From eb7d4a5b396b7e52f7eae3169bf64a5ec23d4962 Mon Sep 17 00:00:00 2001
From: Thomas Sibley <tsibley@fredhutch.org>
Date: Mon, 20 May 2024 16:47:18 -0700
Subject: [PATCH] pathogen-repo-build: Run `aws sts get-caller-identity` after
 acquiring credentials

Very helpful for troubleshooting when looking at logs.

Note that when using the AWS Batch runtime the credential identity will
only be emitted for the initial job submission, not subsequent wait-N
jobs.  This seems fine.
---
 .github/workflows/pathogen-repo-build.yaml    | 3 +++
 .github/workflows/pathogen-repo-build.yaml.in | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml
index c0e6329..0960083 100644
--- a/.github/workflows/pathogen-repo-build.yaml
+++ b/.github/workflows/pathogen-repo-build.yaml
@@ -279,6 +279,7 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && steps.role.outputs.arn || '' }}
           role-duration-seconds: 43200 # seconds, or 12 hours
+      - run: aws sts get-caller-identity
       - name: Save runtime AWS credentials to ${{ env.NEXTSTRAIN_RUNTIME_ENVDIR }}
         run: |
           "$NEXTSTRAIN_GITHUB_DIR"/bin/write-envdir "$NEXTSTRAIN_RUNTIME_ENVDIR" \
@@ -298,6 +299,8 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && 'arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainBatchJobs' || '' }}
           role-duration-seconds: 43200 # seconds, or 12 hours
+      - if: inputs.runtime == 'aws-batch'
+        run: aws sts get-caller-identity
       - name: Setup runtime ${{ inputs.runtime }}
         uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli
         with:
diff --git a/.github/workflows/pathogen-repo-build.yaml.in b/.github/workflows/pathogen-repo-build.yaml.in
index b9f2137..0a961c5 100644
--- a/.github/workflows/pathogen-repo-build.yaml.in
+++ b/.github/workflows/pathogen-repo-build.yaml.in
@@ -243,6 +243,7 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && steps.role.outputs.arn || '' }}
           role-duration-seconds: 43200 # seconds, or 12 hours
+      - run: aws sts get-caller-identity
 
       - name: Save runtime AWS credentials to ${{ env.NEXTSTRAIN_RUNTIME_ENVDIR }}
         run: |
@@ -265,6 +266,8 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && 'arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainBatchJobs' || '' }}
           role-duration-seconds: 43200 # seconds, or 12 hours
+      - if: inputs.runtime == 'aws-batch'
+        run: aws sts get-caller-identity
 
       - &setup-runtime
         name: Setup runtime ${{ inputs.runtime }}