Hello everyone!
I’m happy to announce that version 3.1 of the AWS CLI Orb has been released as of April 21st, 2022. This latest version takes advantage of CircleCI’s OIDC Token that’s available by default in every context provided in each job. It enables users to generate a short-lived AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that are only valid for 60 minutes by default. These short-lived keys are used in the aws-cli/setup command to configure a profile that can be used to access other AWS services defined by the IAM policies that are tied to the specified role-arn. This makes running CircleCI pipelines with AWS more secure since it eliminates the need for users to store static AWS keys as environment variables.
Here’s how it works:
- You’ll need to create an OpenID Connect Identity provider in `IAM` and generate a `role-arn` using Web Identity. You can find step by step directions here.
- Use the `role-arn` you’ve created in the previous step as a parameter in the `aws-cli/setup` command. You will also need to define a `profile-name`. After the `aws-cli/setup` command is run, you can use the profile you’ve defined to run other `AWS CLI` commands. The example below creates a profile with web identity called `WEB-IDENTITY-PROFILE` and uses it to log into `AWS ECR`.
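```yaml
version: 2.1
orbs:
  aws-cli: circleci/aws-cli@3.1
jobs:
  aws-cli-example:
    # Run in the cimg/base image; `executor:` only accepts a declared executor name.
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      # Exchange the job's OIDC token for short-lived keys and store them in a profile.
      - aws-cli/setup:
          profile-name: WEB-IDENTITY-PROFILE
          role-arn: arn:aws:iam::123456789012:role/WEB-IDENTITY-ROLE
          role-session-name: example-session
      - run:
          name: Log into ECR
          command: aws ecr get-login-password --region us-west-2 --profile WEB-IDENTITY-PROFILE
workflows:
  aws-cli:
    jobs:
      - aws-cli-example:
          # The OIDC token is only issued to jobs that use a context.
          context: AWS-CONTEXT
```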
You can find more details in the Orb Registry
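
The role created in the first step is only as tight as its trust policy. The sketch below is an added example, not part of the orb or of the original post: it audits a trust policy for missing `aud` and `sub` conditions. The issuer path `oidc.circleci.com/org/<org-id>` and the `sub` layout `org/<org-id>/project/<project-id>/user/<user-id>` are assumptions taken from CircleCI's OIDC token format, the IDs are constructed placeholders, and `audit_trust_policy` and `make_policy` are hypothetical helper names.

```python
# Added example, not from the orb: audit a role trust policy for CircleCI OIDC.
ORG_ID = "00000000-0000-0000-0000-000000000000"      # constructed placeholder
PROJECT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
ISSUER = f"oidc.circleci.com/org/{ORG_ID}"           # assumed issuer host/path

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions(stmt):
    """Flatten the Condition block to {lowercased key: [values]}."""
    flat = {}
    for pairs in stmt.get("Condition", {}).values():
        for key, value in pairs.items():
            flat.setdefault(key.lower(), []).extend(_as_list(value))
    return flat

def audit_trust_policy(policy, issuer=ISSUER):
    """Return findings for statements that trust `issuer` via web identity."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(f.endswith("oidc-provider/" + issuer) for f in federated)):
            continue
        cond = _conditions(stmt)
        if f"{issuer}:aud".lower() not in cond:
            findings.append(f"statement {i}: no aud condition")
        subs = cond.get(f"{issuer}:sub".lower())
        if subs is None:
            findings.append(f"statement {i}: no sub condition, every project in the org can assume the role")
        elif any("/project/*" in s for s in subs):
            findings.append(f"statement {i}: sub condition wildcards the project")
    return findings

def make_policy(condition):
    """Build a constructed trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

ORG_WIDE = make_policy({"StringEquals": {f"{ISSUER}:aud": ORG_ID}})
SCOPED = make_policy({
    "StringEquals": {f"{ISSUER}:aud": ORG_ID},
    "StringLike": {f"{ISSUER}:sub": f"org/{ORG_ID}/project/{PROJECT_ID}/user/*"}})

if __name__ == "__main__":
    for name, pol in (("org-wide", ORG_WIDE), ("scoped", SCOPED)):
        print(name, audit_trust_policy(pol) or "ok")
```

To check a real role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` together with your own issuer string.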