Comments (4)
Hey @blimmer,

Thanks for opening this issue. I've been going back and forth on how to handle the `assume_role_with_web_identity` command, so I'm glad we have an opportunity to learn more.

As of today, the `assume_role_with_web_identity` command only generates new temporary keys and exports them to `$BASH_ENV`. It does not tie the keys to a specific profile, which has been causing some confusion.

However, in the `setup` command, if there is a `role_arn`, the `assume_role_with_web_identity` command is run. Once the keys are generated, they are passed through the `configure.sh` script, which ties the keys to a specific profile by running the CLI's `aws configure set` commands. That's the only reason why the keys and session token are stored as environment variables.

The intent with `assume_role_with_web_identity` was always to tie the generated keys to a profile, so I've been considering removing the command and just consolidating it into the `setup` command (similar to the `configure` script).

With your suggestion, if we use `configure_aws_environment_variables: false`, the `assume_role_with_web_identity` command will essentially do nothing other than generate keys. They won't be tied to any profile nor be exported as environment variables.

In your use case above, are you able to run the `aws-cli/setup` command twice (once for each profile)? That way, you can have a profile for your build process and one for your deploy process. When you run your build and deploy processes, you can tie the appropriate profile to each command.

Let me know if I am missing anything!

Brian
from aws-cli-orb.
Hi @brivu, thanks for the quick and detailed response!

In my use case, yep, I was calling `aws-cli/setup` twice. This appropriately configured the profiles, but it still left the `AWS_*` environment variables in the `$BASH_ENV`. I think I could have explicitly overridden the downstream consumer (a legacy JavaScript tool that uses aws-sdk@2) to specify a profile and ignore the environment variables but, by default, it was using the environment variables, not the `default` profile.

I worked around the problem like this:

```yaml
- run: touch $BASH_ENV && cp $BASH_ENV "$BASH_ENV.bak"
- aws-cli/setup:
    profile_name: codeartifact
    role_arn: << parameters.readonly_iam_role >>
    configure_default_region: false
    configure_profile_region: true
    region: us-west-2
- run: mv "$BASH_ENV.bak" "$BASH_ENV"
- run: aws codeartifact get-authorization-token --profile codeartifact
```

However, it would be nice if I could somehow specify to the orb, "just create the profile, don't mess with my environment".
Hey @blimmer,

Thanks for the clarification, it makes a lot of sense now. Your workaround is pretty slick!

In terms of a solution for the orb, the `config.sh` script uses the values stored in environment variables to create profiles located in the `~/.aws/credentials` file by running the commands below:

```bash
aws configure set aws_access_key_id \
  "$AWS_CLI_STR_ACCESS_KEY_ID" \
  --profile "$AWS_CLI_STR_PROFILE_NAME"
aws configure set aws_secret_access_key \
  "$AWS_CLI_STR_SECRET_ACCESS_KEY" \
  --profile "$AWS_CLI_STR_PROFILE_NAME"
if [ -n "${AWS_SESSION_TOKEN}" ]; then
  aws configure set aws_session_token \
    "${AWS_SESSION_TOKEN}" \
    --profile "$AWS_CLI_STR_PROFILE_NAME"
fi
```

I am thinking that we could possibly append `unset` to this script so that you won't run into this issue.

```bash
unset AWS_SESSION_TOKEN
unset AWS_ACCESS_KEY
unset AWS_ACCESS_KEY_ID
```

That way, once the profiles are configured, the environment variables will be unset. Let me know if that'll work. In the meantime, I'll huddle up with my team and see what we can do.

Thanks!

Brian
I don't think an `unset` will remove those env variables from `$BASH_ENV`, only the active shell. So the next step that runs will re-source `$BASH_ENV` and you'll have the same problem.

Two ideas:

- Could the configure script accept the variables as input (e.g., `configure.sh --key-id="hardcoded" --secret-key="hardcoded" --security-token="hardcoded"`)?
- Could you write off the keys to a separate file (e.g., `mktemp -t aws-profile-codeartifact-XXXXXX`)?
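The point made in the last comment (an `unset` only clears the active shell; the next step re-sources `$BASH_ENV` and the keys return) as an added, self-contained example. This is not the orb's code: it builds a constructed `$BASH_ENV` with fake credential values, shows them coming back after `unset`, and then strips the export lines from the file itself, which is what a "create the profile, leave my environment alone" mode would have to do after `aws configure set --profile ...` has run.

```shell
#!/usr/bin/env sh
# Added example, not part of the aws-cli orb. Values below are constructed samples.

# Simulated $BASH_ENV as left behind by assume_role_with_web_identity
# (constructed; the PATH line stands in for unrelated content that must survive).
make_sample_bash_env() {
  f=$(mktemp "${TMPDIR:-/tmp}/bash-env.XXXXXX")
  cat > "$f" <<'EOF'
export PATH="$HOME/bin:$PATH"
export AWS_ACCESS_KEY_ID="ASIAEXAMPLEKEYID"
export AWS_SECRET_ACCESS_KEY="examplesecret"
export AWS_SESSION_TOKEN="exampletoken"
EOF
  printf '%s\n' "$f"
}

# Number of credential export lines still present in the file.
count_aws_exports() {
  grep -c -E '^export AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)=' "$1" || true
}

# Mimic what CircleCI does at the start of every step: re-source $BASH_ENV.
# Runs in a subshell (via $(...)) so the caller's environment is untouched.
# Prints the key that is live afterwards, or "<unset>".
key_after_resource() {
  unset AWS_ACCESS_KEY_ID
  . "$1"
  printf '%s\n' "${AWS_ACCESS_KEY_ID:-<unset>}"
}

# Remove the credential exports from the file AND the current shell.
# Once the profile has been written to ~/.aws/credentials, neither copy is needed.
scrub_aws_exports() {
  tmp=$(mktemp "${TMPDIR:-/tmp}/scrub.XXXXXX")
  grep -v -E '^export AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)=' "$1" > "$tmp" || true
  mv "$tmp" "$1"
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Stand-alone demonstration.
demo() {
  f=$(make_sample_bash_env)
  unset AWS_ACCESS_KEY_ID                  # the proposed fix on its own
  echo "after unset, next step sees: $(key_after_resource "$f")"
  scrub_aws_exports "$f"                   # the file is the real leak
  echo "after scrub, next step sees:  $(key_after_resource "$f")"
  rm -f "$f"
}
```

Run `demo` to see the first line still print the key and the second print `<unset>`; only the file edit changes what later steps inherit.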