CloudBees action: Configure AWS credentials

Configure Amazon Web Services (AWS) Identity and Access Management (IAM) credentials, credential files, and a region for use in CloudBees workflows. This action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions to use. Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.

Inputs

Table 1. Input details

Input name	Data type	Required?	Description
`aws-access-key-id`	String	Yes	The AWS access key ID.
`aws-secret-access-key`	String	Yes	The AWS secret key.
`aws-region`	String	Yes	The AWS region.
`role-to-assume`	String	No	The AWS role to assume.
`role-external-id`	String	No	The AWS role external ID.
`role-duration-seconds`	String	No	The AWS role duration, in seconds.
`role-session-name`	String	No	The AWS role session name.
`role-chaining`	Boolean	No	Whether there is chaining of the AWS roles. Default value is `false`, specifying no chaining.
`inline-session-policy`	JSON	No	The AWS inline role session policy.
`managed-session-policy`	String	No	The AWS managed role session policy.

Usage examples

Two methods for fetching credentials from AWS are supported: AssumeRole and authenticate as user.

AssumeRole with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
          role-duration-seconds: 1200
          role-session-name: MySessionName

Authenticate as a user with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

AssumeRole using previous credentials

This is effectively the same as the AssumeRole with static IAM credentials in secrets method above, but allows for more complex use cases that require switching roles.

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

    # ...

      - name: Configure other AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::987654321000:role/my-second-role
          role-session-name: MySessionName
          role-chaining: true

Inline session policy

You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line, or formatted.

Single-line JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'

Formatted JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: >-
            {
             "Version": "2012-10-17",
             "Statement": [
              {
               "Sid":"Stmt1",
               "Effect":"Allow",
               "Action":"s3:List*",
               "Resource":"*"
              }
             ]
            }

Managed session policies

You can use Amazon Resource Names (ARNs) of the IAM managed policies as managed session policies. The policies must exist in the same account as the role.

Pass a single managed policy as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Pass multiple managed policies as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           managed-session-policies: |
            arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
            arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess

License

This code is made available under the MIT license.

References

Learn more about using actions in CloudBees workflows.
Learn about the CloudBees platform.

Name		Name	Last commit message	Last commit date
Latest commit History 17 Commits
.cloudbees		.cloudbees
cmd		cmd
internal		internal
.gitignore		.gitignore
Dockerfile		Dockerfile
LICENSE.txt		LICENSE.txt
Makefile		Makefile
README.adoc		README.adoc
action.yml		action.yml
go.mod		go.mod
go.sum		go.sum
main.go		main.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CloudBees action: Configure AWS credentials

Inputs

Usage examples

AssumeRole with static IAM credentials in secrets

Authenticate as a user with static IAM credentials in secrets

AssumeRole using previous credentials

Inline session policy

Managed session policies

License

References

About

Releases

Packages

Contributors 6

Languages

License

cloudbees-io/configure-aws-credentials

Folders and files

Latest commit

History

Repository files navigation

CloudBees action: Configure AWS credentials

Inputs

Usage examples

AssumeRole with static IAM credentials in secrets

Authenticate as a user with static IAM credentials in secrets

AssumeRole using previous credentials

Inline session policy

Managed session policies

License

References

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 6

Languages

Packages