AWS AssumeRole Buildkite Plugin
A Buildkite plugin to assume an IAM Role before running the build command.
Credentials for the assumed role are placed in the environment as
AWS_SESSION_TOKEN, where they will be found by standard AWS tools and SDKs.
The assumed role session expires after one hour, which is the default and maximum duration for the AssumeRole API.
steps: - command: bin/ci-aws-thing plugins: - cultureamp/aws-assume-role#v0.1.0: role: "arn:aws:iam::123456789012:role/example-role"
Alternatively, you could specify
AWS_ASSUME_ROLE_ARN in your environment
steps: - command: bin/ci-aws-thing env: AWS_ASSUME_ROLE_ARN: arn:aws:iam::123456789012:role/example-role plugins: - cultureamp/aws-assume-role
The ARN of the IAM Role to assume. The build agent must already be authenticated (e.g. EC2 instance role) and have
sts:AssumeRole permission for the role being assumed.
The duration (in seconds) to assume the role for. Defaults to 3600 (1 hour).
AWS_DEFAULT_REGION with the value you set. If not set the values of AWS_REGION and AWS_DEFAULT_REGION will not be changed.
Tests are written using bats with bats-mock and a docker compose file is provided to simplify testing.
To run tests:
docker-compose run tests
- Creating a Role to Delegate Permissions to an IAM User
- Requesting Temporary Security Credentials
- AWS STS AssumeRole API
- Checking the Maximum Session Duration for a Role
MIT (see LICENSE)