Closed ROunofF closed 4 months ago
Example pipeline: you add the AWSTemporaryCredentials task first and the credentials are available in subsequent tasks, including non-AWS tasks (see the Bash task for how to import the variables).
This could probably be added to the README?
```yaml
steps:
- task: AWSTemporaryCredentials@1
  displayName: 'Getting STS Credentials'
  inputs:
    azureSubscription: 'azuredo-poc'
    regionName: 'ca-central-1'
    assumeRole: arn:aws:iam::012345678901:role/azdo-s3-read
- task: AWSShellScript@1
  displayName: 'AWS Shell script no awsCredentials'
  continueOnError: true
  inputs:
    regionName: 'ca-central-1'
    scriptType: inline
    inlineScript: |
      export
      aws sts get-caller-identity
      aws s3 ls
- script: sudo apt-get install -y awscli
  displayName: Install AWS CLI # making sure we have the aws-cli for the non-aws task
- task: Bash@3
  displayName: 'Using bash script task with regular export'
  continueOnError: true
  inputs:
    targetType: 'inline'
    script: |
      export AWS_ACCESS_KEY_ID=$(AWS.ACCESS_KEY_ID)
      export AWS_SECRET_ACCESS_KEY=$(AWS.SECRET_ACCESS_KEY)
      export AWS_SESSION_TOKEN=$(AWS.SESSION_TOKEN)
      aws s3 ls --region ca-central-1
- task: AWSCLI@1
  displayName: 'via AWSCLI: Running aws-cli get-caller-identity'
  continueOnError: true
  inputs:
    regionName: 'ca-central-1'
    awsCommand: 'sts'
    awsSubCommand: 'get-caller-identity'
```
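As an added illustration of the flow this PR describes (pipeline OIDC token, exchanged at STS for temporary credentials, then exposed to later tasks as `$(AWS.ACCESS_KEY_ID)` and friends), and not code from the toolkit or from anyone in this thread: the script below models the IAM role trust policy that STS evaluates for `AssumeRoleWithWebIdentity`, checks constructed test tokens against it, and builds the Azure Pipelines logging commands that publish the returned credentials as pipeline variables. The issuer URL, audience, `sc://org/project/service-connection` subject format, the OIDC provider ARN and the use of `issecret=true` are assumptions, not facts from the PR; STS, not this script, verifies the token signature against the issuer's JWKS.

```python
"""Model of OIDC -> STS federation for an Azure DevOps pipeline (added example).
Assumptions (not from the PR): Azure DevOps issuer/audience/subject formats,
the OIDC provider ARN, and that the task marks the variables as secrets."""
import base64
import json
import re

# Assumed Azure DevOps OIDC token shape; the role ARN is the one in the thread.
ASSUMED_ISSUER = "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
ASSUMED_AUDIENCE = "api://AzureADTokenExchange"
ASSUMED_SUBJECT = "sc://my-org/my-project/azuredo-poc"  # sc://org/project/service-connection
ROLE_ARN = "arn:aws:iam::012345678901:role/azdo-s3-read"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _provider(issuer: str) -> str:
    """IAM names OIDC condition keys '<issuer without https://>:aud' / ':sub'."""
    return issuer[len("https://"):] if issuer.startswith("https://") else issuer


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed test token (header.payload.fake-signature) for the policy
    check below only; a real token carries the issuer's RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'not-a-real-signature')}"


def decode_claims(token: str) -> dict:
    """Payload decode only, no signature check: what you look at to decide
    which claims the trust policy must pin."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy(issuer: str, subject_pattern: str, audience: str) -> dict:
    """Role trust policy for the assumed role. Pinning sub to the service
    connection is what keeps other pipelines in the same org out."""
    provider = _provider(issuer)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::012345678901:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": audience},
                "StringLike": {f"{provider}:sub": subject_pattern},
            },
        }],
    }


def _claim_values(claims: dict, name: str) -> list:
    value = claims.get(name)
    return value if isinstance(value, list) else ([] if value is None else [value])


def _string_like(pattern: str, value: str) -> bool:
    # IAM StringLike: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def policy_allows(policy: dict, token: str) -> bool:
    """Evaluate the trust policy conditions the way STS does after it has
    verified the signature: principal must be this token's issuer, every
    StringEquals/StringLike condition must match a claim value."""
    claims = decode_claims(token)
    provider = _provider(claims["iss"])
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"]["Federated"].endswith(f"oidc-provider/{provider}"):
            continue
        cond = stmt.get("Condition", {})
        eq_ok = all(any(v == want for v in _claim_values(claims, key.rsplit(":", 1)[1]))
                    for key, want in cond.get("StringEquals", {}).items())
        like_ok = all(any(_string_like(pat, v) for v in _claim_values(claims, key.rsplit(":", 1)[1]))
                      for key, pat in cond.get("StringLike", {}).items())
        if eq_ok and like_ok:
            return True
    return False


def setvariable_commands(creds: dict) -> list:
    """Logging commands that publish STS 'Credentials' as pipeline variables,
    read by later tasks as $(AWS.ACCESS_KEY_ID) etc. issecret=true (assumed
    here) keeps them masked in logs and out of the default environment."""
    mapping = {
        "AWS.ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS.SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS.SESSION_TOKEN": creds["SessionToken"],
    }
    return [f"##vso[task.setvariable variable={name};issecret=true]{value}"
            for name, value in mapping.items()]
```

The check worth carrying over to a real deployment is the `sub` condition: with only the `aud` pinned, any pipeline whose service connection issues tokens from the same issuer can assume `azdo-s3-read`; pinning `sub` to the service connection (or a narrow wildcard such as `sc://my-org/my-project/*`) limits the role to the intended project.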
/retryBuild
Closing in favor of #558
Description
Create a new task, AWSTemporaryCredentials, that uses the OIDC token to federate and get temporary AWS credentials from the STS service.
Motivation
This aligns with the security best practice of not storing static credentials. Adding a task this way allows it to be flexible and even reusable across non-AWS tasks.
Related Issue(s), If Filed
521
PR #550 is taking a different approach but would need all tasks to be modified.
Testing
Checklist
npm run newChange
License
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.