AWS plugin #770

Open: wants to merge 3 commits into base: main

@rowanmanning (Member) commented Jan 31, 2025

Description

As discussed, this plugin is used to assume an STS role and provide AWS credentials for other tasks. It stores AWS credentials in the CI state so they can be picked up later.

This is required for us to be able to assume different roles across different accounts with Hako, we'll be deploying to separate test and prod AWS accounts in future.

Later it makes sense to rework the serverless and upload-assets-to-s3 plugins to use this. I'd rather not actually do this work until we've tested this with Hako.

Note the Release-As: 0.1.0 in the commit that adds the plugin. This is so we can test further before a stable release. Right now we tested a JS version of this plugin here. It successfully outputs AWS credentials to the CircleCI job here.

See-Also: CPREL-1270

Checklist:

  • My branch has been rebased onto the latest commit on main (don't merge main into your branch)
  • My commit messages are conventional commits, for example: feat(circleci): add support for nightly workflows, fix: set Heroku app name for staging apps too

This will allow us to pass AWS credentials between tasks and is required
for us to build an AwsAssumeRole task
@rowanmanning rowanmanning requested a review from a team January 31, 2025 12:59
@rowanmanning rowanmanning requested a review from a team as a code owner January 31, 2025 12:59
This plugin is used to assume an STS role and provide AWS credentials
for other tasks. It stores AWS credentials in the CI state so they can
be picked up later.

This is required for us to be able to assume different roles across
different accounts with Hako, we'll be deploying to separate test and
prod AWS accounts in future.

Later it makes sense to rework the `serverless` and
`upload-assets-to-s3` plugins to use this. I'd rather not actually do
this work until we've tested this with Hako.

Release-As: 0.1.0
Co-Authored-By: Alex Muller <[email protected]>
const RoleSessionName = `toolkit-${randomUUID()}`
const WebIdentityToken = process.env.CIRCLE_OIDC_TOKEN_V2

const client = new STSClient({ region: 'eu-west-1' })
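Review bot: `WebIdentityToken` on the second line is read from `process.env.CIRCLE_OIDC_TOKEN_V2` with no check, in the lines shown, that the variable is set. If it is missing the value is `undefined` and the problem would only surface when the token is used; check it here and fail with a message that names the variable. Two smaller points: `RoleSessionName` is `toolkit-` plus a random UUID, so the session name that ends up in CloudTrail cannot be matched to a build from the name alone, and including a CI job or workflow identifier would help attribution; and the `'eu-west-1'` literal on the `STSClient` line would be easier to change later as a plugin option with that value as its default.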
Member Author
Hard-coded for now while we're in one region. We suspect this will work even for US deploys because roles are not tied to a region, but let's see