Replace IAM creds with role

Author: ziyiz-amzn

.github/workflows/deploy.yml

@@ -6,21 +6,22 @@ on:
       - main
       - 'release-**.x'
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+
 jobs:
   deploy:
     name: Deploy Demo App and Storybook
     runs-on: ubuntu-latest
     env:
       AWS_DEFAULT_REGION: us-east-1
       AWS_DEFAULT_OUTPUT: text
-      AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY}}
-      AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_SDK_DEV }}
+          role-session-name: deploy-react-demo-app
           aws-region: us-east-1
       - name: Checkout Package
         uses: actions/checkout@v2

.github/workflows/roster-integration.yml

@@ -13,6 +13,9 @@ env:
   SAUCE_USERNAME: ${{secrets.SAUCE_USERNAME}}
   SAUCE_ACCESS_KEY: ${{secrets.SAUCE_ACCESS_KEY}}
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+
 jobs:
   integ-roster:
     name: Roster Integration Test
@@ -31,10 +34,10 @@ jobs:
       - name: Echo Job ID
         run: echo "${{ steps.create-job-id.outputs.uuid }}"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_SDK_DEV }}
+          role-session-name: integ-test
           aws-region: us-east-1
       - name: Setup Sauce Connect
         uses: saucelabs/sauce-connect-action@v1