feat(SIGSECOPS-584): add openId connect #44

Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Create assume-role-with-web-identity.sh
rohithak18 authored Jan 6, 2025
commit deb912e3045fc0e6d521a9000aacccc43d821ef8
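--- a/src/scripts/assume-role-with-web-identity.sh
+++ b/src/scripts/assume-role-with-web-identity.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+PROFILE=${PROFILE:-cdk}
+DEFAULT_REGION=${DEFAULT_REGION:-eu-central-1}
+DEBUG=${DEBUG:-true}
+AWS_ENDPOINT=""
+# disable aws pager
+export AWS_PAGER=""
+
+# When the ACCOUNT_ID is not passed as the actual ID but as a shell parameter reference,
+# it will not be interpreted and resolved.
+# This happens when using this orb in a circleci pipeline and orb-job parameters are
+# to be set with values from env variables instead of hard-coded values in the pipl's config.yml.
+# This is a circleci limitation.
+#
+# The variable reference to the job's parameter will end-up here.
+# That's why we evaluate it here to get the actual value of the parameter.
+# The current implementation limits eval to resolve DEPLOYMENT_ACCOUNT_ID, only.
+TryResolveAccountIdReference() {
+# if [[ ${ACCOUNT_ID} =~ ^\\$.* ]]; then # not supported for sh, only for bash or refactor to use grep
+if [ "${ACCOUNT_ID}" = "\$DEPLOYMENT_ACCOUNT_ID" ]; then
+ACCOUNT_ID=$(eval echo "${ACCOUNT_ID}")
+fi
+}
+
+AssumeRoleWithWebIdentity() {
+if [ "${TEST_MODE}" = true ]; then
+echo "is test mode -> using localstack"
+AWS_ENDPOINT="--endpoint-url=http://localhost:4566"
+fi
+
+TryResolveAccountIdReference
+
+temp_role=$(aws sts assume-role-with-web-identity --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" --role-session-name "web-identity-role-session" --web-identity-token "${CIRCLE_OIDC_TOKEN}" ${AWS_ENDPOINT})
+key_id=$(echo "${temp_role}" | jq .Credentials.AccessKeyId | xargs)
+access_key=$(echo "${temp_role}" | jq .Credentials.SecretAccessKey | xargs)
+session_token=$(echo "${temp_role}" | jq .Credentials.SessionToken | xargs)
+aws configure set aws_access_key_id "${key_id}" --profile "${PROFILE}"
+aws configure set aws_secret_access_key "${access_key}" --profile "${PROFILE}"
+aws configure set aws_session_token "${session_token}" --profile "${PROFILE}"
+aws configure set region "${DEFAULT_REGION}" --profile "${PROFILE}"
+if [ "${DEBUG}" = true ]; then
+aws sts get-caller-identity --profile "${PROFILE}" ${AWS_ENDPOINT}
+fi
+}
+
+# Will not run if sourced for bats-core tests.
+# View src/tests for more information.
+ORB_TEST_ENV="bats-core"
+# shellcheck disable=SC2295
+if [ "${0#*$ORB_TEST_ENV}" = "$0" ]; then
+AssumeRoleWithWebIdentity
+fi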
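Review bot: The result of `temp_role=$(aws sts assume-role-with-web-identity …)` in AssumeRoleWithWebIdentity is never checked, so when the call fails (expired or missing `CIRCLE_OIDC_TOKEN`, wrong `ACCOUNT_ID`/`ROLE_NAME`, unreachable endpoint) `temp_role` is empty, each `jq … | xargs` yields the literal string `null`, and the three `aws configure set` lines write `null` credentials into the `${PROFILE}` profile while the script's exit status is only that of whichever `aws` command happens to run last. Checking the STS call's exit status and replacing `jq | xargs` with `jq -er` (raw output, non-zero exit on `null`) makes a failed assumption fail the job instead of leaving bogus credentials behind; `-r` also avoids `xargs` re-parsing the token as shell-quoted words, and `printf '%s'` instead of `echo` keeps the JSON intact regardless of its first characters. Separately, the `eval echo` in TryResolveAccountIdReference is only reached for the exact string `$DEPLOYMENT_ACCOUNT_ID`, so `ACCOUNT_ID=${DEPLOYMENT_ACCOUNT_ID}` resolves it without any eval.

```shell
# … unchanged: TEST_MODE endpoint selection, TryResolveAccountIdReference …
temp_role=$(aws sts assume-role-with-web-identity --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" --role-session-name "web-identity-role-session" --web-identity-token "${CIRCLE_OIDC_TOKEN}" ${AWS_ENDPOINT}) || { echo "assume-role-with-web-identity failed" >&2; exit 1; }
key_id=$(printf '%s' "${temp_role}" | jq -er .Credentials.AccessKeyId) || exit 1
access_key=$(printf '%s' "${temp_role}" | jq -er .Credentials.SecretAccessKey) || exit 1
session_token=$(printf '%s' "${temp_role}" | jq -er .Credentials.SessionToken) || exit 1
# … unchanged: aws configure set lines, DEBUG get-caller-identity …
```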