Switch to using a role for CI (#348)

* switch to using a role for integrated tests

* separate python

* setup permision&test against CI_PubSub_Role

* test against iot account

* update host

* test host

* use a ci job role for test

* update role permission

* update tests to use host argument

* quick run discovery test

* quick test for gg discovery

* migrate gg discovery test

* more comments

---------

Co-authored-by: Vera Xia <[email protected]>

Author: sbSteveK

.github/workflows/ci.yml

@@ -8,8 +8,8 @@ on:
 
 env:
   RUN: ${{ github.run_id }}-${{ github.run_number }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: us-east-1
+  CI_SDK_V1_ROLE: arn:aws:iam::180635532705:role/CI_SDK_V1_ROLE
   PACKAGE_NAME: aws-iot-device-sdk-python
   AWS_EC2_METADATA_DISABLED: true
 
@@ -33,6 +33,9 @@ jobs:
 
   integration-tests:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
     strategy:
       fail-fast: false
       matrix:
@@ -43,6 +46,10 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_SDK_V1_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
       - name: Integration tests
         run: |
           pip install pytest

.github/workflows/handle-stale-discussions.yml

@@ -1,18 +1,19 @@
 name: HandleStaleDiscussions
 on:
-schedule:
-- cron: '0 */4 * * *'
-discussion_comment:
-types: [created]
+  schedule:
+    - cron: '0 */4 * * *'
+  discussion_comment:
+    types: [created]
 
 jobs:
-handle-stale-discussions:
-name: Handle stale discussions
-runs-on: ubuntu-latest
-permissions:
-  discussions: write
-steps:
-  - name: Stale discussions action
-    uses: aws-github-ops/handle-stale-discussions@v1
-    env:
-      GITHUB_TOKEN:  ${{secrets.GITHUB_TOKEN}}
+  handle-stale-discussions:
+    name: Handle stale discussions
+    runs-on: ubuntu-latest
+    permissions:
+      discussions: write
+    steps:
+      - name: Stale discussions action
+        uses: aws-github-ops/handle-stale-discussions@v1
+        env:
+          GITHUB_TOKEN:  ${{secrets.GITHUB_TOKEN}}
+          

test-integration/IntegrationTests/IntegrationTestAsyncAPIGeneralNotificationCallbacks.py

@@ -32,7 +32,6 @@
 TOPIC = "topic/test/async_cb/"
 MESSAGE_PREFIX = "MagicMessage-"
 NUMBER_OF_PUBLISHES = 3
-HOST = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
 ROOT_CA = "./test-integration/Credentials/rootCA.crt"
 CERT = "./test-integration/Credentials/certificate.pem.crt"
 KEY = "./test-integration/Credentials/privateKey.pem.key"
@@ -102,9 +101,10 @@ def get_random_string(length):
 ############################################################################
 # Main #
 # Check inputs
-my_check_in_manager = checkInManager(1)
+my_check_in_manager = checkInManager(2)
 my_check_in_manager.verify(sys.argv)
 mode = my_check_in_manager.mode
+host = my_check_in_manager.host
 
 skip_when_match(ModeIsALPN(mode).And(
     Python2VersionLowerThan((2, 7, 10)).Or(Python3VersionLowerThan((3, 5, 0)))
@@ -115,7 +115,7 @@ def get_random_string(length):
 print("Connecting...")
 callback_manager = CallbackManager()
 sdk_mqtt_client = MQTTClientManager()\
-    .create_nonconnected_mqtt_client(mode, CLIENT_ID, HOST, (ROOT_CA, CERT, KEY), callback_manager)
+    .create_nonconnected_mqtt_client(mode, CLIENT_ID, host, (ROOT_CA, CERT, KEY), callback_manager)
 sdk_mqtt_client.connectAsync(keepAliveIntervalSecond=1, ackCallback=callback_manager.connack)  # Add callback
 print("Wait some time to make sure we are connected...")
 time.sleep(10)  # 10 sec

test-integration/IntegrationTests/IntegrationTestAutoReconnectResubscribe.py

@@ -135,14 +135,14 @@ def threadBRuntime(self, pyCoreClient, callback):
 ############################################################################
 # Main #
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(1)
+myCheckInManager = checkInManager.checkInManager(2)
 myCheckInManager.verify(sys.argv)
 
