You can use the AWS Credentials Variables task to provide managed temporary AWS security credentials for other tools by injecting them into AWS unaware tasks like the Bamboo Script task. This improves versatility for using tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line or environment variables.

AWS Credentials Variables task and Tasks for AWS

The AWS Credentials Variables task complements the dedicated AWS build and deployment tasks offered by Tasks for AWS by providing managed temporary AWS security credentials as Bamboo variables for tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line or environment variables, for example the AWS Command Line Interface (AWS CLI).

Usage of the AWS Credentials Variables task is free for Tasks for AWS licensees, see the Licensing & Purchasing FAQ for details.

On this page:

Related Pages:

Identity Federation for AWS
- Administrator's Guide
Tasks for AWS
- AWS Security Credentials
- Using Tasks for AWS
Atlassian Bamboo
- Configure a Bamboo task to use a script executable
- Configure a Bamboo task to inject variables

Configuration

Address limitations with the AWS CLI

The most frequent use case for the AWS Credentials Variables task is to address scenarios not (yet) covered by dedicated tasks, see How to work around limitations with the AWS Command Line Interface (AWS CLI) for details.

To configure an AWS Credentials Variables task:

Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).
Click the name of an existing AWS Credentials Variables task, or click Add Task and then AWS Credentials Variables to create a new task.

Complete the following settings:

Task Description	(Optional) Identify the purpose of the task.
Disable this task	Check, or clear, to selectively run this task.
Source	Select the AWS Credentials Source (see below). Can be either Identity Federation for AWS or an IAM Role for EC2.
Connector	(Conditional) Select the shared Identity Federation for AWS Connector. Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as `f24e81bc-7aff-42db-86a2-7cf82e24d871`) - refer to How to parametrize the AWS connector via a Bamboo variable for details.

AWS Credentials Sources

You currently have two option to provide AWS Security Credentials:

Identity Federation for AWS

Federated Amazon Web Services access

This is the recommended approach to share and manage AWS credentials:

It provides benefits like easy credentials sharing and reuse, fine grained access control for AWS resources, strong encryption and more.

Refer to the Administrator's Guide for details on how to configure the connectors.

this option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available
a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases

IAM Role for EC2 (Agent)

You can use IAM Roles for Amazon EC2 to optionally skip credentials configuration all together: if an agent happens to run on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to facilitate those credentials. Of course, the underlying IAM role needs to have a sufficient policy attached to grant the the required permissions for the task at hand.

This feature requires the Amazon EC2 instance running the agent to be started with an EC2 instance profile. There are three different scenarios:

local agents - requires the hosting Bamboo server itself to run on EC2
remote/elastic agents - requires the remote agent to run on EC2
elastic agents - requires the elastic agent to run on EC2
- Elastic Bamboo only supports configuring elastic images with an instance profile as of Bamboo 5.6.

Usage

Bamboo variables

This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:

Bamboo variables

${bamboo.custom.aws.accessKeyId}
${bamboo.custom.aws.secretAccessKey.password}
${bamboo.custom.aws.sessionToken.password}

The '*.password' suffix ensures that these sensitive variables are masked with asterisks ('*******') in the Bamboo build log.

An alternative representation as a JSON object for automated processing with tools like jq is available too:

Bamboo variables (alternative representations)

${bamboo.custom.aws.credentials.json.password}

Environment variables

Aforementioned variables will also be available as environment variables for use in Bamboo Script tasks. The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):

Bash (Unix shell)

export AWS_ACCESS_KEY_ID=$bamboo_custom_aws_accessKeyId
export AWS_SECRET_ACCESS_KEY=$bamboo_custom_aws_secretAccessKey_password
export AWS_SESSION_TOKEN=$bamboo_custom_aws_sessionToken_password

PowerShell

$AWS_ACCESS_KEY_ID = $bamboo_custom_aws_accessKeyId
$AWS_SECRET_ACCESS_KEY = $bamboo_custom_aws_secretAccessKey_password
$AWS_SESSION_TOKEN = $bamboo_custom_aws_sessionToken_password

Windows Command Prompt (cmd)

set AWS_ACCESS_KEY_ID=%bamboo_custom_aws_accessKeyId%
set AWS_SECRET_ACCESS_KEY=%bamboo_custom_aws_secretAccessKey_password%
set AWS_SESSION_TOKEN=%bamboo_custom_aws_sessionToken_password%

