I'm trying to use OIDC with roles and web identity on AWS. I followed the steps in https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
As described at the end of that article, OIDC works when I use the Atlassian pipe, but it does not work with the export + aws cli option.
```yaml
default:
  - step:
      name: Connect to AWS using OIDC
      oidc: true
      script:
        - export AWS_REGION=$AWS_REGION
        - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
        - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
        - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
        - printenv BITBUCKET_STEP_OIDC_TOKEN
        - printenv AWS_REGION
        - printenv AWS_ROLE_ARN
        - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
```
printenv output:

```text
printenv AWS_REGION
us-east-2
printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole
printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>
```

Error:

```text
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
```
But when I use the pipe, everything works:

```yaml
- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'
```
I stumbled on the same thing: the Bitbucket pipes work with AWS OIDC, but a script does not. If you check the source code of the specific pipe, you will see that assuming the role takes a few extra steps: https://bitbucket.org/atlassian/aws-s3-deploy/src/master/pipe/pipe.sh#lines-35
So, to make the script section work with OIDC, you need something like this:
```yaml
default:
  - step:
      name: Connect to AWS using OIDC
      oidc: true
      script:
        - export AWS_REGION=$AWS_REGION
        - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
        - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
        - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
        # Point the CLI's default profile at the token file and role, as the pipe does
        - aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
        - aws configure set role_arn ${AWS_ROLE_ARN}
        # Static keys in the environment would take precedence over web identity
        - unset AWS_ACCESS_KEY_ID
        - unset AWS_SECRET_ACCESS_KEY
        - printenv BITBUCKET_STEP_OIDC_TOKEN
        - printenv AWS_REGION
        - printenv AWS_ROLE_ARN
```
I ran into a similar situation. I wanted to run aws cli commands inside a script using an AWS OIDC IAM role. It seems that having
`oidc: true`
is not enough to authenticate to AWS.
So, as a workaround to make OIDC work in the script, I used the sts assume-role command to get temporary credentials and used the
`jq`
Linux tool to parse the response and configure the aws cli with it.
```yaml
default:
  - step:
      name: Configure AWS CLI
      oidc: true
      script:
        # Exchange the step's OIDC token for temporary role credentials
        - assume_role_response=$(aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/myRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000)
        - access_key_id=$(echo "$assume_role_response" | jq -r '.Credentials.AccessKeyId')
        - secret_access_key=$(echo "$assume_role_response" | jq -r '.Credentials.SecretAccessKey')
        - session_token=$(echo "$assume_role_response" | jq -r '.Credentials.SessionToken')
        - aws configure set aws_access_key_id "$access_key_id"
        - aws configure set aws_secret_access_key "$secret_access_key"
        - aws configure set aws_session_token "$session_token"
        - aws s3 ls
```
Not sure if there is a simpler solution, but this worked for me.
If I understand correctly, exporting these environment variables is enough; you don't need an additional sts assume-role-with-web-identity command.
Try this:
```yaml
pipelines:
  default:
    - step:
        name: Test OIDC
        oidc: true
        image: public.ecr.aws/aws-cli/aws-cli
        script:
          - export AWS_DEFAULT_REGION=my-region-0
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
          # The CLI reads AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE and calls STS itself
          - aws sts get-caller-identity
```
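Two checks worth adding before the STS call, as an added example that is not code from the thread or from Atlassian's pipe. In the question, `printenv BITBUCKET_STEP_OIDC_TOKEN` printed nothing, so the `echo ... > web-identity-token` line silently wrote an empty file and STS answered AccessDenied; the first and last answers rely on that same file. The helpers below refuse to write an empty token file (and create it mode 0600), and decode the JWT payload so the `iss`, `aud` and `sub` claims can be compared against the IAM role's trust policy without pasting the token into the log. The sample token is constructed here with a fake signature: the claim names follow the Bitbucket OIDC documentation, the values are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the original thread. Helpers for a Bitbucket
# Pipelines step that hands an OIDC token to the AWS CLI via
# AWS_WEB_IDENTITY_TOKEN_FILE. Requires base64(1) and tr(1).
set -u

# b64url_decode: RFC 7515 base64url -> bytes (restore padding, swap alphabet).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# b64url_encode: bytes -> base64url without padding (used only to build the sample).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# jwt_claims: print the payload (claims) segment of a JWT as JSON.
# No signature verification here; STS does that against the provider's JWKS.
# Use it to inspect iss/aud/sub, not to trust the token.
jwt_claims() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  [ -n "$payload" ] || return 1
  b64url_decode "$payload"
}

# write_token_file TOKEN PATH: fail if the token is empty (the question's
# symptom: oidc: true missing or the variable not populated) instead of writing
# an empty file, and create the file readable by the owner only.
write_token_file() {
  token=$1
  path=$2
  if [ -z "$token" ]; then
    echo "OIDC token is empty: is 'oidc: true' set on this step?" >&2
    return 1
  fi
  ( umask 077; printf '%s' "$token" > "$path" )
}

# Constructed sample token. Claim names are the ones the Bitbucket docs describe
# for the trust policy (iss = workspace identity provider URL, aud = workspace
# ARI, sub = "{repository-uuid}:{step-uuid}"); values are placeholders and the
# signature segment is garbage, so this token is useless against real STS.
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"https://api.bitbucket.org/2.0/workspaces/EXAMPLE/pipelines-config/identity/oidc","aud":"ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000","sub":"{repo-uuid}:{step-uuid}"}'
SAMPLE_JWT="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Typical use inside the step's script, with the real variable:
#   write_token_file "${BITBUCKET_STEP_OIDC_TOKEN:-}" "$AWS_WEB_IDENTITY_TOKEN_FILE"
#   jwt_claims "$BITBUCKET_STEP_OIDC_TOKEN"   # compare aud/sub with the trust policy
```

Compare the printed `aud` and `sub` with the `Condition` block of the role's trust policy; a mismatch there produces the same AccessDenied as an empty token. Prefer `jwt_claims` over `printenv BITBUCKET_STEP_OIDC_TOKEN`, which writes the whole bearer token into the build log.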