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"
 mode = myCheckInManager.mode
+host = myCheckInManager.host
 
 skip_when_match(ModeIsALPN(mode).And(
     Python2VersionLowerThan((2, 7, 10)).Or(Python3VersionLowerThan((3, 5, 0)))

test-integration/IntegrationTests/IntegrationTestClientReusability.py

@@ -40,7 +40,6 @@
 NUMBER_OF_MESSAGES_PER_LOOP = 3
 NUMBER_OF_LOOPS = 3
 SUB_WAIT_TIME_OUT_SEC = 20
-HOST = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
 ROOT_CA = "./test-integration/Credentials/rootCA.crt"
 CERT = "./test-integration/Credentials/certificate.pem.crt"
 KEY = "./test-integration/Credentials/privateKey.pem.key"
@@ -94,19 +93,20 @@ def verify(self):
 
 ############################################################################
 # Main #
-my_check_in_manager = checkInManager(1)
+my_check_in_manager = checkInManager(2)
 my_check_in_manager.verify(sys.argv)
 mode = my_check_in_manager.mode
+host = my_check_in_manager.host
 
 skip_when_match(ModeIsALPN(mode).And(
     Python2VersionLowerThan((2, 7, 10)).Or(Python3VersionLowerThan((3, 5, 0)))
 ), "This test is not applicable for mode %s and Python verison %s. Skipping..." % (mode, sys.version_info[:3]))
 
 simple_thread_manager = simpleThreadManager()
 
-client_pub = MQTTClientManager().create_nonconnected_mqtt_client(mode, CLIENT_ID_PUB, HOST, (ROOT_CA, CERT, KEY))
+client_pub = MQTTClientManager().create_nonconnected_mqtt_client(mode, CLIENT_ID_PUB, host, (ROOT_CA, CERT, KEY))
 print("Client publisher initialized.")
-client_sub = MQTTClientManager().create_nonconnected_mqtt_client(mode, CLIENT_ID_SUB, HOST, (ROOT_CA, CERT, KEY))
+client_sub = MQTTClientManager().create_nonconnected_mqtt_client(mode, CLIENT_ID_SUB, host, (ROOT_CA, CERT, KEY))
 print("Client subscriber initialized.")
 client_twins = ClientTwins(client_pub, client_sub)
 print("Client twins initialized.")

test-integration/IntegrationTests/IntegrationTestConfigurablePublishMessageQueueing.py

@@ -274,10 +274,10 @@ def performConfigurableOfflinePublishQueueTest(clientPub, clientSub):
 
 
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(1)
+myCheckInManager = checkInManager.checkInManager(2)
 myCheckInManager.verify(sys.argv)
 
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
+host = myCheckInManager.host
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"

test-integration/IntegrationTests/IntegrationTestDiscovery.py

@@ -8,13 +8,13 @@
 from TestToolLibrary.skip import ModeIsWebSocket
 
 
-HOST = "arc9d2oott9lj-ats.iot.us-east-1.amazonaws.com"  # <[email protected]> 003261610643
 PORT = 8443
 CA = "./test-integration/Credentials/rootCA.crt"
 CERT = "./test-integration/Credentials/certificate_drs.pem.crt"
 KEY = "./test-integration/Credentials/privateKey_drs.pem.key"
 TIME_OUT_SEC = 30
 # This is a pre-generated test data from DRS integration tests
+# The test resources point to account # <[email protected]> 003261610643
 ID_PREFIX = "Id-"
 GGC_ARN = "arn:aws:iot:us-east-1:003261610643:thing/DRS_GGC_0kegiNGA_0"
 GGC_PORT_NUMBER_BASE = 8080
@@ -108,10 +108,14 @@
 }
 '''
 
+my_check_in_manager = checkInManager(2)
+my_check_in_manager.verify(sys.argv)
+mode = my_check_in_manager.mode
+host = my_check_in_manager.host
 
 def create_discovery_info_provider():
     discovery_info_provider = DiscoveryInfoProvider()
-    discovery_info_provider.configureEndpoint(HOST, PORT)
+    discovery_info_provider.configureEndpoint(host, PORT)
     discovery_info_provider.configureCredentials(CA, CERT, KEY)
     discovery_info_provider.configureTimeout(TIME_OUT_SEC)
     return discovery_info_provider
@@ -196,9 +200,6 @@ def verify_group_object(discovery_info):
 
 ############################################################################
 # Main #
-my_check_in_manager = checkInManager(1)
-my_check_in_manager.verify(sys.argv)
-mode = my_check_in_manager.mode
 
 skip_when_match(ModeIsWebSocket(mode), "This test is not applicable for mode: %s. Skipping..." % mode)
 

test-integration/IntegrationTests/IntegrationTestJobsClient.py

@@ -154,10 +154,10 @@ def _test_send_response_confirm(self, sendResult):
 ############################################################################
 # Main #
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(1)
+myCheckInManager = checkInManager.checkInManager(2)
 myCheckInManager.verify(sys.argv)
 
