Introduction
Architecture
Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryRegister a build artifactRegister a deployed environment artifactStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with SpinnakerRun Ansible PlaybookDeploy with HerokuDeploy with AWS CodeDeployDeploy with AWS Elastic BeanstalkDeploy with Tosca
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
CI insights for Jenkins

CloudBees action: Configure AWS credentials

3 minute read

Configure Amazon Web Services (AWS) Identity and Access Management (IAM) credentials, credential files, and a region for use in CloudBees workflows. This action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions. Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Additional information about aws-session-token

CloudBees recommends using this token only when OpenID Connect (OIDC) authentication is not possible.

The aws-session-token is used when temporary session credentials are needed. However, users are encouraged to use OpenID Connect (OIDC) authentication instead, as it simplifies credential management and avoids the need to update session tokens manually. The aws-session-token is best suited for complex workflows where OIDC authentication may not be an option, though OIDC is typically the preferred approach.

If using a long-term IAM user, a session token is not necessary. However, CloudBees recommends using a dedicated AWS IAM user with minimal permissions only when OIDC integration is not possible. For such use cases, an IAM policy similar to the following must be assigned to allow the creation of long-term credentials:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:UpdateAccessKey",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::account-id:user/username"
    }
  ]
}
Replace account-id with your AWS account ID and username with the name of the IAM user.

Inputs

Table 1. Input details
Input name Data type Required? Description

aws-access-key-id

String

Yes

The AWS access key ID.

aws-secret-access-key

String

Yes

The AWS secret key.

aws-session-token

String

No

The AWS session token to use. Required for temporary credentials and most common authentication setups.

aws-region

String

Yes

The AWS region.

role-to-assume

String

No

The AWS role to assume.

role-external-id

String

No

The AWS role external ID.

role-duration-seconds

String

No

The AWS role duration, in seconds.

role-session-name

String

No

The AWS role session name.

role-chaining

Boolean

No

Whether there is chaining of the AWS roles. Default value is false, specifying no chaining.

inline-session-policy

JSON

No

The AWS inline role session policy.

managed-session-policy

String

No

The AWS managed role session policy.

Usage examples

Two methods for fetching credentials from AWS are supported: AssumeRole and authenticate as user.

AssumeRole with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
          role-duration-seconds: 1200
          role-session-name: MySessionName

Authenticate as a user with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

AssumeRole using previous credentials

This is effectively the same as the AssumeRole with static IAM credentials in secrets method above, but allows for more complex use cases that require switching roles.

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

    # ...

      - name: Configure other AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::987654321000:role/my-second-role
          role-session-name: MySessionName
          role-chaining: true

Inline session policy

You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line, or formatted.

Single-line JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'

Formatted JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: >-
            {
             "Version": "2012-10-17",
             "Statement": [
              {
               "Sid":"Stmt1",
               "Effect":"Allow",
               "Action":"s3:List*",
               "Resource":"*"
              }
             ]
            }

Managed session policies

You can use Amazon Resource Names (ARNs) of the IAM managed policies as managed session policies. The policies must exist in the same account as the role.

Pass a single managed policy as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Pass multiple managed policies as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           managed-session-policies: |
            arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
            arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess
Introduction
ECR credentials