Buildkite plugin to assume IAM role before running command
Clone or download
pda Merge pull request #5 from scottybrisbane/master
Add support for specifying the role assumption duration
Latest commit a2a96ae Sep 25, 2018

README.md

AWS AssumeRole Buildkite Plugin

A Buildkite plugin to assume an IAM Role before running the build command.

Credentials for the assumed role are placed in the environment as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, where they will be found by standard AWS tools and SDKs.

The assumed role session expires after one hour, which is the default and maximum duration for the AssumeRole API.

Example

steps:
  - command: bin/ci-aws-thing
    plugins:
      cultureamp/aws-assume-role#v0.1.0:
        role: "arn:aws:iam::123456789012:role/example-role"

Alternatively, you could specify AWS_ASSUME_ROLE_ARN in your environment

steps:
  - command: bin/ci-aws-thing
    env:
      AWS_ASSUME_ROLE_ARN: arn:aws:iam::123456789012:role/example-role
    plugins:
      cultureamp/aws-assume-role

Options

role

The ARN of the IAM Role to assume. The build agent must already be authenticated (e.g. EC2 instance role) and have sts:AssumeRole permission for the role being assumed.

duration (optional)

The duration (in seconds) to assume the role for. Defaults to 3600 (1 hour).

References

License

MIT (see LICENSE)