CloudBees action: Configure AWS credentials

Configure Amazon Web Services (AWS) Identity and Access Management (IAM) credentials, credential files, and a region for use in CloudBees workflows. This action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions. Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details
Input name	Data type	Required?	Description
`aws-access-key-id`	String	Yes	The AWS access key ID.
`aws-secret-access-key`	String	Yes	The AWS secret key.
`aws-region`	String	Yes	The AWS region.
`role-to-assume`	String	No	The AWS role to assume.
`role-external-id`	String	No	The AWS role external ID.
`role-duration-seconds`	String	No	The AWS role duration, in seconds.
`role-session-name`	String	No	The AWS role session name.
`role-chaining`	Boolean	No	Whether there is chaining of the AWS roles. Default value is `false`, specifying no chaining.
`inline-session-policy`	JSON	No	The AWS inline role session policy.
`managed-session-policy`	String	No	The AWS managed role session policy.

Usage examples

Two methods for fetching credentials from AWS are supported: AssumeRole and authenticate as user.

AssumeRole with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
          role-duration-seconds: 1200
          role-session-name: MySessionName▼

Authenticate as a user with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2▼

AssumeRole using previous credentials

This is effectively the same as the AssumeRole with static IAM credentials in secrets method above, but allows for more complex use cases that require switching roles.

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

    # ...

      - name: Configure other AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::987654321000:role/my-second-role
          role-session-name: MySessionName
          role-chaining: true▼

Inline session policy

You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line, or formatted.

Single-line JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'▼

Formatted JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: >-
            {
             "Version": "2012-10-17",
             "Statement": [
              {
               "Sid":"Stmt1",
               "Effect":"Allow",
               "Action":"s3:List*",
               "Resource":"*"
              }
             ]
            }▼

Managed session policies

You can use Amazon Resource Names (ARNs) of the IAM managed policies as managed session policies. The policies must exist in the same account as the role.

Pass a single managed policy as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess▼

Pass multiple managed policies as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           managed-session-policies: |
            arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
            arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess▼