warehouse.yml
+++ b/.github/workflows/test-warehouse.yml
@@ -63,6 +63,8 @@ jobs:
 timeout-minutes: 60
 permissions:
 contents: read
+ # Mint an OIDC token to assume the shared elementary-oss AWS role.
+ id-token: write
 env:
 WAREHOUSE: ${{ inputs.warehouse-type }}
 DBT_VERSION: ${{ inputs.dbt-version }}
@@ -85,6 +87,13 @@ jobs:
 path: dbt-data-reliability
 ref: ${{ inputs.dbt-data-reliability-ref }}
+ - name: Configure AWS credentials
+ if: inputs.warehouse-type == 'athena'
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+ aws-region: eu-west-1
+
 - name: Start Postgres
 if: inputs.warehouse-type == 'postgres'
 working-directory: ${{ env.TESTS_DIR }}
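Review bot: The new step `uses: aws-actions/configure-aws-credentials@v4` references a mutable tag, and this is the step that performs the OIDC exchange for the role shared by both OSS repos, so whoever can move that tag controls the code that handles the assumed credentials; pin it to a full commit SHA and keep the tag as a trailing comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`. The same applies to the identical step added to test-warehouse.yml in the `@@ -85,6 +87,13 @@` hunk. Because one IAM role now serves two repositories, consider adding `role-session-name: dbt-data-reliability-${{ github.run_id }}` under `with:` so CloudTrail entries for `github-actions-elementary-oss` can be attributed to a repo and run instead of all sharing the action's default session name. The commit message calls `AWS_OIDC_ROLE_ARN` a prerequisite, but nothing here checks that `secrets.AWS_OIDC_ROLE_ARN` is non-empty; an explicit check before this step would fail with a clearer message than the action's own error.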
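Review bot: Granting `id-token: write` to this caller job is necessary but not sufficient: the called test-warehouse.yml reads `secrets.AWS_OIDC_ROLE_ARN`, which only reaches a reusable workflow when the `uses:` call passes `secrets: inherit` or names the secret explicitly, and that part of the job is outside this hunk, so it is worth confirming or the athena step will run with an empty `role-to-assume`. This job depends on `approve-fork`, which suggests it runs contributor code from forks once a maintainer approves; with OIDC in place that code can now obtain the shared AWS role, so the role's IAM policy and its trust-policy `sub` condition should be scoped to the `oss_tests` workgroup and the test schemas only — presumably handled in the elementary-internal Terraform, but worth recording next to the new permission with a comment such as `# Approved fork PRs run under this role; keep its IAM policy scoped to the oss_tests workgroup.`.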