diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml index 3639b3c..c157e5c 100644 --- a/.circleci/test-deploy.yml +++ b/.circleci/test-deploy.yml @@ -56,6 +56,9 @@ jobs: region: type: string default: ${AWS_DEFAULT_REGION} + set_aws_env_vars: + type: boolean + default: true executor: <> steps: - aws-cli/setup: @@ -70,6 +73,7 @@ jobs: configure_default_region: <> configure_profile_region: <> region: <> + set_aws_env_vars: <> - run: name: Test that paging is disabled command: |- @@ -170,7 +174,14 @@ workflows: context: [CPE-OIDC] executor: docker-base role_session_name: "test-Sess!on Wi7h inv^l!d-characters that's longer than 64 chars" + set_aws_env_vars: false post-steps: + - run: + name: Check for temporary file containing keys + command: | + if [ ! -f "/tmp/default.keys" ]; then + exit 1 + fi - run: name: Check Values of Expanded Variables command: | diff --git a/src/commands/assume_role_with_web_identity.yml b/src/commands/assume_role_with_web_identity.yml index 24e9c7a..f731380 100644 --- a/src/commands/assume_role_with_web_identity.yml +++ b/src/commands/assume_role_with_web_identity.yml @@ -33,13 +33,22 @@ parameters: type: string default: ${AWS_DEFAULT_REGION} + set_aws_env_vars: + description: | + Write AWS keys generated from OIDC to a temporary file. + Set to false if generating keys for multiple profiles. + By default, the keys are written to $BASH_ENV. + type: boolean + default: true + steps: - run: - name: Generate shortlived AWS Keys using CircleCI OIDC token. + name: Generate short lived AWS Keys using CircleCI OIDC token. environment: AWS_CLI_STR_ROLE_ARN: <> AWS_CLI_STR_ROLE_SESSION_NAME: <> AWS_CLI_INT_SESSION_DURATION: <> AWS_CLI_STR_PROFILE_NAME: <> AWS_CLI_STR_REGION: <> + AWS_CLI_BOOL_SET_AWS_ENV_VARS: <> command: <> diff --git a/src/commands/setup.yml b/src/commands/setup.yml index afc7a37..1bc1213 100644 --- a/src/commands/setup.yml +++ b/src/commands/setup.yml 
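Review bot: The new post-step in the workflow hunk only asserts that `/tmp/default.keys` exists, so a run that produced an empty or truncated file still passes, and the plaintext credentials are left in /tmp for the rest of the job. Checking the content is one more line, `grep -q '^export AWS_CLI_STR_SESSION_TOKEN=' /tmp/default.keys || exit 1`, and the step should end with `rm -f /tmp/default.keys` so the test job does not keep the temporary key material around. The bare `exit 1` would be easier to diagnose with `echo "expected /tmp/default.keys to exist"` before it. The hard-coded `default` presumably relies on the profile_name parameter default; a comment saying so would help the next person who changes that default.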
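Review bot: The description of `set_aws_env_vars` reads as if the keys go to a temporary file by default, but the script writes them to `$BASH_ENV` when the parameter is true and to `/tmp/<profile>.keys` only when it is false, so the first and third sentences contradict each other. Suggested wording: `When true (the default), the short-lived keys obtained via OIDC are exported into $BASH_ENV. Set to false to write them to a per-profile temporary file instead, e.g. when generating keys for multiple profiles.` The same text is duplicated in the src/commands/setup.yml hunk and should be changed there as well.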
@@ -92,6 +92,14 @@ parameters: type: string default: "3600" + set_aws_env_vars: + description: | + Write AWS keys generated from OIDC to a temporary file. + Set to false if generating keys for multiple profiles. + By default, the keys are written to $BASH_ENV. + type: boolean + default: true + steps: - install: version: <> @@ -111,6 +119,7 @@ steps: session_duration: <> profile_name: <> region: <> + set_aws_env_vars: <> - run: name: Configure AWS Access Key ID environment: @@ -120,4 +129,5 @@ steps: AWS_CLI_BOOL_CONFIG_DEFAULT_REGION: <> AWS_CLI_BOOL_CONFIG_PROFILE_REGION: <> AWS_CLI_STR_REGION: <> + AWS_CLI_BOOL_SET_AWS_ENV_VARS: <> command: <> diff --git a/src/scripts/assume_role_with_web_identity.sh b/src/scripts/assume_role_with_web_identity.sh index 2f0e4b1..dadc391 100644 --- a/src/scripts/assume_role_with_web_identity.sh +++ b/src/scripts/assume_role_with_web_identity.sh @@ -4,12 +4,11 @@ AWS_CLI_STR_ROLE_ARN="$(echo "${AWS_CLI_STR_ROLE_ARN}" | circleci env subst)" AWS_CLI_STR_PROFILE_NAME="$(echo "${AWS_CLI_STR_PROFILE_NAME}" | circleci env subst)" AWS_CLI_STR_REGION="$(echo "${AWS_CLI_STR_REGION}" | circleci env subst)" AWS_CLI_INT_SESSION_DURATION="$(echo "${AWS_CLI_INT_SESSION_DURATION}" | circleci env subst)" +AWS_CLI_BOOL_SET_AWS_ENV_VARS="$(echo "${AWS_CLI_BOOL_SET_AWS_ENV_VARS}" | circleci env subst)" -# Sanitise role session name -# Remove invalid characters AWS_CLI_STR_ROLE_SESSION_NAME=$(echo "${AWS_CLI_STR_ROLE_SESSION_NAME}" | tr -sC 'A-Za-z0-9=,.@_\-' '-') -# Trim to 64 characters AWS_CLI_STR_ROLE_SESSION_NAME=$(echo "${AWS_CLI_STR_ROLE_SESSION_NAME}" | cut -c -64) + if [ -z "${AWS_CLI_STR_ROLE_SESSION_NAME}" ]; then echo "Role session name is required" exit 1 
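Review bot: The assume_role_with_web_identity.sh hunk drops the three comments that explained why the role session name is piped through `tr -sC 'A-Za-z0-9=,.@_\-' '-'` and `cut -c -64`, leaving two non-obvious lines undocumented on the new side. Keep a short header above them, e.g. `# Sanitise role session name: replace characters AWS does not accept and trim to the 64-character limit`. The added `AWS_CLI_BOOL_SET_AWS_ENV_VARS` substitution line follows the existing pattern; the rest of the script continues outside the hunk.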
@@ -40,17 +39,25 @@ $(aws sts assume-role-with-web-identity \ --output text) EOF -temp_file="/tmp/${AWS_CLI_STR_PROFILE_NAME}.keys" -touch "$temp_file" - if [ -z "${AWS_ACCESS_KEY_ID}" ] || [ -z "${AWS_SECRET_ACCESS_KEY}" ] || [ -z "${AWS_SESSION_TOKEN}" ]; then echo "Failed to assume role"; exit 1 +elif [ "${AWS_CLI_BOOL_SET_AWS_ENV_VARS}" = 1 ]; then + { + echo "export AWS_CLI_STR_ACCESS_KEY_ID=\"${AWS_ACCESS_KEY_ID}\"" + echo "export AWS_CLI_STR_SECRET_ACCESS_KEY=\"${AWS_SECRET_ACCESS_KEY}\"" + echo "export AWS_CLI_STR_SESSION_TOKEN=\"${AWS_SESSION_TOKEN}\"" + } >> "$BASH_ENV" + + echo "AWS keys successfully written to BASH_ENV" else + temp_file="/tmp/${AWS_CLI_STR_PROFILE_NAME}.keys" + touch "$temp_file" { echo "export AWS_CLI_STR_ACCESS_KEY_ID=\"${AWS_ACCESS_KEY_ID}\"" echo "export AWS_CLI_STR_SECRET_ACCESS_KEY=\"${AWS_SECRET_ACCESS_KEY}\"" echo "export AWS_CLI_STR_SESSION_TOKEN=\"${AWS_SESSION_TOKEN}\"" } >> "$temp_file" - echo "Assume role with web identity succeeded" -fi + + echo "AWS keys successfully written to ${AWS_CLI_STR_PROFILE_NAME}.keys" +fi \ No newline at end of file diff --git a/src/scripts/configure.sh b/src/scripts/configure.sh index 9dd5cdd..8f0ae32 100644 --- a/src/scripts/configure.sh +++ b/src/scripts/configure.sh 
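Review bot: In the new else branch the per-profile keys file is created with `touch "$temp_file"` under the process umask and then appended to, so unless the umask is restrictive the secret access key and session token land in a world-readable file in the shared /tmp directory, and repeated invocations for the same profile accumulate stale credentials in it. Create it with owner-only permissions before any secret is written and truncate rather than append: replace `touch "$temp_file"` with `(umask 077 && : > "$temp_file")` and `} >> "$temp_file"` with `} > "$temp_file"` (the `>>` on `$BASH_ENV` is correct, since that file is meant to accumulate exports). The path also embeds `AWS_CLI_STR_PROFILE_NAME` unsanitised, so a profile name containing `/` or `..` changes where the file is written; rejecting such names or applying `basename` is cheap. Note that the `elif [ "${AWS_CLI_BOOL_SET_AWS_ENV_VARS}" = 1 ]` test sends an empty or unset value to the file branch, whereas the `= 0` test added in configure.sh sends the same empty value to the BASH_ENV branch, so the two scripts should agree on the default.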
@@ -5,10 +5,14 @@ AWS_CLI_STR_SECRET_ACCESS_KEY="$(echo "\$$AWS_CLI_STR_SECRET_ACCESS_KEY" | circl AWS_CLI_STR_SESSION_TOKEN="$(echo "$AWS_CLI_STR_SESSION_TOKEN" | circleci env subst)" AWS_CLI_STR_REGION="$(echo "$AWS_CLI_STR_REGION" | circleci env subst)" AWS_CLI_STR_PROFILE_NAME="$(echo "$AWS_CLI_STR_PROFILE_NAME" | circleci env subst)" +AWS_CLI_BOOL_SET_AWS_ENV_VARS="$(echo "$AWS_CLI_BOOL_SET_AWS_ENV_VARS" | circleci env subst)" -if [ -z "$AWS_CLI_STR_ACCESS_KEY_ID" ] && [ -z "${AWS_CLI_STR_SECRET_ACCESS_KEY}" ]; then +if [ -z "$AWS_CLI_STR_ACCESS_KEY_ID" ] && [ -z "${AWS_CLI_STR_SECRET_ACCESS_KEY}" ] && [ "$AWS_CLI_BOOL_SET_AWS_ENV_VARS" = 0 ]; then temp_file="/tmp/${AWS_CLI_STR_PROFILE_NAME}.keys" . "$temp_file" +else + touch "${BASH_ENV}" + . "${BASH_ENV}" fi aws configure set aws_access_key_id \ @@ -33,4 +37,3 @@ if [ "$AWS_CLI_BOOL_CONFIG_PROFILE_REGION" -eq "1" ]; then aws configure set region "$AWS_CLI_STR_REGION" \ --profile "$AWS_CLI_STR_PROFILE_NAME" fi -
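Review bot: The new condition `[ "$AWS_CLI_BOOL_SET_AWS_ENV_VARS" = 0 ]` treats an empty value as "use BASH_ENV", while the assume-role script's `= 1` test treats the same empty value as "use the temp file", so any caller that runs this script without the new environment variable (if one exists besides setup.yml, which this diff does update) would write keys to `/tmp/<profile>.keys` and then never read them. Mirror the other script with `[ "$AWS_CLI_BOOL_SET_AWS_ENV_VARS" != 1 ]`, or default explicitly with `"${AWS_CLI_BOOL_SET_AWS_ENV_VARS:-1}"`. The new `else` branch also runs when access keys were passed directly, so `touch "${BASH_ENV}"` and `. "${BASH_ENV}"` execute on every non-file path; bash already sources `$BASH_ENV` when it starts a non-interactive shell, which is how CircleCI propagates it between steps, and if the variable is ever unset `touch ""` fails, so consider guarding with `[ -n "${BASH_ENV:-}" ]` or dropping the branch. Sourcing a file under /tmp whose name is derived from the profile parameter executes whatever is there, so the pre-existing `. "$temp_file"` deserves at least `[ -f "$temp_file" ] || { echo "missing $temp_file"; exit 1; }` in front of it.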