CloudBees action: Configure AWS credentials

2 minute read

Configure Amazon Web Services (AWS) Identity and Access Management (IAM) credentials, credential files, and a region for use in CloudBees workflows. This action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions. Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details
Input name Data type Required? Description

aws-access-key-id

String

Yes

The AWS access key ID.

aws-secret-access-key

String

Yes

The AWS secret key.

aws-region

String

Yes

The AWS region.

role-to-assume

String

No

The AWS role to assume.

role-external-id

String

No

The AWS role external ID.

role-duration-seconds

String

No

The AWS role duration, in seconds.

role-session-name

String

No

The AWS role session name.

role-chaining

Boolean

No

Whether there is chaining of the AWS roles. Default value is false, specifying no chaining.

inline-session-policy

JSON

No

The AWS inline role session policy.

managed-session-policy

String

No

The AWS managed role session policy.

Usage examples

Two methods for fetching credentials from AWS are supported: AssumeRole and authenticate as user.

AssumeRole with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
          role-duration-seconds: 1200
          role-session-name: MySessionName

Authenticate as a user with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

AssumeRole using previous credentials

This is effectively the same as the AssumeRole with static IAM credentials in secrets method above, but allows for more complex use cases that require switching roles.

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

    # ...

      - name: Configure other AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::987654321000:role/my-second-role
          role-session-name: MySessionName
          role-chaining: true

Inline session policy

You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line, or formatted.

Single-line JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'

Formatted JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: >-
            {
             "Version": "2012-10-17",
             "Statement": [
              {
               "Sid":"Stmt1",
               "Effect":"Allow",
               "Action":"s3:List*",
               "Resource":"*"
              }
             ]
            }

Managed session policies

You can use Amazon Resource Names (ARNs) of the IAM managed policies as managed session policies. The policies must exist in the same account as the role.

Pass a single managed policy as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Pass multiple managed policies as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           managed-session-policies: |
            arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
            arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess