CircleCI-Public / aws-cli-orb

Install and configure the AWS command-line interface (awscli)
https://circleci.com/orbs/registry/orb/circleci/aws-cli
MIT License

AWS profile is not available when using `assume_role_with_web_identity` #158

Closed jenny-miggin closed 1 year ago

jenny-miggin commented 1 year ago

When using the profile_name parameter, the profile name is not shared when using the assume_role_with_web_identity command.

Expected behaviour

When using the `profile_name` parameter in the `assume_role_with_web_identity` command, this profile name should be saved and be made available in later AWS commands.

Actual behaviour

The profile name is not persisted, and the downstream AWS commands fail if a profile is specified.

Steps to reproduce

Given the below sample config.yml:

```yaml
orbs:
  aws-cli: circleci/aws-cli@4.1.0

jobs:
  aws-example:
    docker:
      - image: cimg/aws:2022.06
    steps:
      - checkout
      - aws-cli/assume_role_with_web_identity:
          role_arn: "arn:aws:iam::483285841698:role/my-role"
          region: $AWS_REGION
          session_duration: "900"
          profile_name: default
      - run:
          name: Log-into-AWS-ECR
          command: |
            aws ecr get-login-password --region $AWS_REGION | docker login -u AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
      - run:
          name: list images
          command: |
            aws ecr list-images --repository-name my-image-repo --profile default
```

The list images job fails with the below error:

```
The config profile (default) could not be found
```

If using the setup command instead, the downstream AWS commands work successfully.

brivu commented 1 year ago

Hey @jenny-miggin,

This is the expected behavior. If you run `assume_role_with_web_identity`, it simply generates the keys for you. In order for you to tie it to any profile, you need to run the `aws configure set` commands, which is what happens in the `setup` command.

The purpose of the profile in the assume_role_with_web_identity command is to provide the aws sts assume-role-with-web-identity command with a profile that contains the proper keys that allow this operation to be run.

I think because we already have a valid web-identity-token with the CIRCLE_OIDC_TOKEN_V2, a specific profile is not needed to generate new keys.

-Brian
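
The `aws configure set` step described in the reply above, written out as an added example; it is not code from the orb or from either commenter. It assumes the temporary credentials generated by the assume-role step are present in the standard `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` environment variables of the `run` step, and `persist_profile` is a hypothetical helper name.

```shell
# Added example, not orb code. Assumption: the keys generated by the
# assume-role step are in the standard AWS_* environment variables.
# persist_profile is a hypothetical helper name.

persist_profile() {
    profile="${1:-}"
    region="${2:-}"

    if [ -z "$profile" ]; then
        echo "usage: persist_profile <profile> [region]" >&2
        return 2
    fi

    # Fail closed: never write a partial profile. Temporary STS
    # credentials are unusable without the session token.
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] ||
       [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] ||
       [ -z "${AWS_SESSION_TOKEN:-}" ]; then
        echo "persist_profile: temporary credentials missing, profile '$profile' not written" >&2
        return 1
    fi

    # Subshell so the tightened umask applies only to the files that
    # 'aws configure set' creates under ~/.aws.
    (
        umask 077
        aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$profile" &&
        aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$profile" &&
        aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$profile"
    ) || return 1

    if [ -n "$region" ]; then
        aws configure set region "$region" --profile "$profile" || return 1
    fi

    # Confirm the named profile now resolves to the assumed role before
    # later steps depend on --profile.
    aws sts get-caller-identity --profile "$profile" >/dev/null
}

# Usage inside a CircleCI run step, after the assume-role step:
#   persist_profile default "$AWS_REGION"
```

The profile holds session credentials, so it stops working when the `session_duration` requested in the assume-role step runs out.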