AWS Credentials Sources
This results in two options for providing AWS Security Credentials:
You currently have three options to provide AWS Security Credentials:
Identity Federation for AWS
Tip: This is the recommended approach to share and manage AWS credentials:
Please refer to the Identity Federation for AWS Administrator's Guide for details on how to configure the connectors.
- this option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available
- a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
- you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases
- you can also use Bamboo variables to ease managing connectors as outlined in How to parametrize the AWS connector via a Bamboo variable
IAM Role for EC2 (Agent)
As of release 2.5, you can use IAM Roles for Amazon EC2 to optionally skip credentials configuration altogether: if an agent runs on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to use those credentials. The underlying IAM role needs to have a sufficient policy attached to grant the required permissions for the task at hand.
This feature requires the Amazon EC2 instance running the agent to be started with an EC2 instance profile. There are three different scenarios:
- local agents - requires the hosting Bamboo server itself to run on EC2
- remote/elastic agents - requires the remote agent to run on EC2
- elastic agents - requires the elastic agent to run on EC2
  - Elastic Bamboo only supports configuring elastic images with an instance profile as of Bamboo 5.6.
Inline
Note: This is not recommended, but easy to get started with:
- Please note that this naming is misleading for the time being - as properly phrased in the method details, these just provide means to obfuscate sensitive data. Real encryption is available by using the integration with Identity Federation for AWS (Bamboo) instead.
If you prefer this solution, you might still want to ease credentials reuse a bit via variable substitution as follows:
- configure Access Key and Secret Key as e.g. ${bamboo.awsAccessKeyPassword} and ${bamboo.awsSecretKeyPassword}
- define plan and/or global variables for the configured variable names (i.e. awsAccessKeyPassword and awsSecretKeyPassword given this example) with the actual credentials, which will then be substituted on task execution accordingly
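A check for the variable-substitution setup above, as an added example that is not part of the add-on or its documentation: it flags Access Key and Secret Key fields that hold literal values instead of ${bamboo.*} references. The field names accessKey and secretKey, the task dictionaries, and the rule that a variable name must contain "password" for Bamboo to mask its value are assumptions.

```python
import re

# ${bamboo.NAME} reference, as used in the substitution example above
VAR_REF = re.compile(r"^\$\{bamboo\.([A-Za-z0-9_.]+)\}$")
# Shape of a long-term (AKIA) or temporary (ASIA) AWS access key ID
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assumption: Bamboo masks variables whose name contains "password"
MASKED_HINT = "password"


def check_field(field, value):
    """Return a list of findings for one credentials field of a task."""
    value = value.strip()
    if not value:
        return []  # empty: credentials come from another source
    match = VAR_REF.match(value)
    if match is None:
        if ACCESS_KEY_ID.search(value):
            return [f"{field}: literal access key ID in task configuration"]
        if "${bamboo." in value:
            return [f"{field}: variable reference mixed with literal text"]
        return [f"{field}: literal value, expected a ${{bamboo.*}} reference"]
    name = match.group(1)
    if MASKED_HINT not in name.lower():
        return [f"{field}: variable '{name}' is not named as a password"]
    return []


def check_task(task):
    """Check the Access Key and Secret Key fields of one task dict."""
    findings = []
    for field in ("accessKey", "secretKey"):  # hypothetical field names
        findings += check_field(field, task.get(field, ""))
    return findings


# Constructed sample tasks; the key ID is AWS's documentation example value
GOOD = {"accessKey": "${bamboo.awsAccessKeyPassword}",
        "secretKey": "${bamboo.awsSecretKeyPassword}"}
BAD = {"accessKey": "AKIAIOSFODNN7EXAMPLE",
       "secretKey": "${bamboo.awsCredential}"}

if __name__ == "__main__":
    for label, task in (("good", GOOD), ("bad", BAD)):
        print(label, check_task(task) or "ok")
```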
Identity Federation for AWS
Tip: This is the recommended approach to share and manage AWS credentials: it provides all sorts of benefits like easy credentials sharing and reuse, fine-grained access control for AWS resources, strong encryption and more. Please refer to the Identity Federation for AWS Documentation for details.
Please refer to the Identity Federation for AWS Administrator's Guide for details on how to configure the connectors.
- this option requires at least one System Scope AWS Connector to be configured within the Identity Federation for AWS add-on
- a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
- you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases
AWS China (Beijing) Region
AWS GovCloud (US) Region