AAA - Policy Validation #2324
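---
name: AAA - Policy Validation

on:
  schedule:
    # Daily at 06:00 UTC.
    - cron: "0 6 * * *"
  workflow_dispatch:

# Only one validation run at a time; a newer trigger supersedes an in-flight one
# so two runs never race each other on the push to master.
concurrency:
  group: policy-validation
  cancel-in-progress: true

env:
  project: "mamip"

jobs:
  build:
    name: AWS Access Analyzer - Policy Validation
    # id-token: OIDC federation for the AWS role assumed below.
    # contents: the job commits its findings back to master.
    permissions:
      id-token: write
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config; the push step
          # supplies its own credential explicitly.
          persist-credentials: false
          # Full history so the rebase/retry in the push step has a usable
          # origin/master to replay onto.
          fetch-depth: 0

      - name: AWS IAM Assume Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ secrets.REGION }}
          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
          # 20 minutes is enough for the listing + validation below.
          role-duration-seconds: 1200
          role-session-name: GH-Actions-${{ env.project }}-policy-validation

      - name: Install python requirements
        run: python3 -m pip install -r ./automation/requirements.txt

      - name: Retrieve the list of current AWS Managed Policies
        # --output json pins the format the validator reads, independent of any
        # CLI default configured on the runner.
        run: aws iam list-policies --scope AWS --output json > policies-list.json

      - name: AWS Access Analyzer - Policy Validation
        run: python3 ./automation/validate-batch.py

      - name: Commit and Push findings
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment rather than interpolated into the
          # script body, so the shell never sees an unquoted expression.
          REPOSITORY: ${{ github.repository }}
        run: |
          git config --local user.email "iamtrail-bot@noreply.github.com"
          git config --local user.name "IAMTrail Policy Validation"
          # Park the generated files, resync to the remote tip, then restore them.
          git stash --include-untracked
          git fetch origin master
          git reset --hard origin/master
          # `git stash` creates no entry when there was nothing to save, so only
          # pop when one exists. A pop that cannot be applied now fails the step
          # (the shell runs with -e) instead of silently discarding the findings.
          if git stash list | grep -q .; then
            git stash pop
          fi
          git add ./findings
          git add DEPRECATED.json
          git add policies-list.json
          # Nothing staged means nothing to report; any other commit failure
          # is a real error and must not be masked.
          if git diff --cached --quiet; then
            echo "No policy changes to commit."
            exit 0
          fi
          git commit -m "AccessAnalyzer - Policy Validation"
          # Push with retry: when the remote moved, replay our commit on top of
          # the new tip (during a rebase, -X theirs favours the replayed commit,
          # i.e. our findings) and try again. Fail the job if no attempt lands,
          # so an unpushed result is visible rather than a green run.
          pushed=0
          for i in 1 2 3; do
            if git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${REPOSITORY}.git" HEAD:master; then
              pushed=1
              break
            fi
            echo "Push failed, retrying ($i/3)..."
            sleep 5
            git fetch origin master
            git rebase origin/master -X theirs || git rebase --abort
          done
          if [ "$pushed" -ne 1 ]; then
            echo "::error::Could not push findings to master after 3 attempts."
            exit 1
          fi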