New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for AssumeRoleWithWebIdentity #2997
base: master
Are you sure you want to change the base?
Add support for AssumeRoleWithWebIdentity #2997
Conversation
FYI: I also tested this using gitlab's OIDC integration and it worked correctly, both with |
a6dae29
to
1363712
Compare
Sorry, I have no idea how this got closed. I certainly did not intend to. |
|
Thanks for the review! I have replaced calls to |
@denis256 any chance I could get a followup review? I addressed the comments you left previously. Thanks in advance! |
Hi,
|
8c7c168
to
36dd31a
Compare
Hi @denis256 thanks for picking this up again. I have resolved the merge conflicts (and updated the new flag name per the new naming convention). Please take another look. |
36dd31a
to
4d69332
Compare
Add support for STS [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). Includes new config option `iam_web_identity_token` which takes either a WebIdentity token (designed to be passed in with `get_env()`), or a path to a file containing a WebIdentity token.
27501fd
to
3c89638
Compare
Synced this branch against master again, resolving a small merge conflict. Hey @denis256 I would really appreciate a followup review so I don't have to keep checking syncing this to avoid merge conflicts. Please and thank you! |
aws_helper/config.go
Outdated
return nil, errors.WithStackTrace(err) | ||
} | ||
return resp.Credentials, nil | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think else is not required since return
is used
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review. I have removed the unnecessary else clause
It is possible to implement integration tests to track that this functionality will work over time? |
Yes, depending on your CI environment. For example, we will be using this functionality to replace shell script calls to Do you have integration tests for the current In order to do this, you need to
Then point Here are the docs for setting this up in gitlab: https://docs.gitlab.com/ee/ci/cloud_services/aws/ Here are the docs for setting this up in github: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services Here are the docs for setting this up in circleci: https://circleci.com/docs/openid-connect-tokens/ |
Quality Gate passedIssues Measures |
Hello, In CircleCI we can add later required env variable. |
To be clear, @partcyborg , we don't need these tests to be running in our CircleCI configuration for this pull request. This integration test only has to work in the context of your CI system. Run it there, show the configurations you used (masking any account identifiers, etc), and share the test output with us so that we can consider this functionality tested. They should require the minimum set of dependencies like an environment variable and an IAM role. It should also be accompanied with example CI setups in the docs that we can share with the community. Once we have these, we can independently verify the tests, then merge this PR. In a subsequent PR, we can setup the integration tests into the CI configurations for this repository. |
Thanks for the more detailed explanation @yhakbar Just to be sure I understand, you want me to
Is this correct? |
Description
Add support for STS AssumeRoleWithWebIdentity.
Includes new config option
iam_web_identity_token
which takes either a WebIdentity token (designed to be passed in withget_env()
), or a path to a file containing a WebIdentity token.Fixes #2585.
TODOs
Read the Gruntwork contribution guidelines.
Release Notes (draft)
Added attribute
iam_web_identity_token
to support AssumeRoleWithWebIdentityMigration Guide