Merge branch 'dev' into prod

Sage-Bionetworks-Workflows · Jun 28, 2023 · d9e726d · d9e726d
2 parents c5a7b28 + ce7e206
commit d9e726d
Show file tree

Hide file tree

Showing 36 changed files with 49 additions and 11 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -42,6 +42,7 @@ jobs:
       job-environment: "workflows-nextflow-dev"
       sceptre-suffix: "dev"
       tower-url: "https://tower-dev.sagebionetworks.org"
+      aws-role-to-assume: "arn:aws:iam::035458030717:role/sagebase-github-oidc-workflows-dev-nextflow-infra"
 
   deploy-prod:
     if: github.ref == 'refs/heads/prod'
@@ -53,6 +54,7 @@ jobs:
       job-environment: "workflows-nextflow-prod"
       sceptre-suffix: "prod"
       tower-url: "https://tower.sagebionetworks.org"
+      aws-role-to-assume: "arn:aws:iam::728882028485:role/sagebase-github-oidc-workflows-prod-nextflow-infra"
       aws-assume-role-duration: 14400
 
   deploy-ampad:
@@ -64,3 +66,4 @@ jobs:
       job-environment: "org-sagebase-strides-ampad-workflows"
       sceptre-suffix: "ampad"
       tower-url: "https://tower.sagebionetworks.org"
+      aws-role-to-assume: "arn:aws:iam::751556145034:role/github-oidc-nextflow-infra"
diff --git a/.github/workflows/rw-deploy.yaml b/.github/workflows/rw-deploy.yaml
@@ -11,6 +11,9 @@ on:
       tower-url:
         required: true
         type: string
+      aws-role-to-assume:
+        required: true
+        type: string
       aws-assume-role-duration:
         required: false
         type: number
@@ -20,6 +23,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     environment: ${{ inputs.job-environment }}
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
@@ -30,19 +36,18 @@ jobs:
           python-version: '3.10'
           cache: 'pipenv'
 
-      - name: Install pipenv
+      - name: Install python pipenv
         run: curl https://raw.githubusercontent.com/pypa/pipenv/master/get-pipenv.py | python
 
-      - name: Install dependencies
+      - name: Install python dependencies
         run: pipenv install --dev
 
       - name: Assume AWS role
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.CI_USER_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.CI_USER_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
-          role-to-assume: ${{ secrets.CI_ROLE_TO_ASSUME }}
+          role-to-assume: ${{ inputs.aws-role-to-assume }}
+          role-session-name: GHA-${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
           role-duration-seconds: ${{ inputs.aws-assume-role-duration }}
 
       - name: Deploy common configuration

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -76,7 +76,7 @@ There are two types of [stack group configurations](https://sceptre.cloudreach.c
 
 ### CI/CD
 
-[GitHub Actions](https://github.com/features/actions) are used for continuous integration and deployment (CI/CD). Currently, this repository is configured with a single workflow, [aws-deploy](.github/workflows/aws-deploy.yaml), which runs some lint checks and conditionally deploys the [stacks](#configuration) on pushes to the `main` branch.
+[GitHub Actions](https://github.com/features/actions) are used for continuous integration and deployment (CI/CD). Currently, this repository is configured with a single workflow, [rw-deploy](.github/workflows/rw-deploy.yaml), which runs some lint checks and conditionally deploys the [stacks](#configuration) on pushes to the `main` branch.
 
 The lint checks are defined as [pre-commit hooks](.pre-commit-config.yaml) and are partially configured by the [.yamllint](.yamllint) file. See [above](#setting-up-the-repository-for-development) for how to locally set up pre-commit hooks in Git to ensure that these checks are run before every commit.
 
@@ -106,13 +106,10 @@ After switching to a matrix strategy in the CI/CD workflow, all secrets are bein
 
 Our GitHub secrets are stored in [account-specific environments](https://github.com/Sage-Bionetworks-Workflows/nextflow-infra/settings/environments). These secrets contain AWS and Nextflow Tower credentials.
 
-The AWS credentials were bootstrapped in the [`organizations-infra`](https://github.com/Sage-Bionetworks-IT/organizations-infra/) repository. For `nextflow-dev` and `nextflow-prod`, look for `WorkflowsNextflowCIServiceAccounts` in [this file](https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/org-formation/600-access/_tasks.yaml). For `strides-ampad`, look at [this file](https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/sceptre/strides-ampad-workflows/config/prod/workflows-nextflow-ci-service-account.yaml). The secrets can be retrieved from the CloudFormation Console in the respective AWS accounts under the `workflows-nextflow-ci-service-account` stack.
+The Github OIDC for GH actions were bootstrapped in the [`organizations-infra`](https://github.com/Sage-Bionetworks-IT/organizations-infra/) repository. For `nextflow-dev` and `nextflow-prod`, look for `GithubOidcWorkflowsDevNextflowInfra` in [this file](https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/org-formation/650-identity-providers/_tasks.yaml). For `strides-ampad`, look at [this file](https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/sceptre/strides-ampad-workflows/config/prod/github-oidc-nextflow-infra.yaml).
 
