Skip to content

feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4

Open
devantler wants to merge 4 commits into
mainfrom
claude/eks-ci-role
Open

feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4
devantler wants to merge 4 commits into
mainfrom
claude/eks-ci-role

Conversation

@devantler

@devantler devantler commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Engineer

Why

The ksail EKS smoke test still cannot run: the AWS-side identity it must assume does not exist yet. Step 1 (the GitHub OIDC provider) now reconciles on prod after the platform egress fix, which surfaced the exact provider ARN this role's trust policy requires.

What

Adds the eks-ci IAM role: trust locked to the ksail repo's ci environment via GitHub OIDC (no long-lived keys), a 2-hour session cap, and an inline least-privilege policy scoped to the smoke test's st-eks-*/eksctl-st-eks-* resource naming wherever IAM supports it. Once it reconciles, its ARN goes to the ksail ci environment as AWS_OIDC_ROLE_ARN (the workflow's activation gate — merging this creates the role but activates nothing in CI).

Part of devantler-tech/platform#2326 (child 2, step 2 of 2).

Merge order: devantler-tech/platform#2612 (activates the Policy managed-resource kind) must merge first, or the new permissions-boundary manifest sits pending; ksail#6082 then wires the boundary into the generated eks.yaml before the workflow's first dispatch.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce9566858c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/eks-ci/eks-ci-role.yaml Outdated
The EKS API's documented accessEntryArn uses the accessEntry/ segment while
the service authorization convention documents access-entry/; a non-matching
pattern grants nothing, so cover both to keep access-entry management working
for API-mode clusters.
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7417e4810d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/eks-ci/eks-ci-role.yaml
Comment thread deploy/eks-ci/eks-ci-role.yaml
…rovider lifecycle perms

Codex P1s on #4: (1) eksctl with iam.withOIDC needs Create/Delete/Tag
OpenIDConnectProvider — granted scoped to oidc-provider/oidc.eks.* so the
GitHub Actions provider stays untouchable; (2) iam:CreateRole is now
conditioned on the eks-ci-smoke-boundary permissions boundary (new Policy MR)
so a workflow assuming eks-ci cannot mint an unbounded role and pass it to
EC2 to escalate beyond the smoke-test scope.
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

Both P1s fixed at 8d57d5c (threads resolved with details); merge-order gates added to the body.

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: 8d57d5c5a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@devantler devantler marked this pull request as ready for review July 13, 2026 06:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant