Merge pull request #311 from Sage-Bionetworks-Workflows/WORKFLOWS-549…

…-remove-IAMusers [Workflows-549] Using IAM role in Tower to authenticate AWS services
Sage-Bionetworks-Workflows · Jun 10, 2024 · ee14403 · ee14403
2 parents da05be2 + 80dd558
commit ee14403
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/bin/configure-tower-projects.py b/bin/configure-tower-projects.py
@@ -528,16 +528,15 @@ def create_credentials(self) -> int:
                 assert cred["deleted"] is None
                 return cred["id"]
         # Otherwise, create a new credentials entry for the project
-        secret_arn = self.stack["TowerForgeServiceUserAccessKeySecretArn"]
+        secret_arn = self.stack["TowerRoleArn"]
         credentials = self.org.aws.get_secret_value(secret_arn)
         data = {
             "credentials": {
                 "name": self.stack_name,
                 "provider": "aws",
                 "keys": {
                     "accessKey": credentials["aws_access_key_id"],
-                    "secretKey": credentials["aws_secret_access_key"],
-                    "assumeRoleArn": self.stack["TowerForgeServiceRoleArn"],
+                    "assumeRoleArn": self.stack["TowerRoleArn"],
                 },
                 "description": f"Credentials for {self.stack_name}",
             }

diff --git a/templates/tower-project.j2 b/templates/tower-project.j2
@@ -288,6 +288,7 @@ Resources:
             - !GetAtt TowerForgeBatchHeadJobRole.Arn
             - !GetAtt TowerForgeBatchWorkJobRole.Arn
             - !GetAtt TowerForgeServiceRole.Arn
+            - !GetAtt TowerRole.Arn
             - !Join
               - ","
               - !Ref AccountAdminArns
@@ -374,6 +375,7 @@ Resources:
                 - !GetAtt TowerForgeServiceRole.Arn
                 - !GetAtt TowerForgeBatchHeadJobRole.Arn
                 - !GetAtt TowerForgeBatchWorkJobRole.Arn
+                - !GetAtt TowerRole.Arn
             Action:
               - "s3:GetBucketLocation"
               - "s3:ListBucket"
@@ -511,6 +513,7 @@ Resources:
                 - !GetAtt TowerForgeServiceRole.Arn
                 - !GetAtt TowerForgeBatchHeadJobRole.Arn
                 - !GetAtt TowerForgeBatchWorkJobRole.Arn
+                - !GetAtt TowerRole.Arn
             Action:
               - "s3:GetBucketLocation"
               - "s3:ListBucket"