From 88b53d810e92151729eb13c69b7e05501c38fe57 Mon Sep 17 00:00:00 2001
From: Thomas Kappler
Date: Sun, 3 Dec 2023 18:39:10 +0100
Subject: [PATCH] [EXP] OIDC via direct provider config

---
 .github/workflows/run-acceptance-tests.yml | 14 +++++++-------
 examples/bucket/index.ts | 12 +++++++++++-
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index 68f9ad3c01f..ab1959444d1 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -502,13 +502,13 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: v2.4.0
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ env.AWS_REGION }}
-          role-duration-seconds: 3600
-          role-session-name: ${{ env.PROVIDER }}@githubActions
-          role-to-assume: arn:aws:iam::894850187425:role/github-oidc
+      # - name: Configure AWS Credentials
+      #   uses: aws-actions/configure-aws-credentials@v4
+      #   with:
+      #     aws-region: ${{ env.AWS_REGION }}
+      #     role-duration-seconds: 3600
+      #     role-session-name: ${{ env.PROVIDER }}@githubActions
+      #     role-to-assume: arn:aws:iam::894850187425:role/github-oidc
       - name: Make upstream
         run: make upstream
       - name: Run tests
diff --git a/examples/bucket/index.ts b/examples/bucket/index.ts
index a4603bf7206..9b467f1503e 100644
--- a/examples/bucket/index.ts
+++ b/examples/bucket/index.ts
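Review bot: Commenting out the Configure AWS Credentials step removes the only place this workflow names the role `arn:aws:iam::894850187425:role/github-oidc`, yet nothing in this hunk exports that ARN to the test step, while the examples/bucket/index.ts hunk now reads `process.env["OIDC_ROLE_ARN"]` for it; unless the variable is defined elsewhere in the workflow, the provider's roleArn is undefined at runtime. The commented-out block is also dead YAML that will drift from the real step over time; since the commit is tagged [EXP], either delete it and rely on git history or replace it with an `env:` entry on the Run tests step such as `OIDC_ROLE_ARN: arn:aws:iam::894850187425:role/github-oidc`. Note that the example's `getIDToken` call presumably still needs the job's `id-token: write` permission that the removed action relied on, so that permission has to stay even though the action is gone.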
@@ -17,10 +17,20 @@ import * as pulumi from "@pulumi/pulumi";
 // https://github.com/pulumi/pulumi-aws/issues/772
 import { Bucket } from "@pulumi/aws/s3";
 import * as aws from "@pulumi/aws";
+import * as gh from "@actions/core";
 import * as s3 from "@aws-sdk/client-s3";
 
 const config = new pulumi.Config("aws");
-const providerOpts = { provider: new aws.Provider("prov", { region: config.require("envRegion") }) };
+const providerOpts = {
+    provider: new aws.Provider("prov", {
+        region: config.require("envRegion"),
+        assumeRoleWithWebIdentity: {
+            roleArn: process.env["OIDC_ROLE_ARN"],
+            webIdentityToken: gh.getIDToken("sts.amazonaws.com"),
+            sessionName: "pulumi-bucket",
+        },
+    })
+};
 
 const bucket = new Bucket("testbucket", {
     serverSideEncryptionConfiguration: {
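Review bot: `gh.getIDToken("sts.amazonaws.com")` returns a Promise&lt;string&gt; that only resolves inside a GitHub Actions job (it depends on the runner-supplied ID-token request URL and token), so after this change the bucket example can no longer be run from a developer machine, and the failure surfaces as an error inside provider setup rather than at the call site. Pulumi's Input type accepts the promise, but the resolved value is a bearer credential recorded as a provider input; unless the aws provider schema already marks webIdentityToken as secret (worth confirming), wrap it, e.g. `webIdentityToken: pulumi.secret(gh.getIDToken("sts.amazonaws.com")),`. The role ARN should likewise fail fast instead of reaching STS as undefined: `const roleArn = process.env["OIDC_ROLE_ARN"]; if (!roleArn) throw new Error("OIDC_ROLE_ARN is not set");` and then pass `roleArn`. Finally, `@actions/core` becomes a runtime dependency of the example, but the diffstat shows only the workflow and index.ts changing, so the import will not resolve unless that package is already declared in the example's dependencies.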