Skip to content

Commit

Permalink
Check that grants were granted/revoked correctly.
Browse files Browse the repository at this point in the history
  • Loading branch information
@ggreer
ggreer committed Feb 12, 2024
1 parent 6b431d6 commit 3235f54
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,13 +52,38 @@ jobs:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws
- name: Checkout baton-aws
uses: actions/checkout@v3
with:
repository: ConductorOne/baton
ref: main
path: ./baton
- name: Build baton
working-directory: ./baton
run: go build ./cmd/baton
- name: Check for grant before revoking
run: ./baton/baton grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'
- name: Revoke grants
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --revoke-grant 'group:arn:aws:iam::425848093043:group/ci-test-group:member:iam_user:arn:aws:iam::425848093043:user/ci-test-user'
- name: Run baton-aws to get new state
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws
- name: Check grant was revoked
run: ./baton/baton grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource != "arn:aws:iam::425848093043:user/ci-test-user"'
- name: Grant entitlements
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::425848093043:group/ci-test-group:member' --grant-principal 'arn:aws:iam::425848093043:user/ci-test-user' --grant-principal-type 'iam_user'
- name: Run baton-aws to get new state
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws
- name: Check grant was re-granted
run: ./baton/baton grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'

0 comments on commit 3235f54

Please sign in to comment.