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
+host = myCheckInManager.host
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"

test-integration/IntegrationTests/IntegrationTestMQTTConnection.py

@@ -84,10 +84,10 @@ def _performPublish(self, pyCoreClient, topic, qos, payload):
 ############################################################################
 # Main #
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(2)
+myCheckInManager = checkInManager.checkInManager(3)
 myCheckInManager.verify(sys.argv)
 
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
+host = myCheckInManager.host
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"

test-integration/IntegrationTests/IntegrationTestOfflineQueueingForSubscribeUnsubscribe.py

@@ -47,7 +47,6 @@ def get_random_string(length):
 TOPIC_B = "topic/test/offline_sub_unsub/b" + get_random_string(4)
 MESSAGE_PREFIX = "MagicMessage-"
 NUMBER_OF_PUBLISHES = 3
-HOST = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
 ROOT_CA = "./test-integration/Credentials/rootCA.crt"
 CERT = "./test-integration/Credentials/certificate.pem.crt"
 KEY = "./test-integration/Credentials/privateKey.pem.key"
@@ -74,7 +73,7 @@ def __init__(self, mode):
         time.sleep(2)  # Make sure the subscription is valid
 
     def _create_connected_client(self, id_prefix):
-        return MQTTClientManager().create_connected_mqtt_client(self.__mode, id_prefix, HOST, (ROOT_CA, CERT, KEY))
+        return MQTTClientManager().create_connected_mqtt_client(self.__mode, id_prefix, host, (ROOT_CA, CERT, KEY))
 
     def start(self):
         thread_client_sub_unsub = Thread(target=self._thread_client_sub_unsub_runtime)
@@ -192,9 +191,10 @@ def verify(self):
 ############################################################################
 # Main #
 # Check inputs
-my_check_in_manager = checkInManager(1)
+my_check_in_manager = checkInManager(2)
 my_check_in_manager.verify(sys.argv)
 mode = my_check_in_manager.mode
+host = my_check_in_manager.host
 
 skip_when_match(ModeIsALPN(mode).And(
     Python2VersionLowerThan((2, 7, 10)).Or(Python3VersionLowerThan((3, 5, 0)))

test-integration/IntegrationTests/IntegrationTestProgressiveBackoff.py

@@ -220,11 +220,11 @@ def verifyBackoffTime(answerList, resultList):
 ############################################################################
 # Main #
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(2)
+myCheckInManager = checkInManager.checkInManager(3)
 myCheckInManager.verify(sys.argv)
 
 #host via describe-endpoint on this OdinMS: com.amazonaws.iot.device.sdk.credentials.testing.websocket
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
+host = myCheckInManager.host
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"

test-integration/IntegrationTests/IntegrationTestShadow.py

@@ -150,10 +150,10 @@ def randomString(lengthOfString):
 ############################################################################
 # Main #
 # Check inputs
-myCheckInManager = checkInManager.checkInManager(2)
+myCheckInManager = checkInManager.checkInManager(3)
 myCheckInManager.verify(sys.argv)
 
-host = "ajje7lpljulm4-ats.iot.us-east-1.amazonaws.com"
+host = myCheckInManager.host
 rootCA = "./test-integration/Credentials/rootCA.crt"
 certificate = "./test-integration/Credentials/certificate.pem.crt"
 privateKey = "./test-integration/Credentials/privateKey.pem.key"

test-integration/IntegrationTests/TestToolLibrary/checkInManager.py

@@ -7,12 +7,14 @@ class checkInManager:
     def __init__(self, numberOfInputParameters):
         self._numberOfInputParameters = numberOfInputParameters
         self.mode = None
+        self.host = None
         self.customParameter = None
 
     def verify(self, args):
         # Check if we got the correct command line params
         if len(args) != self._numberOfInputParameters + 1:
             exit(4)
         self.mode = str(args[1])
-        if self._numberOfInputParameters + 1 > 2:
-            self.customParameter = int(args[2])
+        self.host = str(args[2])
+        if self._numberOfInputParameters + 1 > 3:
+            self.customParameter = int(args[3])

test-integration/run/run.sh

@@ -33,14 +33,14 @@
 # Define const
 USAGE="usage: run.sh <testMode> <NumberOfMQTTMessages> <LengthOfShadowRandomString> <NumberOfNetworkFailure>"
 
-AWSMutualAuth_TodWorker_private_key="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestPrivateKey-vNUQU8"
-AWSMutualAuth_TodWorker_certificate="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestCertificate-vTRwjE"
+UnitTestHostArn="arn:aws:secretsmanager:us-east-1:180635532705:secret:unit-test/endpoint-HSpeEu"
+GreenGrassHostArn="arn:aws:secretsmanager:us-east-1:180635532705:secret:ci/greengrassv1/endpoint-DgM00X"
 
