Use gh nv-gha-aws CLI extension to generate credentials #392
…WS_ROLE_ARN is set
nice! looking forward to getting this rolled out.
left a few questions/comments.
. devcontainer-utils-init-github-cli; | ||
|
||
# Check whether the user is in one of the allowed GitHub orgs | ||
local allowed_orgs="${AWS_GITHUB_ORGS:-${VAULT_GITHUB_ORGS:-nvidia nv-morpheus nv-legate rapids}}"; |
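Review bot: on the `allowed_orgs` line, the default chain reads AWS_GITHUB_ORGS, then VAULT_GITHUB_ORGS, then the hardcoded list, so a Vault-specific override also changes which orgs are tried for AWS credentials. If that coupling is intended, state the precedence in the comment above the line; otherwise drop the VAULT_GITHUB_ORGS fallback so the two settings stay independent.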
Is there a reason to hardcode this list?
The organization allow list is already defined in the AWS role policy. The gh nv-gha-aws tool will throw an error if an organization that is not on this list attempts to get credentials.
This list is override-able via envvar, so the orgs here are just defaults. This list is compared against the user's orgs, then only the orgs for which the user is a member are attempted.
fi | ||
|
||
# Check whether the user is in one of the allowed GitHub orgs | ||
local allowed_orgs="${VAULT_GITHUB_ORGS:-nvidia nv-morpheus nv-legate rapids}"; |
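Review bot: the default `nvidia nv-morpheus nv-legate rapids` on this `allowed_orgs` line is the same literal that the AWS `allowed_orgs` line uses as its final fallback, so the two copies can drift apart when one is edited. Consider defining the default list once and referencing it from both places.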
Same question about hardcoded orgs here.
nv-gha-aws CLI extension to generate credentials if AWS_ROLE_ARN is set