OpenID Connect Support added to AWS CLI Orb - v3.1

Hello everyone!

I’m happy to announce that version 3.1 of the AWS CLI Orb has been released as of April 21st, 2022. This version takes advantage of CircleCI’s OIDC token, which is available by default in every job that uses a context. It lets users generate a short-lived AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that is only valid for 60 minutes by default. These short-lived keys are used by the aws-cli/setup command to configure a profile that can then access other AWS services, as permitted by the IAM policies attached to the specified role-arn. This makes running CircleCI pipelines against AWS more secure, since it eliminates the need to store static AWS keys as environment variables.

Here’s how it works:

  1. You’ll need to create an OpenID Connect identity provider in IAM and generate a role-arn using Web Identity. You can find step-by-step directions here.
  2. Use the role-arn you created in the previous step as a parameter to the aws-cli/setup command. You will also need to define a profile-name. After the aws-cli/setup command has run, you can use the profile you defined to run other AWS CLI commands. The example below creates a profile with web identity called WEB-IDENTITY-PROFILE and uses it to log in to AWS ECR.
```yaml
version: 2.1

orbs:
  aws-cli: circleci/aws-cli@3.1

jobs:
  aws-cli-example:
    # `executor:` must name a declared executor, so the image is given
    # directly under `docker:` instead.
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      - aws-cli/setup:
          profile-name: WEB-IDENTITY-PROFILE
          role-arn: arn:aws:iam::123456789012:role/WEB-IDENTITY-ROLE
          role-session-name: example-session
      - run:
          name: Log into ECR
          command: aws ecr get-login-password --region us-west-2 --profile WEB-IDENTITY-PROFILE

workflows:
  aws-cli:
    jobs:
      - aws-cli-example:
          # The job needs a context so that the OIDC token is issued.
          context: AWS-CONTEXT
```
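Step 1 leaves the role's trust policy to the linked directions; the following is an added example (not code from the orb or from this post) showing, in Python, a trust policy that only lets one CircleCI project assume the role, plus a pre-flight check of the token's claims against it before the job calls STS. Assumed: CircleCI issues tokens from https://oidc.circleci.com/org/<org-id>, the aud claim is the org ID, the sub claim has the form org/<org-id>/project/<project-id>/user/<user-id>, and all IDs below are placeholders.

```python
import base64
import fnmatch
import json


def build_trust_policy(org_id, project_id, account_id):
    """Trust policy for the role named in role-arn. The aud condition pins
    the token to your org; the sub condition narrows it to one project, so
    other projects in the same org cannot assume the role."""
    provider = f"oidc.circleci.com/org/{org_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": org_id},
                "StringLike": {
                    f"{provider}:sub": f"org/{org_id}/project/{project_id}/user/*"},
            },
        }],
    }


def decode_claims(jwt):
    """Decode a JWT payload without verifying it. STS checks the signature;
    this is only for a pre-flight check and for logging inside the job."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_satisfies_policy(claims, policy):
    """Return True if iss, aud and sub would pass the policy's conditions."""
    stmt = policy["Statement"][0]
    provider = stmt["Principal"]["Federated"].split("oidc-provider/")[1]
    cond = stmt["Condition"]
    return (claims.get("iss") == f"https://{provider}"
            and claims.get("aud") == cond["StringEquals"][f"{provider}:aud"]
            and fnmatch.fnmatchcase(claims.get("sub", ""),
                                    cond["StringLike"][f"{provider}:sub"]))


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT for local testing only (not a
    real CIRCLE_OIDC_TOKEN, which is signed by CircleCI)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

In a job, read the token from the CIRCLE_OIDC_TOKEN environment variable and run the check before aws-cli/setup; a mismatch there means the role's trust policy and the project issuing the token do not line up.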

You can find more details in the Orb Registry.