-AWSGGDiscovery_TodWorker_private_key="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestGGDiscoveryPrivateKey-YHQI1F"
-AWSGGDiscovery_TodWorker_certificate="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestGGDiscoveryCertificate-TwlAcS"
+AWSMutualAuth_TodWorker_private_key="arn:aws:secretsmanager:us-east-1:180635532705:secret:ci/mqtt5/us/Mqtt5Prod/key-kqgyvf"
+AWSMutualAuth_TodWorker_certificate="arn:aws:secretsmanager:us-east-1:180635532705:secret:ci/mqtt5/us/Mqtt5Prod/cert-VDI1Gd"
 
-AWSSecretForWebsocket_TodWorker_KeyId="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestWebsocketAccessKeyId-1YdB9z"
-AWSSecretForWebsocket_TodWorker_SecretKey="arn:aws:secretsmanager:us-east-1:123124136734:secret:V1IotSdkIntegrationTestWebsocketSecretAccessKey-MKTSaV"
+AWSGGDiscovery_TodWorker_private_key="arn:aws:secretsmanager:us-east-1:180635532705:secret:V1IotSdkIntegrationTestGGDiscoveryPrivateKey-BsLvNP"
+AWSGGDiscovery_TodWorker_certificate="arn:aws:secretsmanager:us-east-1:180635532705:secret:V1IotSdkIntegrationTestGGDiscoveryCertificate-DSwdhA"
 
 
 SDKLocation="./AWSIoTPythonSDK"
@@ -49,6 +49,8 @@ CREDENTIAL_DIR="./test-integration/Credentials/"
 TEST_DIR="./test-integration/IntegrationTests/"
 CA_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"
 CA_CERT_PATH=${CREDENTIAL_DIR}rootCA.crt
+TestHost=$(python ${RetrieveAWSKeys} ${UnitTestHostArn})
+GreengrassHost=$(python ${RetrieveAWSKeys} ${GreenGrassHostArn})
 
 
 
@@ -82,11 +84,7 @@ else
     	  python ${RetrieveAWSKeys} ${AWSDRSName_certificate} > ${CREDENTIAL_DIR}certificate_drs.pem.crt
     	  python ${RetrieveAWSKeys} ${AWSDRSName_privatekey} > ${CREDENTIAL_DIR}privateKey_drs.pem.key
     elif [ "$1"x == "Websocket"x ]; then
-    	  ACCESS_KEY_ID_ARN=$(python ${RetrieveAWSKeys} ${AWSSecretForWebsocket_TodWorker_KeyId})
-        ACCESS_SECRET_KEY_ARN=$(python ${RetrieveAWSKeys} ${AWSSecretForWebsocket_TodWorker_SecretKey})
         TestMode="Websocket"
-        export AWS_ACCESS_KEY_ID=${ACCESS_KEY_ID_ARN}
-        export AWS_SECRET_ACCESS_KEY=${ACCESS_SECRET_KEY_ARN}
         curl -s "${CA_CERT_URL}" > ${CA_CERT_PATH}
         echo -e "URL retrieved certificate data\n"
     elif [ "$1"x == "ALPN"x ]; then
@@ -115,11 +113,11 @@ else
     echo "***************************************************"
     for file in `ls ${TEST_DIR}`
     do
-        # if [ ${file}x == "IntegrationTestMQTTConnection.py"x ]; then
         if [ ${file##*.}x == "py"x ]; then
             echo "[SUB] Running test: ${file}..."
-
+            
             Scale=10
+            Host=TestHost
             case "$file" in
                 "IntegrationTestMQTTConnection.py") Scale=$2
                 ;;
@@ -131,7 +129,8 @@ else
                 ;;
                 "IntegrationTestConfigurablePublishMessageQueueing.py") Scale=""
                 ;;
-                "IntegrationTestDiscovery.py") Scale=""
+                "IntegrationTestDiscovery.py") Scale="" 
+                Host=${GreengrassHost}
                 ;;
                 "IntegrationTestAsyncAPIGeneralNotificationCallbacks.py") Scale=""
                 ;;
@@ -142,7 +141,7 @@ else
                 "IntegrationTestJobsClient.py") Scale=""
             esac
 
-            python ${TEST_DIR}${file} ${TestMode} ${Scale}
+            python ${TEST_DIR}${file} ${TestMode} ${TestHost} ${Scale}
             currentTestStatus=$?
             echo "[SUB] Test: ${file} completed. Exiting with status: ${currentTestStatus}"
             if [ ${currentTestStatus} -ne 0 ]; then