
Creation of AWSTemporaryCredentials to help with OIDC Federation via AssumeRoleWithWebIdentity #553

Draft
wants to merge 4 commits into base: master

Conversation

ROunofF

@ROunofF ROunofF commented May 7, 2024

Description

Create a new task AWSTemporaryCredentials that uses the OIDC token to federate and get temporary AWS credentials from the STS service.

Motivation

This aligns with the security best practice of not storing static credentials. Adding a task this way allows it to be flexible and even reusable across non-AWS tasks.

Related Issue(s), If Filed

#521
PR #550 is taking a different approach but would need all tasks to be modified

Testing

Checklist

  • I have read the README document
  • I have read the CONTRIBUTING document
  • My code follows the code style of this project
  • I have added tests to cover my changes
  • A short description of the change has been added to the changelog using the script npm run newChange

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@ROunofF
Author

ROunofF commented May 7, 2024

Example pipeline: you add the AWSTemporaryCredentials task first and the credentials are available in subsequent tasks, including non-AWS tasks (see the Bash task for how to import the variables).

This could probably be added in the README?

```yaml
steps:
    # Federate the pipeline's OIDC token into temporary STS credentials first;
    # no static AWS access keys are stored in the service connection.
    - task: AWSTemporaryCredentials@1
      displayName: 'Getting STS Credentials'
      inputs:
          azureSubscription: 'azuredo-poc'
          regionName: 'ca-central-1'
          assumeRole: arn:aws:iam::012345678901:role/azdo-s3-read

    # AWS tasks that follow pick the credentials up without an awsCredentials input
    - task: AWSShellScript@1
      displayName: 'AWS Shell script no awsCredentials'
      continueOnError: true
      inputs:
          regionName: 'ca-central-1'
          scriptType: inline
          inlineScript: |
              export
              aws sts get-caller-identity
              aws s3 ls

    - script: sudo apt-get install -y awscli
      displayName: Install AWS CLI # making sure we have the aws-cli for the non-aws task

    # Non-AWS task: import the pipeline variables into the standard AWS env vars
    - task: Bash@3
      displayName: 'Using bash script task with regular export'
      continueOnError: true
      inputs:
          targetType: 'inline'
          script: |
              export AWS_ACCESS_KEY_ID=$(AWS.ACCESS_KEY_ID)
              export AWS_SECRET_ACCESS_KEY=$(AWS.SECRET_ACCESS_KEY)
              export AWS_SESSION_TOKEN=$(AWS.SESSION_TOKEN)
              aws s3 ls --region ca-central-1

    - task: AWSCLI@1
      displayName: 'via AWSCLI: Running aws-cli get-caller-identity '
      continueOnError: true
      inputs:
          regionName: 'ca-central-1'
          awsCommand: 'sts'
          awsSubCommand: 'get-caller-identity'
```

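The exchange the PR description and the pipeline above rely on, as an added example that is not the PR's or the project's code: the unsigned STS AssumeRoleWithWebIdentity call driven by the OIDC token, and the Azure DevOps logging commands that publish the returned credentials as masked pipeline variables. The function names and the sample STS response are assumptions constructed for this example.

```javascript
// Added example, not the PR's code: the unsigned STS AssumeRoleWithWebIdentity
// exchange a task such as AWSTemporaryCredentials would perform, and the Azure
// DevOps logging commands that publish the result. Names/sample are assumptions.

// Build the regional STS request; this API is unsigned because the OIDC token
// itself is the proof of identity, so nothing here needs static AWS keys.
function buildStsRequest(roleArn, oidcToken, sessionName, region) {
  if (!/^arn:aws:iam::\d{12}:role\/.+/.test(roleArn)) {
    throw new Error(`invalid IAM role ARN: ${roleArn}`);
  }
  const body = new URLSearchParams({
    Action: 'AssumeRoleWithWebIdentity',
    Version: '2011-06-15',
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    WebIdentityToken: oidcToken,
    DurationSeconds: '3600',
  }).toString();
  return { method: 'POST', host: `sts.${region}.amazonaws.com`, path: '/',
           headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body };
}

// Extract the temporary credentials from the STS XML response.
function parseStsCredentials(xml) {
  const pick = (tag) => {
    const m = xml.match(new RegExp(`<${tag}>([^<]+)</${tag}>`));
    if (!m) throw new Error(`STS response missing <${tag}>`);
    return m[1];
  };
  return { accessKeyId: pick('AccessKeyId'), secretAccessKey: pick('SecretAccessKey'),
           sessionToken: pick('SessionToken'), expiration: pick('Expiration') };
}

// Emit ##vso logging commands; issecret=true keeps the values masked in the
// build log, and later steps read them as $(AWS.ACCESS_KEY_ID) and so on.
function toSetVariableCommands(creds) {
  const set = (name, value, secret) =>
    `##vso[task.setvariable variable=${name};issecret=${secret}]${value}`;
  return [set('AWS.ACCESS_KEY_ID', creds.accessKeyId, true),
          set('AWS.SECRET_ACCESS_KEY', creds.secretAccessKey, true),
          set('AWS.SESSION_TOKEN', creds.sessionToken, true),
          set('AWS.CREDENTIALS_EXPIRATION', creds.expiration, false)];
}

// Constructed sample response (placeholder values, not real credentials).
const SAMPLE_STS_RESPONSE = `<AssumeRoleWithWebIdentityResponse><AssumeRoleWithWebIdentityResult>
<Credentials><AccessKeyId>ASIAEXAMPLEKEYID0001</AccessKeyId><SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
<SessionToken>EXAMPLESESSIONTOKEN</SessionToken><Expiration>2024-05-07T12:00:00Z</Expiration></Credentials>
</AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>`;
toSetVariableCommands(parseStsCredentials(SAMPLE_STS_RESPONSE)).forEach((c) => console.log(c));
```

In a real task the request is sent over HTTPS with the job's OIDC token and the logging commands are written to stdout, which is how the agent picks them up.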

@rbbarad
Contributor

rbbarad commented May 7, 2024

/retryBuild
