Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
# CircleCI config schema version; 2.1 is required for orb support.
version: 2.1
Add the `orbs` stanza below your `version` line, invoking the orb:
orbs:
  # Pin the orb to an explicit version; the examples further down reference 0.1.2,
  # so make sure every config in the repository uses the same pin.
  aws-configure-with-oidc: l060ki/aws-configure-with-oidc@0.2.0
Use `aws-configure-with-oidc` elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization's Security settings page.
Configure AWS Credentials using OIDC
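version: '2.1'
orbs:
  # The orb installs the AWS CLI itself (aws-cli/install inside assume-role),
  # so this import is only needed if other steps call aws-cli commands directly.
  aws-cli: circleci/aws-cli@2.1.0
  aws-configure-with-oidc: l060ki/aws-configure-with-oidc@0.1.2
jobs:
  build:
    docker:
      - image: cimg/python:3.10
    environment:
      AWS_REGION: ap-northeast-1
    steps:
      # role-arn takes the NAME of an environment variable that holds the role
      # ARN (type env_var_name), not the ARN itself. Define AWS_IAM_ROLE_ARN in
      # the context referenced by the workflow rather than in the config file.
      - aws-configure-with-oidc/assume-role:
          role-arn: AWS_IAM_ROLE_ARN
      - run:
          # `name` must be a string; the original `name: null` is replaced with a
          # descriptive step name.
          name: Verify the assumed identity
          command: |
            aws sts get-caller-identity
workflows:
  build-and-test:
    jobs:
      - build:
          # CircleCI only issues the OIDC token (CIRCLE_OIDC_TOKEN_V2) to jobs that
          # use at least one context, so the context is required, not optional.
          context:
            - aws-oidc-deploy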
Authenticate with AWS using OIDC and assume a role.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
duration-second | The duration, in seconds, of the role session | No | 900 | integer |
role-arn | The name of the environment variable holding the Amazon Resource Name (ARN) of the role that the caller is assuming | No | AWS_IAM_ROLE_ARN | env_var_name |
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Authenticate with AWS using OIDC and assume a role.
display:
  # NOTE(review): the install snippet uses the namespace `l060ki`; confirm this
  # URL points at the intended repository.
  source_url: https://github.com/1060ki/aws-configure-with-oidc
orbs:
  # Provides aws-cli/install, which the assume-role command runs first.
  aws-cli: circleci/aws-cli@2.1.0
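commands:
  assume-role:
    description: |
      Authenticate with AWS using OIDC and assume a role.
      On success, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
      AWS_SESSION_TOKEN are appended to BASH_ENV so that every later
      run step in the job uses the temporary credentials.
    parameters:
      duration-second:
        default: 900
        description: The duration, in seconds, of the role session
        type: integer
      role-arn:
        default: AWS_IAM_ROLE_ARN
        description: Name of the environment variable holding the Amazon Resource Name (ARN) of the role that the caller is assuming
        type: env_var_name
      role-session-name:
        # Optional; the default keeps the previously hard-coded value. Setting a
        # per-pipeline name makes CloudTrail entries attributable to a job.
        default: CircleCI
        description: Session name passed to STS and recorded in CloudTrail for the assumed role
        type: string
    steps:
      - aws-cli/install
      - run:
          name: Configure aws credential
          environment:
            PARAM_DURATION_SECOND: <<parameters.duration-second>>
            PARAM_ROLE_ARN: <<parameters.role-arn>>
            PARAM_ROLE_SESSION_NAME: <<parameters.role-session-name>>
          command: |
            # PARAM_ROLE_ARN holds the *name* of the variable carrying the ARN.
            # Resolve it with bash indirect expansion rather than `eval echo`,
            # so the value is never re-parsed as shell code.
            ROLE_ARN_VAR_NAME="${PARAM_ROLE_ARN}"
            PARAM_ROLE_ARN="${!ROLE_ARN_VAR_NAME:-}"
            if [ -z "${PARAM_ROLE_ARN}" ]; then
              echo "Environment variable '${ROLE_ARN_VAR_NAME}' is unset or empty; it must contain the role ARN." >&2
              exit 1
            fi
            # CircleCI only issues OIDC tokens to jobs that use at least one
            # context; fail with a clear message instead of a cryptic STS error.
            if [ -z "${CIRCLE_OIDC_TOKEN_V2:-}" ]; then
              echo "CIRCLE_OIDC_TOKEN_V2 is not set; add a context to the job so CircleCI issues an OIDC token." >&2
              exit 1
            fi
            # SEE: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role-with-web-identity.html
            credentials=$(aws sts assume-role-with-web-identity \
              --role-arn "${PARAM_ROLE_ARN}" \
              --web-identity-token "${CIRCLE_OIDC_TOKEN_V2}" \
              --role-session-name "${PARAM_ROLE_SESSION_NAME}" \
              --duration-seconds "${PARAM_DURATION_SECOND}" \
              --query "Credentials" \
              --output "json")
            # Append the exports to BASH_ENV; CircleCI sources it at the start of
            # every subsequent run step. The values are not echoed to the build log.
            {
              echo "export AWS_ACCESS_KEY_ID=\"$(echo "$credentials" | jq -r '.AccessKeyId')\""
              echo "export AWS_SECRET_ACCESS_KEY=\"$(echo "$credentials" | jq -r '.SecretAccessKey')\""
              echo "export AWS_SESSION_TOKEN=\"$(echo "$credentials" | jq -r '.SessionToken')\""
            } >> "${BASH_ENV}"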
executors:
  # Parameterised Python executor; callers may override python-version.
  default:
    parameters:
      python-version:
        # Quoted so the tag is not parsed as the float 3.1.
        default: "3.10"
        type: string
    docker:
      - image: cimg/python:<<parameters.python-version>>
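examples:
  assume-role:
    description: Configure AWS Credentials using OIDC
    usage:
      version: "2.1"
      orbs:
        # Not required by the steps below: assume-role runs aws-cli/install
        # itself. Keep it only if other steps call aws-cli commands directly.
        aws-cli: circleci/aws-cli@2.1.0
        aws-configure-with-oidc: l060ki/aws-configure-with-oidc@0.1.2
      jobs:
        build:
          docker:
            - image: cimg/python:3.10
          environment:
            AWS_REGION: ap-northeast-1
          steps:
            # role-arn is the NAME of the environment variable holding the role
            # ARN; define AWS_IAM_ROLE_ARN in the context, not in this file.
            - aws-configure-with-oidc/assume-role:
                role-arn: AWS_IAM_ROLE_ARN
            - run:
                # `name` must be a string; `name: null` is replaced.
                name: Verify the assumed identity
                command: |
                  aws sts get-caller-identity
      workflows:
        build-and-test:
          jobs:
            - build:
                # A context is required: CircleCI only issues CIRCLE_OIDC_TOKEN_V2
                # to jobs that use at least one context.
                context:
                  - aws-oidc-deploy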