Identity Federation for AWS is an Amazon Web Services (AWS) integration app that provides Temporary AWS Security Credentials via a REST API – this is a brief guide for developers who want to use AWS services from their own Atlassian apps and integrate the shared AWS credentials management provided by Identity Federation for AWS.

API Limitations

Usage of the REST API requires an active user session, which isn't available during execution of tasks in Bamboo or scheduled tasks in Jira for example.

  • AWS credentials for such 'system scope' scenarios can be retrieved via the as yet unpublished Java API (as used by Tasks for AWS, for example). Please don't hesitate to get in touch if you are in need of system scoped identity federation with AWS; we are eager to learn more about your use case.

API Compatibility

Identity Federation for AWS strives to support the two latest major API versions to provide an upgrade path:

Getting started

The Identity Federation for AWS REST API is based on open standards, so you can use any web development language or command line tool capable of generating an HTTP request to access the API, e.g. the popular cURL (a CLI tool for transferring data with URL syntax) or the highly recommended HTTPie (a CLI, cURL-like tool for humans). All resources can be used like the regular Jira Server REST APIs (or Bitbucket Server REST API, see info below):

REST API Browser

The easiest way to explore and experiment with the Identity Federation for AWS API is by means of the Atlassian REST API Browser; simply select the Identity Federation for AWS resources.

Atlassian REST API Design Guidelines compliance

The Identity Federation for AWS API has been designed with the Atlassian REST API Design Guidelines in mind. However, these are not consistently followed by Atlassian itself, and its latest product Stash features an elaborate REST API that applies a few more current REST API trends. Where in doubt, those trends have been applied here as well (e.g. using plural rather than singular for collections).

Structure of the REST URIs

The Identity Federation for AWS REST API provides access to resources (data entities) via URI paths. To use the REST API, your application will make an HTTP request and parse the response. The Identity Federation for AWS REST API uses JSON as its communication format, and the standard HTTP methods like GET, PUT, POST and DELETE. URIs for Identity Federation for AWS REST API resources are keyed by the app namespace and have the following structure:

http://host:port/context/rest/identity-federation-for-aws/2.1

REST API v2.1 resources (Identity Federation)

This is the reference of all resources relevant to this app's actual functionality as a token vendor for Identity Federation - refer to the REST API resources (complete reference) if you intend to include this app in administrative automation scenarios (e.g. for scripting).

Resource: Connectors

This is the main resource for retrieving temporary AWS security credentials.

/connectors
  • Methods: GET|POST
  • Description: Get all AWS connectors.
  • Permissions: Configurable
  • Comments: GET is the only required method for the token vendor use case, but POST is available for administration purposes.

/connectors/{id}
  • Methods: GET|PUT|DELETE
  • Description: Get an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: GET is the only required method for the token vendor use case, but DELETE|PUT is available for administration purposes.

/connectors/{id}/caller-identity
  • Methods: GET
  • Description: Get details about the IAM identity whose credentials are used to call the API.
  • Permissions: Configurable

/connectors/{id}/credentials
  • Methods: GET
  • Description: Get temporary AWS security credentials via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: This is the main resource to use for calling AWS services in turn.

/connectors/{id}/console/url
  • Methods: GET
  • Description: Get the URL for SSO with the AWS Management Console via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: The returned URL is not the final one, rather the one to present to users so that following it will yield the SSO with AWS in turn (provided the executing user has permission to use the connector).

/connectors/{id}/ecr/credentials
  • Methods: GET
  • Description: Get temporary Amazon ECR authentication credentials via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: Refer to Amazon EC2 Container Registry (Amazon ECR) authentication credentials for details. In addition to the native AWS API response data, the response also provides the properties proxyEndpointDomain, username and password for convenient usage with the Bamboo Docker task.


/rest/identity-federation-for-aws/2.1/connectors

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors (200)


Response Headers
Server: Apache-Coyote/1.1
X-AREQUESTID: 1384x1779x1
X-ASESSIONID: 1dteqyw
X-Seraph-LoginReason: OK
X-AUSERNAME: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 04 Jun 2013 21:04:32 GMT


Response Body
{
  "values": [
    {
      "id": "1521fbf0-fa97-4c4a-9877-9f0c5e9982d3",
      "name": "Development Team A",
      "type": "FEDERATION_TOKEN",
      "scope": "SYSTEM",
      "partition": "aws",
      "accountId": "afe1e1ca-60e6-471c-aab6-fe1ced186def",
      "roleArn": "",
      "externalId": "",
      "iamPolicy": "",
      "groups": []
    },
    {
      "id": "1f2d5aee-839e-49ae-8a5b-e9ae27a2f2d8",
      "name": "Development Team B",
      "type": "SESSION_TOKEN",
      "scope": "SYSTEM",
      "partition": "aws",
      "accountId": "afe1e1ca-60e6-471c-aab6-fe1ced186def",
      "roleArn": "",
      "externalId": "",
      "iamPolicy": "",
      "groups": []
    },
    {
      "id": "997a2479-a27c-46fc-9397-9a6bff91b7dd",
      "name": "Operations Team",
      "type": "ASSUME_ROLE",
      "scope": "SYSTEM",
      "partition": "aws",
      "accountId": "afe1e1ca-60e6-471c-aab6-fe1ced186def",
      "roleArn": "arn:aws:iam::123456789012:role/S3Access",
      "externalId": "",
      "iamPolicy": "",
      "groups": []
    }
  ],
  "size": 3
}




/rest/identity-federation-for-aws/2.1/connectors/{id}

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3 (200)


Response Headers
Server: Apache-Coyote/1.1
X-AREQUESTID: 1390x1780x1
X-ASESSIONID: 1dteqyw
X-Seraph-LoginReason: OK
X-AUSERNAME: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 04 Jun 2013 21:10:08 GMT


Response Body
{
  "id": "1521fbf0-fa97-4c4a-9877-9f0c5e9982d3",
  "name": "Development Team A",
  "type": "FEDERATION_TOKEN",
  "scope": "SYSTEM",
  "partition": "aws",
  "accountId": "afe1e1ca-60e6-471c-aab6-fe1ced186def",
  "roleArn": "",
  "externalId": "",
  "iamPolicy": "",
  "groups": []
}



/rest/identity-federation-for-aws/2.1/connectors/{id}/caller-identity

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3/caller-identity (200)


Response Headers
Server: Apache-Coyote/1.1
X-Seraph-LoginReason: OK
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 22 Jul 2016 09:58:31 GMT


Response Body
{
  "account": "248163264128",
  "arn": "arn:aws:sts::248163264128:federated-user/admin",
  "userId": "248163264128:admin"
}



/rest/identity-federation-for-aws/2.1/connectors/{id}/credentials

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3/credentials (200)


Response Headers
Server: Apache-Coyote/1.1
X-AREQUESTID: 1390x1782x1
X-ASESSIONID: 1dteqyw
X-Seraph-LoginReason: OK
X-AUSERNAME: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 04 Jun 2013 21:10:56 GMT


Response Body
{
  "accessKeyId": "ASIJATLAS2XBO2MQ77VQ",
  "secretAccessKey": "FeJioaEdLa0RJsVCSBYAtLaskADEzkq1VFriuJla",
  "sessionToken": "AQoDYXdzEN7//////////wEa8AEmChyr2gLDNxQATlASOWNkI0ORBVCkbPuMdTPQxpQR7NrqxjBo+O13lg2KjKdsxoXfR3fzCG/L0g9k2YQOMWVZjQLkd6cS4F3NL3qa/dtheXaYmcCeUXwJoznMWsXvGV3OQyizKD7hHcQbrYDzJWr1hcoksx03NazuG1xx6uWn8uwcktsyMCwATlasC8tqw6ffozllgQr2eZK1lBPyXWQy7Jwx3EyXLP/rulAhEBE9mrAUzp0xq0Yiekc7I06dSAQT7fBsuHzWoNQ0O8zmX4S35AL+pP+kBzAJZ75qvviNZYmoqXCBcSEOmWLFnyAuCSUg5a+5jQU=",
  "expiration": 1370423461000,
  "partition": "aws"
}
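
An added example (not part of the app's documentation or code) of how a client can handle the credentials response above: it builds the resource URI only for an HTTPS base URL and a UUID connector id, rejects incomplete or nearly expired credentials, and maps the fields to the environment variables read by the AWS CLI and SDKs. The function names, the five-minute safety margin, the host name in the usage note and the reading of expiration as epoch milliseconds are assumptions; all sample values are constructed.

```python
import json
import time
import uuid

API = "/rest/identity-federation-for-aws/2.1/connectors/%s/credentials"
REQUIRED = ("accessKeyId", "secretAccessKey", "sessionToken", "expiration")

# Constructed sample in the shape of the credentials response body above;
# every value is a placeholder, not a real credential.
SAMPLE_BODY = json.dumps({
    "accessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "secretAccessKey": "constructed-secret-value",
    "sessionToken": "constructed-session-token",
    "expiration": 1370423461000,  # assumed to be epoch milliseconds
    "partition": "aws",
})


def credentials_url(base_url, connector_id):
    """Build the resource URI; the body carries secrets, so require HTTPS,
    and accept only a UUID as connector id so nothing else reaches the path."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to fetch credentials over plain HTTP")
    return base_url.rstrip("/") + API % uuid.UUID(connector_id)


def to_aws_env(body, now=None, min_remaining_s=300):
    """Validate a credentials response and map it to AWS CLI/SDK variables."""
    data = json.loads(body)
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        raise ValueError("credentials response lacks: " + ", ".join(missing))
    now = time.time() if now is None else now
    remaining = data["expiration"] / 1000.0 - now
    if remaining < min_remaining_s:
        raise ValueError("credentials expire in %d s; request new ones" % remaining)
    return {
        "AWS_ACCESS_KEY_ID": data["accessKeyId"],
        "AWS_SECRET_ACCESS_KEY": data["secretAccessKey"],
        "AWS_SESSION_TOKEN": data["sessionToken"],
    }


def redact(env):
    """Copy that is safe to log: only the access key id stays readable."""
    return {k: v if k == "AWS_ACCESS_KEY_ID" else "***" for k, v in env.items()}


if __name__ == "__main__":
    print(redact(to_aws_env(SAMPLE_BODY, now=1370420000)))
```

The returned mapping can be merged into the environment of a child process, for instance via the env argument of subprocess.run, so the secret values never appear on a command line.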



/rest/identity-federation-for-aws/2.1/connectors/{id}/console/url

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3/console/url (200)


Response Headers
Server: Apache-Coyote/1.1
X-AREQUESTID: 764x100x1
X-asessionid: 1ycp90k
X-Seraph-LoginReason: OK
X-ausername: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 24 Aug 2015 10:44:11 GMT


Response Body
{
  "url":"http://host:port/context/plugins/servlet/identity-federation-for-aws/aws-console-login/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3"
}



/rest/identity-federation-for-aws/2.1/connectors/{id}/ecr/credentials?region={region}

Methods

GET
Request
GET http://host:port/context/rest/identity-federation-for-aws/2.1/connectors/1521fbf0-fa97-4c4a-9877-9f0c5e9982d3/ecr/credentials?region=us-east-1 (200)


Response Headers
Server: Apache-Coyote/1.1
X-AREQUESTID: 764x100x1
X-asessionid: 1ycp90k
X-Seraph-LoginReason: OK
X-ausername: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 16 Feb 2016 16:55:39 GMT


Response Body
{
  "values": [
    {
      "authorizationToken": "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",
      "expirationDate": "20160217T045542Z",
      "proxyEndpoint": "https://124816326400.dkr.ecr.us-east-1.amazonaws.com",
      "proxyEndpointDomain": "124816326400.dkr.ecr.us-east-1.amazonaws.com",
      "username": "AWS",
      "password": "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"
    }
  ],
  "size": 1
}


REST API v2.1 resources (complete reference)

This is the complete reference of all resources available. You usually won't interact with most of these outside of administrative automation scenarios (e.g. for scripting) - please see the REST API resources (Identity Federation) for this app's actual functionality first.

Resource: Accounts

Warning: You usually only interact with accounts (access keys) for administrative purposes, please see the Connectors resource instead!

/accounts
  • Methods: GET|POST
  • Status: PUBLIC
  • Description: Get all accounts (AWS access keys).
  • Permissions: Administrator

/accounts/{id}
  • Methods: GET|DELETE|PUT
  • Status: PUBLIC
  • Description: Get an account (AWS access keys) identified by its id.
  • Permissions: Administrator

Resource: Connectors

This is the main resource for retrieving temporary AWS security credentials.

/connectors
  • Methods: GET|POST
  • Status: PUBLIC
  • Description: Get all AWS connectors.
  • Permissions: Configurable
  • Comments: GET is the only required method for the token vendor use case, but POST is available for administration purposes.

/connectors/{id}
  • Methods: GET|DELETE|PUT
  • Status: PUBLIC
  • Description: Get an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: GET is the only required method for the token vendor use case, but DELETE|PUT is available for administration purposes.

/connectors/{id}/caller-identity
  • Methods: GET
  • Status: PUBLIC
  • Description: Get details about the IAM identity whose credentials are used to call the API.
  • Permissions: Configurable

/connectors/{id}/credentials
  • Methods: GET
  • Status: PUBLIC
  • Description: Get the temporary AWS security credentials via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: This is the main resource to use for calling AWS services in turn.

/connectors/{id}/console/url
  • Methods: GET
  • Status: PUBLIC
  • Description: Get the URL for SSO with the AWS Management Console via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: The returned URL is not the final one, rather the one to present to users so that following it will yield the SSO with AWS in turn (provided the executing user has permission to use the connector).

/connectors/{id}/ecr/credentials
  • Methods: GET
  • Status: PUBLIC
  • Description: Get temporary Amazon ECR authentication credentials via an AWS connector identified by its id.
  • Permissions: Configurable
  • Comments: Refer to Amazon EC2 Container Registry (Amazon ECR) authentication credentials for details. In addition to the native AWS API response data, the response also provides the properties proxyEndpointDomain, username and password for convenient usage with the Bamboo Docker task.

