
Assuming an AWS Role in CI/CD

ROLE_UUID=$(uuidgen)
TMPFILE=$(mktemp) || exit 1
export aws_region=${AWS_REGION}

# Request temporary credentials; the JSON response goes to the temp file
aws sts assume-role --role-arn arn:aws:iam::0123456789:role/publisher-role --role-session-name "role_$ROLE_UUID" > "$TMPFILE"

if [ ! -s "$TMPFILE" ]; then
    echo "!!! AWS Credentials file empty !!!"
    rm -f "$TMPFILE"
    exit 1
fi

# Export the temporary credentials for the commands that follow
export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "$TMPFILE")
export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "$TMPFILE")
export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "$TMPFILE")
export AWS_DEFAULT_REGION=$aws_region

# The temp file holds live credentials; delete it once they are exported
rm -f "$TMPFILE"

aws sts assume-role only returns the new credentials as JSON; it doesn't export them into the environment, so we need to export the new variable values ourselves.
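A variant that keeps the credentials off disk, as an added example that is not part of the original post: the AWS CLI's `--query` and `--output text` options print the three values tab-separated on one line, and a helper validates that line before exporting anything. The helper name `load_assumed_role_creds` and the `ROLE_ARN` variable are assumptions made for the example.

```shell
# Added example, not from the original post. load_assumed_role_creds is a
# hypothetical helper; its argument is the single line printed by:
#   aws sts assume-role --role-arn <ROLE_ARN> --role-session-name <NAME> \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
load_assumed_role_creds() {
    _tab=$(printf '\t')
    _old_ifs=$IFS
    # Split on tabs only, with globbing off so characters in the secret
    # or token are never expanded as filename patterns
    IFS=$_tab; set -f
    set -- $1
    set +f; IFS=$_old_ifs

    # Empty output, "None", or a partial response must not reach the exports
    if [ "$#" -ne 3 ]; then
        echo "assume-role: expected 3 credential fields, got $#" >&2
        return 1
    fi

    # Temporary STS access key IDs start with ASIA; long-term keys use AKIA
    case $1 in
        ASIA*) ;;
        *) echo "assume-role: access key is not a temporary credential" >&2
           return 2 ;;
    esac

    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
}

# Typical call in a CI step (ROLE_ARN is an assumed pipeline variable):
# load_assumed_role_creds "$(aws sts assume-role --role-arn "$ROLE_ARN" \
#     --role-session-name "role_$(uuidgen)" \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
#     --output text)" || exit 1
```

The helper has to be called in the current shell, as in the commented call, and not at the end of a pipeline, where the exports would be lost in a subshell.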

Published on February 9, 2024

Tags: knowledge
