Use default credential chain for AWS creds #6166
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Heroku app: https://gyr-review-app-6166-4ead306714ea.herokuapp.com/ |
embarnard
changed the title
embarnard
commented
Jan 26, 2026
| HEROKU_DNS_AWS_ACCESS_KEY_ID=${{ secrets.HEROKU_DNS_AWS_ACCESS_KEY_ID }} \ | ||
| HEROKU_DNS_SECRET_ACCESS_KEY=${{ secrets.HEROKU_DNS_SECRET_ACCESS_KEY }} \ | ||
| HEROKU_PLATFORM_KEY=${{ secrets.HEROKU_PLATFORM_KEY }} | ||
| HEROKU_PLATFORM_KEY=${{ secrets.HEROKU_PLATFORM_KEY }} \ |
Contributor
Author
There was a problem hiding this comment.
setup our AWS creds in our heroku apps via github secrets
embarnard
commented
Jan 26, 2026
|
|
||
| def download_schemas_from_s3(dest_dir) | ||
| s3_client = Aws::S3::Client.new(region: REGION, credentials: s3_credentials) | ||
| s3_client = Aws::S3::Client.new(region: REGION) |
Contributor
Author
There was a problem hiding this comment.
using default chain instead of digging up creds in some places and finding them in the env variables in others. now it will always be in the app's env variables except locally
embarnard
commented
Jan 26, 2026
Contributor
Author
There was a problem hiding this comment.
see differences via:
bin/gyr credentials_diff --base main --environment demo
embarnard
commented
Jan 26, 2026
| let!(:first_breached_client) { | ||
| create :client, flagged_at: Time.now, vita_partner: vita_partner, | ||
| last_outgoing_communication_at: 7.business_days.ago, | ||
| create :client, flagged_at: time, vita_partner: vita_partner, |
Contributor
Author
There was a problem hiding this comment.
flakey test that was failing Friday after working hours
mpidcock
approved these changes
Jan 26, 2026
Member
mpidcock
left a comment
mpidcock
left a comment
There was a problem hiding this comment.
Love to see this, looks great
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to pivotal/JIRA issue
Is PM acceptance required? (delete one)
Reminder: merge main into this branch and get green tests before merging to main
What was done?
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYin the app's environment/config variables when creating a AWS::S3::Client automatically, before this change we had different approaches for different environments. We called the credentials from our creds file in demo/staging/prod but got them from our env variables in CircleCI. This change will unify our approach so that we just grab them from our env variables in all env except locally where we will have to sso into a profileaws sso login --profile gyr-non-prodHow to test?