
v3.1.0 - AWS Web Identity Support using CIRCLE_OIDC token

@brivu brivu released this 21 Apr 20:37
· 32 commits to master since this release
58d57db

What's Changed

This minor version update includes the following changes:

Added Commands

assume-role-with-web-identity - This command generates short-lived AWS credentials using OpenID Connect. An IAM OIDC identity provider establishes trust between CircleCI and your AWS account when jobs run. An IAM role whose trust policy allows web identity (OpenID Connect) federation must be created first and passed to this command as role-arn.

Added Features

setup command now includes the assume-role-with-web-identity command. The setup command installs the AWS CLI and runs assume-role-with-web-identity if the role-session-name and role-arn parameters are passed. If they are not, a profile is configured from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values passed as environment variables.

Added Parameters

assume-role-with-web-identity command has the following parameters:

  • role-arn: The Amazon Resource Name (ARN) of the role that the caller is assuming. The role must be configured for web identity in AWS IAM.
  • role-session-name: An identifier for the assumed role session. It must be less than 64 characters.
  • session-duration: The duration of the session in seconds. It defaults to 3600 seconds (1 hour).
  • profile-name: The profile name to be configured with Web Identity.
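The following shell script is an added example of the exchange the command above performs; it is not the orb's own script. It assumes the AWS CLI v2 is on PATH and that CircleCI has placed the job's OIDC token in CIRCLE_OIDC_TOKEN. The session-name character set and the 900-43200 second duration range are AWS STS limits (the release notes only state the under-64-character rule and the 3600 default); the trust-policy shape follows the CircleCI OIDC documentation, with ORG-PLACEHOLDER and the account number standing in for real values. The STS response embedded at the top is constructed sample data, not a real credential.

```shell
#!/bin/sh
# Added example (not the circleci/aws-cli orb's code): swap the CircleCI OIDC
# token for short-lived STS credentials and write them to a named profile.
set -eu

# Constructed sample of what `aws sts assume-role-with-web-identity` returns;
# used only to exercise extract_credential offline.
SAMPLE_STS_JSON='{"Credentials": {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE", "SecretAccessKey": "constructed/secret", "SessionToken": "constructed-token", "Expiration": "2022-04-21T21:37:00+00:00"}}'

# STS accepts session names made of [A-Za-z0-9_=,.@-]; the release notes
# require fewer than 64 characters. Returns 0 when the name is acceptable.
validate_session_name() {
  name="$1"
  [ -n "$name" ] || return 1
  [ "${#name}" -lt 64 ] || return 1
  case "$name" in
    *[!A-Za-z0-9_=,.@-]*) return 1 ;;
  esac
  return 0
}

# DurationSeconds must be an integer from 900 (15 min) up to the role's
# maximum session duration, which cannot exceed 43200 (12 h). Default 3600.
validate_duration() {
  dur="${1:-3600}"
  case "$dur" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$dur" -ge 900 ] && [ "$dur" -le 43200 ]
}

# Pull one Credentials field out of the STS JSON (pretty-printed or one line)
# without depending on jq being installed in the executor image.
extract_credential() {
  json="$1"; field="$2"
  printf '%s' "$json" | grep -o "\"$field\": *\"[^\"]*\"" | head -n 1 | sed 's/^[^:]*: *"//; s/"$//'
}

# Trust policy for the web-identity role. The provider path and the aud
# condition follow the CircleCI OIDC docs (issuer oidc.circleci.com/org/<org-id>,
# aud = the org id); pinning aud is what stops tokens from other orgs.
trust_policy() {
  account="$1"; org_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account}:oidc-provider/oidc.circleci.com/org/${org_id}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"oidc.circleci.com/org/${org_id}:aud": "${org_id}"}}
  }]
}
EOF
}

# Validate inputs, call STS, and store the temporary credentials in a profile.
# Arguments: role ARN, session name, profile name, optional duration in seconds.
assume_web_identity() {
  role_arn="$1"; session="$2"; profile="$3"; dur="${4:-3600}"
  validate_session_name "$session" || { echo "bad role-session-name: $session" >&2; return 1; }
  validate_duration "$dur" || { echo "bad session-duration: $dur" >&2; return 1; }
  creds=$(aws sts assume-role-with-web-identity \
    --role-arn "$role_arn" --role-session-name "$session" \
    --web-identity-token "$CIRCLE_OIDC_TOKEN" --duration-seconds "$dur" \
    --output json)
  aws configure set aws_access_key_id     "$(extract_credential "$creds" AccessKeyId)"     --profile "$profile"
  aws configure set aws_secret_access_key "$(extract_credential "$creds" SecretAccessKey)" --profile "$profile"
  aws configure set aws_session_token     "$(extract_credential "$creds" SessionToken)"    --profile "$profile"
  echo "profile '$profile' configured; credentials expire $(extract_credential "$creds" Expiration)"
}

# Only perform the exchange inside a CircleCI job that provided the token, so
# the helper functions can be sourced and checked offline.
if [ -n "${CIRCLE_OIDC_TOKEN:-}" ]; then
  assume_web_identity "${ROLE_ARN:?set ROLE_ARN}" "${ROLE_SESSION_NAME:-circleci-session}" \
    "${PROFILE_NAME:-web-identity}" "${SESSION_DURATION:-3600}"
fi
```

Note that no long-lived key is stored anywhere: the profile only ever holds the session credentials, and each job repeats the exchange with a fresh token, so revoking access is a matter of editing the role's trust policy rather than rotating secrets.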

Usage Example

```yaml
description: |
  Setup the AWS CLI and configure with Web Identity.
  Assume roles on AWS without storing keys on CircleCI and utilize short-term credentials instead.
  For more information, see the CircleCI OIDC docs: https://circleci.com/docs/2.0/openid-connect-tokens
usage:
  version: 2.1

  orbs:
    aws-cli: circleci/aws-cli@3.1

  jobs:
    aws-cli-example:
      executor: aws-cli/default
      steps:
        - checkout
        - aws-cli/setup:
            profile-name: WEB IDENTITY PROFILE
            role-arn: arn:aws:iam::123456789012:role/WEB-IDENTITY-ROLE
            role-session-name: example-session
        - run: echo "Run your code here"

  workflows:
    aws-cli:
      jobs:
        - aws-cli-example:
            context: aws
```

Full Changelog: v3.0.0...v3.1.0