| Div | ||
|---|---|---|
| ||
You can use the AWS Credentials Variables task to provide managed temporary AWS security credentials for other tools by injecting them into AWS unaware tasks like the Bamboo Script task. This improves versatility for using tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line or environment variables.
| Include Page | ||||
|---|---|---|---|---|
|
| Panel | ||||
|---|---|---|---|---|
| ||||
On this page:
|
| Panel | ||||
|---|---|---|---|---|
| ||||
Related Pages:
|
Configuration
| Tip | ||
|---|---|---|
| ||
The most frequent use case for the AWS Credentials Variables task is to address scenarios not (yet) covered by dedicated tasks, see How to work around limitations with the AWS Command Line Interface (AWS CLI) for details. |
To configure an AWS Credentials Variables task:
- Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).
- Click the name of an existing AWS Credentials Variables task, or click Add Task and then AWS Credentials Variables to create a new task.
Complete the following settings:
sharedTask Description (Optional) Identify the purpose of the task. Disable this task Check, or clear, to selectively run this task.
Source Select the AWS Credentials Source (see below). Can be either Identity Federation for AWS or an IAM Role for EC2. Connector (Conditional) Select the
See also AWS Security Credentials Variationsshared Identity Federation for AWS Connector.
Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as
f24e81bc-7aff-42db-86a2-7cf82e24d871) - refer to How to parametrize the AWS connector via a Bamboo variable for details.
AWS Credentials Sources
You currently have two option to provide AWS Security Credentials:
Identity Federation for AWS
| Tip | ||
|---|---|---|
| ||
This is the recommended approach to share and manage AWS credentials:
|
Refer to the Administrator's Guide for details on how to configure the connectors.
this option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available- a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
- you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases
IAM Role for EC2 (Agent)
You can use IAM Roles for Amazon EC2 to optionally skip credentials configuration all together: if an agent happens to run on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to facilitate those credentials. Of course, the underlying IAM role needs to have a sufficient policy attached to grant the the required permissions for the task at hand.
This feature requires the Amazon EC2 instance running the agent to be started with an EC2 instance profile. There are three different scenarios:
- local agents - requires the hosting Bamboo server itself to run on EC2
- remote/elastic agents - requires the remote agent to run on EC2
- elastic agents - requires the elastic agent to run on EC2
Elastic Bamboo only supports configuring elastic images with an instance profile as of Bamboo 5.6.
Usage
Bamboo variables
This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:
| Code Block | ||||
|---|---|---|---|---|
| ||||
${bamboo.custom.aws.accessKeyId}
${bamboo.custom.aws.secretAccessKey.password}
${bamboo.custom.aws.sessionToken.password}
# alternative representation
as JSON object:
${bamboo.custom.aws.credentials.json.password} |
- The '*.password' suffix ensures that these sensitive variables are masked with asterisks ('*******') in the Bamboo build log.
An alternative representation as a JSON object for automated processing with tools like jq is available too:
| Code Block | ||||
|---|---|---|---|---|
| ||||
${bamboo.custom.aws.credentials.json.password} |
Environment variables
Aforementioned variables will also be available as environment variables for use in Bamboo Script tasks - the . The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):
| Code Block | ||||
|---|---|---|---|---|
| ||||
${bamboo.custom.aws.accessKeyId} ${bamboo.custom.aws.secretAccessKey.password} ${bamboo.custom.aws.sessionToken.password} # alternative representation as JSON object: ${bamboo.custom.aws.credentials.json.password}export AWS_ACCESS_KEY_ID=$bamboo_custom_aws_accessKeyId export AWS_SECRET_ACCESS_KEY=$bamboo_custom_aws.secretAccessKey_password export AWS_SESSION_TOKEN=$bamboo_custom_aws_sessionToken_password |
| Code Block | ||||
|---|---|---|---|---|
| ||||
$AWS_ACCESS_KEY_ID = $bamboo_custom_aws_accessKeyId $bamboo$AWS_customSECRET_aws_secretAccessKey_passwordACCESS_KEY = $bamboo_custom_aws_sessionTokensecretAccessKey_password # alternative representation as JSON object: $AWS_SESSION_TOKEN = $bamboo_custom_aws_credentials_jsonsessionToken_password |
| Code Block | ||||
|---|---|---|---|---|
| ||||
set AWS_ACCESS_KEY_ID=%bamboo_custom_aws_accessKeyId% set %bambooAWS_customSECRET_aws_secretAccessKey_password% ACCESS_KEY=%bamboo_custom_aws_sessionTokensecretAccessKey_password% REM alternative representation as JSON object: set AWS_SESSION_TOKEN=%bamboo_custom_aws_credentials_jsonsessionToken_password% |
How-to Articles
| Filter by label (Content by label) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Frequently Asked Questions (FAQ)
| Questionslist macro | ||||||||
|---|---|---|---|---|---|---|---|---|
|