aws-toolkit-azure-devops
roleArn on AWSShellScript
In many cases I use AWSShellScript to execute aws cli commands, but I haven't seen a nice solution for running an AWSShellScript with an assumed role other than the service connection role.
Just like CloudFormationCreateOrUpdateStack takes a roleArn parameter and passes it to CloudFormation, it would be nice if AWSShellScript could do the same: take a roleArn parameter, assume the role and execute the cli command.
Right now I need to script my way out of it (or am I missing something?):
# Assume the target role with the service connection's credentials; the response is JSON
temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::my_account:role/myrole" --role-session-name "MySession")
# Export the temporary credentials so the following aws cli calls use the assumed role
# ("$temp_role" must be quoted so the JSON is passed to jq intact)
export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)
aws s3 ls my-bucket
We have a similar requirement which aws-toolkit-azure-devops doesn't offer out of the box. I have multiple pipelines which each do different things. I have set up IAM roles for each of those pipelines, and I have a single IAM user and a single service connection for it, which only allows it to assume those IAM roles. I have set it up this way so there's only one place to rotate the IAM user credentials, and each pipeline has enough permission to do what it needs and nothing more.
However, I have found it's not possible out of the box to use a service connection, provide an IAM role inside the pipeline YAML file, and have the AWS tasks assume that role automatically.
Best would be that the aws-toolkit-azure-devops tasks would use the `AWS.AssumeRoleArn`, `AWS.RoleSessionName` and `AWS.ExternalId` variables when provided with a service connection, or the individual tasks could take those as parameters, similar to CloudFormationCreateOrUpdateStack as mentioned by @drankard.
I looked into the code; this could be an easy change. The `getCredentials` function in src/lib/awsConnectionParameters.ts would only get the credentials if no service connection was specified. This should be changed so that the variables can override the service connection.
Potentially the `awsCredentials` task input could be an object that would accept the assume-role parameters along with the service connection name.
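The two things the thread asks for, assuming a role from an AWSShellScript step and letting the `AWS.AssumeRoleArn` / `AWS.RoleSessionName` / `AWS.ExternalId` variables override a service connection, are shown together below as an added example. It is not code from aws-toolkit-azure-devops; the `ServiceConnection` and `AssumeRoleParams` shapes, the `resolve_assume_role` precedence rule and the constructed STS response are all assumptions made for the example. Compared with the `export` snippet in the first post, it keeps the temporary credentials in the child process's environment rather than the step's shell, validates the role ARN and session name before calling STS, passes `--external-id` only when one is configured, and refuses a response whose credentials have already expired.

```python
"""Added example (not aws-toolkit-azure-devops code): resolve assume-role settings with
pipeline variables overriding the service connection, build the `aws sts assume-role`
call, and scope the temporary credentials to a child process instead of the step's shell."""
import json
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# STS constraints: RoleSessionName is 2-64 chars of [\w+=,.@-]; role ARNs carry a 12-digit account id.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


@dataclass
class ServiceConnection:
    """Hypothetical stand-in for the toolkit's awsCredentials service connection."""
    access_key_id: str
    secret_access_key: str
    assume_role_arn: Optional[str] = None
    role_session_name: Optional[str] = None
    external_id: Optional[str] = None


@dataclass
class AssumeRoleParams:
    role_arn: str
    role_session_name: str
    external_id: Optional[str] = None


def _pick(var: Optional[str], fallback: Optional[str]) -> Optional[str]:
    """A pipeline variable that is set and non-blank wins over the connection's value."""
    return var.strip() if var and var.strip() else fallback


def resolve_assume_role(conn: ServiceConnection, variables: Dict[str, str]) -> Optional[AssumeRoleParams]:
    """Assumed precedence rule: AWS.* pipeline variables override the service connection."""
    role_arn = _pick(variables.get("AWS.AssumeRoleArn"), conn.assume_role_arn)
    if role_arn is None:
        return None  # nothing to assume: the task uses the connection's own credentials
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"invalid role ARN: {role_arn!r}")
    session_name = _pick(variables.get("AWS.RoleSessionName"), conn.role_session_name) or "AzureDevOpsPipeline"
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    return AssumeRoleParams(role_arn, session_name, _pick(variables.get("AWS.ExternalId"), conn.external_id))


def assume_role_cli_args(params: AssumeRoleParams) -> List[str]:
    """The `aws sts assume-role` invocation; --external-id is added only when configured."""
    args = ["aws", "sts", "assume-role", "--role-arn", params.role_arn,
            "--role-session-name", params.role_session_name, "--output", "json"]
    if params.external_id:
        args += ["--external-id", params.external_id]
    return args


def credentials_env(sts_json: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Map the AssumeRole response onto the three variables the AWS CLI reads,
    refusing credentials that are already expired."""
    creds = json.loads(sts_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise RuntimeError("temporary credentials are already expired")
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def run_with_role(conn: ServiceConnection, variables: Dict[str, str],
                  command: List[str], base_env: Dict[str, str]) -> int:
    """Run `command` with credentials scoped to its own environment; base_env is not mutated."""
    base = {k: v for k, v in base_env.items() if not k.startswith("AWS_")}  # drop stale creds
    conn_env = {**base, "AWS_ACCESS_KEY_ID": conn.access_key_id,
                "AWS_SECRET_ACCESS_KEY": conn.secret_access_key}
    params = resolve_assume_role(conn, variables)
    if params is None:
        env = conn_env
    else:
        sts = subprocess.run(assume_role_cli_args(params), check=True, capture_output=True,
                             text=True, env=conn_env)
        env = {**base, **credentials_env(sts.stdout)}
    return subprocess.run(command, env=env).returncode


# Constructed sample responses in the shape `aws sts assume-role` returns (not real credentials).
SAMPLE_STS_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY000001", "SecretAccessKey": "exampleSecretKey/NotReal",
    "SessionToken": "exampleSessionTokenNotReal", "Expiration": "2099-01-01T00:00:00Z"}})
SAMPLE_EXPIRED_RESPONSE = SAMPLE_STS_RESPONSE.replace("2099-01-01", "2000-01-01")

if __name__ == "__main__":
    conn = ServiceConnection("AKIAEXAMPLE", "not-a-real-secret",
                             assume_role_arn="arn:aws:iam::123456789012:role/connection-role")
    params = resolve_assume_role(conn, {"AWS.AssumeRoleArn": "arn:aws:iam::123456789012:role/pipeline-role"})
    print(assume_role_cli_args(params))
    print(credentials_env(SAMPLE_STS_RESPONSE))
```

`run_with_role` is the only function that needs the real `aws` binary; everything else runs offline against the constructed response, which is what makes the precedence and expiry rules testable in a pipeline repository without live credentials.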