AWS Credentials Variables task and Tasks for AWS
The AWS Credentials Variables task complements the dedicated AWS build and deployment tasks offered by Tasks for AWS by providing managed temporary AWS security credentials as Bamboo variables for tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line or environment variables, for example the AWS Command Line Interface (AWS CLI).
Usage of the AWS Credentials Variables task is free for Tasks for AWS licensees; see Do I need an Identity Federation for AWS license when using it from another Utoolity app like Automation with AWS or Tasks for AWS? for details.
Configuration
Address limitations with the AWS CLI
The most frequent use case for the AWS Credentials Variables task is to address scenarios not (yet) covered by dedicated tasks, see How to work around limitations with the AWS Command Line Interface (AWS CLI) for details.
To configure an AWS Credentials Variables task:
Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).
Click the name of an existing AWS Credentials Variables task, or click Add Task and then AWS Credentials Variables to create a new task.
Complete the following settings:
Setting | Description
Task Description | (Optional) Identify the purpose of the task.
Disable this task | Check, or clear, to selectively run this task.
Add Caller Identity | Check to add variables with details about the IAM identity whose credentials are used to call the API (see get-caller-identity). Clear to skip the additional API call required to retrieve these details.
Bamboo Variables |
Namespace | Provide the namespace for generated variables.
Scope | Select the scope for generated variables:
AWS Security Credentials |
Source | Select the AWS Credentials Source (see below): either Identity Federation for AWS or an IAM Role for EC2.
Connector | (Conditional) Select the shared Identity Federation for AWS Connector. Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as
Role ARN | (Conditional | Optional) Specify the ARN of another role that the agent's IAM role for EC2 should assume.
AWS Credentials Sources
IAM Policy
The AWS Credentials Variables task requires IAM permissions to retrieve temporary security credentials via the AWS Security Token Service (STS) - an all-encompassing policy might look as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetFederationToken",
                "sts:GetSessionToken"
            ],
            "Resource": [ "*" ]
        }
    ]
}
Refer to Granting Permissions to Create Temporary Security Credentials for details on how to create more granular/secure policies, for example:
- remove permissions for any Action allowing unused principal types
- further restrict permissions via more specific Resource declarations
You have the following options to provide AWS Security Credentials:
Identity Federation for AWS
Federated Amazon Web Services access
This is the recommended approach to share and manage AWS credentials:
- It provides benefits like easy credentials sharing and reuse, fine-grained access control for AWS resources, strong encryption and more.
- Refer to Administering Identity Federation for AWS for details on how to configure the connectors.
- This option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available.
- A connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions).
- You can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases.
IAM Role for EC2 (Agent)
You can use IAM Roles for Amazon EC2 to optionally skip credentials configuration altogether: if an agent happens to run on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to use those credentials. Of course, the underlying IAM role needs to have sufficient permissions for the task at hand.
This credentials source requires the agent to be running on an Amazon EC2 instance started with an instance profile, which yields three scenarios:
- local agent - requires the hosting Bamboo server itself to run on EC2
- remote agent - requires the remote agent to run on EC2
- elastic agent - requires the elastic agent to run on EC2
- You can optionally specify the ARN of another role that the agent's IAM role for EC2 should assume via the instance profile credentials. This enables various scenarios, notably switching to roles across your own AWS accounts and third-party AWS accounts (cross-account IAM roles).
Usage
Bamboo variables
This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:
Bamboo variables
${bamboo.custom.aws.accessKeyId}
${bamboo.custom.aws.secretAccessKey.password}
${bamboo.custom.aws.sessionToken.password}
${bamboo.custom.aws.connector.id}
${bamboo.custom.aws.connector.name}
# Optional: the callerIdentity namespace is only present when option 'Add Caller Identity' is checked.
${bamboo.custom.aws.callerIdentity.account}
${bamboo.custom.aws.callerIdentity.arn}
${bamboo.custom.aws.callerIdentity.userId}
The '*.password' suffix ensures that these sensitive variables are masked with asterisks ('*******') in the Bamboo build log.
An alternative representation as a JSON object for automated processing with tools like jq is available too:
Bamboo variables (alternative representations)
${bamboo.custom.aws.credentials.json.password}
# Optional: the callerIdentity namespace is only present when option 'Add Caller Identity' is checked.
${bamboo.custom.aws.callerIdentity.json}
Environment variables
The variables above are also available as environment variables for use in Bamboo Script tasks. The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):
Bash (Unix shell)
export AWS_ACCESS_KEY_ID=$bamboo_custom_aws_accessKeyId
export AWS_SECRET_ACCESS_KEY=$bamboo_custom_aws_secretAccessKey_password
export AWS_SESSION_TOKEN=$bamboo_custom_aws_sessionToken_password
PowerShell
$Env:AWS_ACCESS_KEY_ID = $Env:bamboo_custom_aws_accessKeyId
$Env:AWS_SECRET_ACCESS_KEY = $Env:bamboo_custom_aws_secretAccessKey_password
$Env:AWS_SESSION_TOKEN = $Env:bamboo_custom_aws_sessionToken_password
Windows Command Prompt (cmd)
set AWS_ACCESS_KEY_ID=%bamboo_custom_aws_accessKeyId%
set AWS_SECRET_ACCESS_KEY=%bamboo_custom_aws_secretAccessKey_password%
set AWS_SESSION_TOKEN=%bamboo_custom_aws_sessionToken_password%
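As an added example for the Bash case above (not Utoolity's own code), the following Script task snippet maps the task's variables to the AWS CLI environment and fails the build early if the task output for the namespace is missing, so a half-configured task never reaches the AWS CLI with an access key but no session token. It assumes the default namespace 'aws' shown in the variable names above and uses constructed placeholder values in place of the real build-time ones.

```shell
#!/bin/sh
# Constructed placeholder values standing in for what the AWS Credentials
# Variables task exports at build time (namespace "aws"); not real credentials.
export bamboo_custom_aws_accessKeyId="ASIACONSTRUCTEDEXAMPLE"
export bamboo_custom_aws_secretAccessKey_password="constructed-secret-key"
export bamboo_custom_aws_sessionToken_password="constructed-session-token"

# bamboo_env_name: turn a Bamboo variable reference such as
# ${bamboo.custom.aws.secretAccessKey.password} into the environment
# variable name a Script task sees (braces dropped, dots -> underscores).
bamboo_env_name() {
  printf '%s\n' "$1" | sed -e 's/^\${//' -e 's/}$//' -e 's/\./_/g'
}

# export_aws_env: export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
# AWS_SESSION_TOKEN from the task's variables for namespace $1.
# Returns 1 and exports nothing if any of the three is unset or empty, so the
# build stops here instead of failing later with an AWS CLI auth error.
export_aws_env() {
  ns="$1"
  key=$(eval "printf '%s' \"\${bamboo_custom_${ns}_accessKeyId:-}\"")
  secret=$(eval "printf '%s' \"\${bamboo_custom_${ns}_secretAccessKey_password:-}\"")
  token=$(eval "printf '%s' \"\${bamboo_custom_${ns}_sessionToken_password:-}\"")
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "AWS Credentials Variables task output for namespace '$ns' not found" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key"
  export AWS_SECRET_ACCESS_KEY="$secret"
  export AWS_SESSION_TOKEN="$token"
}

# Typical use at the top of a Script task: stop if the task did not run first.
export_aws_env aws || exit 1
```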
How-to Articles
Frequently Asked Questions (FAQ)