How-to Articles

Questions:
Can I use the Amazon EC2 Container Registry (ECR) with the built-in Bamboo Docker task?
Page:
Can I use the Amazon EC2 Container Registry (ECR) with the built-in Bamboo Docker task?
Page:
How do I ensure I set up my AWS account securely? — Learn about this recent AWS solution in How do I ensure I set up my AWS account securely?:
AWS provides many account-level security options and tools that allow customers to meet their security objectives and implement the appropriate controls for their business functions. This webpage provides baseline security guidance for AWS accounts to help customers gain confidence that they have securely set up and initialized an account according to AWS best practices. For additional security guidance on managing multiple AWS accounts, see the AWS Multiple Account Security Strategy Solution Brief.
The following sections assume basic knowledge of AWS accounts, AWS Identity and Access Management (IAM), AWS CloudTrail, Amazon CloudWatch, AWS Config, and Amazon Simple Storage Service (Amazon S3).
[...]
AWS Answers related to Utoolity apps

Our AWS Answers collection provides a curated set of links to AWS solutions related to Utoolity apps in the Atlassian Marketplace.
Page:
How do I manage multiple AWS accounts for billing purposes? — Learn about this recent AWS solution in How do I manage multiple AWS accounts for billing purposes?:
Amazon Web Services (AWS) enables customers to achieve significant gains in productivity, innovation, and cost reduction when they move to the AWS cloud. AWS offers a variety of services and features that allow for flexible control of cloud computing resources and also of the AWS account(s) managing those resources. These options help to ensure proper cost allocation, agility, and security, however customers are sometimes unsure of how to best implement an account strategy—especially when working with multiple AWS accounts. This webpage provides customers with account-level considerations, best practices, and high-level strategic guidance to help customers use AWS Organizations to structure and manage multiple AWS accounts for billing purposes. For information about organizing multiple accounts for security purposes, see the AWS Multiple Account Security Strategy Solution Brief.
[...]
AWS Answers related to Utoolity apps

Our AWS Answers collection provides a curated set of links to AWS solutions related to Utoolity apps in the Atlassian Marketplace.
Page:
How do I manage multiple AWS accounts for security purposes? — Learn about this recent AWS solution in How do I manage multiple AWS accounts for security purposes?:
Amazon Web Services (AWS) is designed to enable customers to achieve huge gains in productivity, innovation, and cost reduction when they move to the AWS cloud. AWS offers a variety of services and features that allow for flexible control of cloud computing resources and also of the AWS account(s) managing those resources. On the account level, these options are designed to help provide proper cost allocation, agility, and security, however customers are sometimes unsure of how to best implement an account strategy—especially when working with multiple AWS accounts. This webpage provides customers with account-level considerations, best practices, and high-level strategic guidance to help structure and manage multiple AWS accounts for security purposes. It also introduces a prescriptive, automated AWS solution that uses AWS Directory Service to authenticate with existing credentials, helping customers implement an identity-based security structure for their AWS accounts. For information about organizing multiple accounts for billing purposes, see the AWS Multiple Account Billing Strategy Solution Brief.
[...]
AWS Answers related to Utoolity apps

Our AWS Answers collection provides a curated set of links to AWS solutions related to Utoolity apps in the Atlassian Marketplace.
Page:
How do I set up IAM for my organization? — Learn about this recent AWS solution in How do I set up IAM for my organization?:
AWS Identity and Access Management (IAM) is a powerful and flexible web service for controlling access to AWS resources. IAM enables customers to leverage the agility and efficiency of the cloud while maintaining secure control of their organization’s AWS infrastructure. IAM Administrators new to AWS can be sometimes overwhelmed by the options available as they face competing goals: securing the environment while quickly enabling new users to accomplish their jobs. Further complicating the task, the initial controls they implement must grow and adapt without disrupting productivity as the company navigates its path to the cloud
This webpage provides best practices and guidance to help IAM administrators quickly establish an initial set of controls that protect their infrastructure, empower users, and allow for growth and change in their organization’s use of AWS. The following sections assume a working knowledge of how to configure the IAM service.
[...]
AWS Answers related to Utoolity apps

Our AWS Answers collection provides a curated set of links to AWS solutions related to Utoolity apps in the Atlassian Marketplace.
Page:
How to parametrize the AWS connector via a Bamboo variable
Page:
How to parametrize the AWS region via a Bamboo variable

Browser not supported