Configure Amazon Web Services Identity and Access Management (IAM) credentials, Amazon Elastic Container Registry (ECR) credentials, and Amazon Elastic Kubernetes Service (EKS) credentials for use in CloudBees workflows.
The configure-aws-credentials action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions.
Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.
ECR and EKS credential actions both require AWS credentials to be configured first.
About aws-session-token
|
CloudBees recommends using this token only when OpenID Connect (OIDC) authentication is not possible. |
The aws-session-token is used when temporary session credentials are needed.
Use OpenID Connect (OIDC) authentication instead where possible, as it simplifies credential management and avoids manually updating session tokens.
The aws-session-token is best suited for complex workflows where OIDC authentication is not an option.
If using a long-term IAM user, a session token is not necessary. CloudBees recommends using a dedicated AWS IAM user with minimal permissions only when OIDC integration is not possible. For such use cases, assign an IAM policy similar to the following to allow the creation of long-term credentials:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey", "iam:ListAccessKeys" ], "Resource": "arn:aws:iam::account-id:user/username" } ] }
Replace account-id with your AWS account ID and username with the name of the IAM user.
|
AssumeRole with static IAM credentials
The following example assumes a role using static IAM credentials stored in secrets:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }} role-duration-seconds: 1200 role-session-name: MySessionName
Authenticate as a user with static IAM credentials
The following example authenticates directly as an IAM user using static credentials stored in secrets:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-2
AssumeRole using previous credentials
This method allows role chaining for complex workflows that require switching roles.
Use an inline session policy
You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line or formatted.
Single-line JSON:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'
Formatted JSON:
Use managed session policies
You can use Amazon Resource Names (ARNs) of IAM managed policies as managed session policies. The policies must exist in the same account as the role.
Pass a single managed policy:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Pass multiple managed policies:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: managed-session-policies: | arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
|
String |
Yes |
The AWS access key ID. |
|
String |
Yes |
The AWS secret key. |
|
String |
No |
The AWS session token to use. Required for temporary credentials and most common authentication setups. |
|
String |
Yes |
The AWS region. |
|
String |
No |
The AWS role to assume. |
|
String |
No |
The AWS role external ID. |
|
String |
No |
The AWS role duration, in seconds. |
|
String |
No |
The AWS role session name. |
|
Boolean |
No |
Whether there is chaining of the AWS roles.
Default value is |
|
JSON |
No |
The AWS inline role session policy. |
|
String |
No |
The AWS managed role session policy. |
Configure Amazon ECR credentials
The configure-ecr-credentials action logs in to one or more ECR private registries or to an ECR public registry.
|
Before using this action, add the following steps to your workflow:
Refer to the AssumeRole with static IAM credentials or Authenticate as a user with static IAM credentials sections above for details. |
Log in to ECR and push a container image
The following example logs in to an ECR private registry, then builds, tags, and pushes a container image to it:
- name: Log in to ECR id: login-ecr uses: https://github.com/cloudbees-io/configure-ecr-credentials@v1 - name: Build, tag, and push a container image to ECR uses: https://github.com/cloudbees-io/kaniko@v1 with: destination: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-ecr-repo:latest
Log in to ECR and push a Helm chart
The following example logs in to an ECR private registry, then packages and pushes a Helm chart to it:
| Helm and Kaniko use the same credential store, so you can use the same credentials for both. |
Log in to ECR on multiple AWS accounts
The following example configures AWS credentials and then provides cross-account access:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role aws-region: eu-west-2 - name: Log in to ECR id: login-ecr uses: https://github.com/cloudbees-io/configure-ecr-credentials@v1 with: registries: "123456789012,998877665544"
|
The repository on account Refer to AWS documentation on allowing secondary account access for how to correctly configure ECR policies. |
Log in to ECR in multiple regions
By default, only the current AWS region is configured. To configure multiple regions, provide a comma-separated list of regions:
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role aws-region: us-east-1 - name: Log in to ECR id: login-ecr uses: https://github.com/cloudbees-io/configure-ecr-credentials@v1 with: regions: eu-west-2,ap-south-2,ap-southeast-2
Configure Amazon EKS credentials
The configure-eks-credentials action updates ~/.kube/config with credentials for connecting to an Amazon Elastic Kubernetes Service cluster.
|
Before using this action, add the following steps to your workflow:
Refer to the AssumeRole with static IAM credentials or Authenticate as a user with static IAM credentials sections above for details. |
Authenticate with the current credentials role
The following example authenticates to Amazon Elastic Kubernetes Service with the current credentials role:
- name: Login to Amazon EKS uses: https://github.com/cloudbees-io/configure-eks-credentials@v1 with: name: my-eks-cluster-name - name: Do some things with the cluster uses: docker://alpine/k8s:latest run: | kubectl apply -k ...
Assume a different role
To get correct credentials for Amazon Elastic Kubernetes Service, you may need to assume a role different from your current role.
| The current Amazon Web Services credentials must be able to assume the role. |
- name: Log in to Amazon EKS uses: https://github.com/cloudbees-io/configure-eks-credentials@v1 with: name: my-eks-cluster-name role-to-assume: my-eks-admin-role - name: Do some things with the cluster uses: docker://alpine/k8s:latest run: | helm install ...
To assume a different role, use the role-session-name and role-external-id inputs from the AWS credentials inputs.
|
Connect to multiple clusters
Merge credentials into ~/.kube/config by chaining multiple configure-eks-credentials steps.
This lets you authenticate to multiple EKS clusters or switch between different authentications for the same cluster.
| The workflow always sets the current context, so the last one takes precedence. |
Connect to a cluster in a different region
To authenticate to AWS, you must specify the region to connect to.
By default, the cluster must be in the same region as the configured AWS region.
If you specify the region input on the EKS action, you can connect to a cluster in a different region without updating the AWS-configured region.
| Combine this with the Connect to multiple clusters approach to apply operations across multiple regions. |
- name: Configure AWS credentials uses: https://github.com/cloudbees-io/configure-aws-credentials@v1 with: role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role aws-region: eu-west-2 - name: Log in to Amazon EKS cluster in a different region uses: https://github.com/cloudbees-io/configure-eks-credentials@v1 with: name: my-eks-cluster-name region: us-east-2