 The Nextflow Tower credentials (_i.e._ access tokens) were created manually using the Google service accounts that we provisioned for creating the Google OAuth clients, `[email protected]` and `[email protected]`, respectively. The login info for these two Google accounts are stored in LastPass under the `Shared-IBC-DPE-Workflows` folder. Note that the `*-prod` and `*-ampad` stacks are configured to use the token associated with `[email protected]` whereas the `*-dev` stacks are configured to use the token associated with `[email protected]`.
 
-- `CI_USER_ACCESS_KEY_ID`: The AWS access key ID for authenticating as an IAM CI service user.
-- `CI_USER_SECRET_ACCESS_KEY`: The AWS secret access key for authenticating as an IAM CI service user.
-- `CI_ROLE_TO_ASSUME`: The ARN of the IAM role that will be assumed after authenticating with the above IAM user credentials.
 - `TOWER_TOKEN`: The Nextflow Tower access token that will be used to provision the Tower teams, workspaces, credentials, and compute environments.
 
 ### AWS Secrets

diff --git a/config/infra-ampad/workflows-kms-key.yaml b/config/infra-ampad/workflows-kms-key.yaml
@@ -7,6 +7,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-dev/nextflow-aurora-mysql.yaml b/config/infra-dev/nextflow-aurora-mysql.yaml
@@ -15,6 +15,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-dev/smtp-credentials.yaml b/config/infra-dev/smtp-credentials.yaml
@@ -8,6 +8,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-dev/workflows-kms-key.yaml b/config/infra-dev/workflows-kms-key.yaml
@@ -7,6 +7,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-prod/nextflow-aurora-mysql.yaml b/config/infra-prod/nextflow-aurora-mysql.yaml
@@ -15,6 +15,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-prod/smtp-credentials.yaml b/config/infra-prod/smtp-credentials.yaml
@@ -8,6 +8,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/infra-prod/workflows-kms-key.yaml b/config/infra-prod/workflows-kms-key.yaml
@@ -7,6 +7,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}
diff --git a/config/projects-ampad/agora-project.yaml b/config/projects-ampad/agora-project.yaml
@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-ampad/jared-hendrickson-project.yaml b/config/projects-ampad/jared-hendrickson-project.yaml
@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-ampad/strides-ampad-project.yaml b/config/projects-ampad/strides-ampad-project.yaml
@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-ampad/wei-an-chen-project.yaml b/config/projects-ampad/wei-an-chen-project.yaml
@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-dev/example-dev-project.yaml b/config/projects-dev/example-dev-project.yaml
@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-dev/mc2-mcmicro-dev-project.yaml b/config/projects-dev/mc2-mcmicro-dev-project.yaml
@@ -12,6 +12,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-dev/orca-dev-project.yaml b/config/projects-dev/orca-dev-project.yaml
@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-dev/orca-service-test-project.yaml b/config/projects-dev/orca-service-test-project.yaml
@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-dev/pec-dev-project.yaml b/config/projects-dev/pec-dev-project.yaml
@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-dev-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/amp-ad-project.yaml b/config/projects-prod/amp-ad-project.yaml
@@ -12,6 +12,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/ctf-swnts-project.yaml b/config/projects-prod/ctf-swnts-project.yaml
@@ -37,6 +37,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/example-project.yaml b/config/projects-prod/example-project.yaml
@@ -44,6 +44,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/genie-bpc-project.yaml b/config/projects-prod/genie-bpc-project.yaml
@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/htan-project.yaml b/config/projects-prod/htan-project.yaml
@@ -18,6 +18,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/iatlas-project.yaml b/config/projects-prod/iatlas-project.yaml
@@ -23,6 +23,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/imcore-project.yaml b/config/projects-prod/imcore-project.yaml
@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/jhu-biobank-nf-project.yaml b/config/projects-prod/jhu-biobank-nf-project.yaml
@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/mc2-mcmicro-project.yaml b/config/projects-prod/mc2-mcmicro-project.yaml
@@ -21,6 +21,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/nf-ntap5-biobank-jineta.yaml b/config/projects-prod/nf-ntap5-biobank-jineta.yaml
@@ -33,6 +33,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

diff --git a/config/projects-prod/nfri-ctf-nf1-project.yaml b/config/projects-prod/nfri-ctf-nf1-project.yaml
@@ -29,6 +29,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn