Versions Compared

Old Version 37

changes.mady.by.user Jana Lehmann [Utoolity]

Saved on

compared with

New Version Current

changes.mady.by.user Steffen Opel [Utoolity]

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fixed typo.
Excerpt

Use the AWS Credentials Variables task to provide managed temporary AWS security credentials for other tools by injecting them into AWS unaware tasks like the Bamboo Script task. This improves versatility for using tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line, environment variables or the Bamboo task configuration interface.


On this page:

Table of Contents
maxLevel3

Related Pagespages:

Include Page
_TasksForAWSNote
_TasksForAWSNote

Configuration

Tip

Address limitations with the AWS CLI

The most frequent use case for the AWS Credentials Variables task is to address scenarios not (yet) covered by dedicated tasks, see How to work around limitations with the AWS Command Line Interface (AWS CLI) for details.

To configure an AWS Credentials Variables task:

  1. Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).

  2. Click the name of an existing AWS Credentials Variables task, or click Add Task and then AWS Credentials Variables to create a new task.


Complete the following settings:

Task Description

(Optional) Identify the purpose of the task.

Disable this task

Check, or clear, to selectively run this task.

Add Caller Identity

Check to add variables with details about the IAM identity whose credentials are used to call the API (see get-caller-identity). Clear to skip the additional API call required to retrieve these details.

Bamboo Variables


Namespace

Provide the namespace for generated variables

Scope

Select the scope for generated variables:

  • Local – Variables will only be available in this job

  • Result – Variables will be available in subsequent plan stages and deployment releases

AWS Security Credentials


Source

Select the AWS Credentials Source (see below). Can be either Identity Federation for AWS or an IAM Role for EC2.

Connector

(Conditional) Select the shared Identity Federation for AWS Connector. Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as f24e81bc-7aff-42db-86a2-7cf82e24d871) - refer to How to parametrize the AWS connector via a Bamboo variable for details.

Role ARN

(Conditional | Optional) Specify the ARN of another role that the agent's IAM role for EC2 should assume.

AWS Credentials Sources

(info) IAM Policy

The AWS Credentials Variables task requires IAM permissions to retrieve temporary security credentials via the AWS Security Token Service (STS) - an all-encompassing policy might look as follows:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetFederationToken",
                "sts:GetSessionToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

(info) Refer to Granting Permissions to Create Temporary Security Credentials for details on how to create more granular/secure policies, for example:

  • remove permissions for any Action allowing unused principal types

  • further restrict permissions via more specific Resource declarations

You have the following options to provide AWS Security Credentials:

Include Page
_IdentityFederationForAWSConnector
_IdentityFederationForAWSConnector
Include Page
_IAMRolesForEC2
_IAMRolesForEC2

Usage

Bamboo variables

This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:

Bamboo variables
Code Block
languagebash
${bamboo.custom.aws.accessKeyId}
${bamboo.custom.aws.secretAccessKey.password}
${bamboo.custom.aws.sessionToken.password}
${bamboo.custom.aws.connector.id}
${bamboo.custom.aws.connector.name}

# Optional: the callerIdentity namespace is only present when option 'Add Caller Identity' is checked.
${bamboo.custom.aws.callerIdentity.account}
${bamboo.custom.aws.callerIdentity.arn}
${bamboo.custom.aws.callerIdentity.userId} 

  • (info) The '*.password' suffix ensures that these sensitive variables are masked with asterisks ('*******') in the Bamboo build log.

An alternative representation as a JSON object for automated processing with tools like jq is available too:

Bamboo variables (alternative representations)
Code Block
languagebash
${bamboo.custom.aws.credentials.json.password}

# Optional: the callerIdentity namespace is only present when option 'Add Caller Identity' is checked.
${bamboo.custom.aws.callerIdentity.json}

Environment variables

Aforementioned variables will also be available as environment variables for use in Bamboo Script tasks. The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):

Bash (Unix shell)
Code Block
languagebash
export AWS_ACCESS_KEY_ID=$bamboo_custom_aws_accessKeyId
export AWS_SECRET_ACCESS_KEY=$bamboo_custom_aws_secretAccessKey_password
export AWS_SESSION_TOKEN=$bamboo_custom_aws_sessionToken_password

PowerShell

Code Block
languagepowershell
$Env:AWS_ACCESS_KEY_ID = $Env:bamboo_custom_aws_accessKeyId
$Env:AWS_SECRET_ACCESS_KEY = $Env:bamboo_custom_aws_secretAccessKey_password
$Env:AWS_SESSION_TOKEN = $Env:bamboo_custom_aws_sessionToken_password

Windows Command Prompt (cmd)

Code Block
languagediff
set AWS_ACCESS_KEY_ID=%bamboo_custom_aws_accessKeyId%
set AWS_SECRET_ACCESS_KEY=%bamboo_custom_aws_secretAccessKey_password%
set AWS_SESSION_TOKEN=%bamboo_custom_aws_sessionToken_password%

How-to Articles

Filter by label (Content by label)
max8
showSpacefalse
sorttitle
excerptTypesimple
cqllabel in ( "aws-cli" , "aws-iam" , "aws-credentials" ) and label in ( "kb-how-to-article" , "kb-troubleshooting-article" ) and label = "variables"

Frequently Asked Questions (FAQ)

Include Page
UAA:_FAQHeaderQuestionsForConfluence
UAA:_FAQHeaderQuestionsForConfluence
Questionslist macro
filterpopular
asktrue
limit8
topicaws-credentials