
Documentation for Identity Federation for AWS 2.5 – other releases are available in the Identity Federation for AWS Documentation Directory.

Providing AWS Security Credentials

In order to provide temporary AWS security credentials for other add-ons via a REST API and Single Sign-On (SSO) to the AWS Management Console, you need to provide long-term AWS security credentials within Identity Federation for AWS.

No Charge

Usage of Identity Federation for AWS is free for licensees of other Utoolity add-ons that integrate it; see the Licensing & Purchasing FAQ for details.

As of release 2.2, Identity Federation for AWS (Bamboo) also features an AWS Credentials Variables task to provide shared AWS Security Credentials for subsequent tasks without native integration with Identity Federation for AWS.

AWS Credentials Sources

You have the following options to provide AWS Security Credentials:

Identity Federation for AWS

Federated Amazon Web Services access

This is the recommended approach to share and manage AWS credentials:

  • It provides benefits like easy credentials sharing and reuse, fine-grained access control for AWS resources, strong encryption and more.

Refer to the Administrator's Guide for details on how to configure the connectors.

  • Note: this option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available
  • a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
  • you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases

IAM Role for EC2 (Agent)

You can use IAM Roles for Amazon EC2 to optionally skip credentials configuration altogether: if an agent runs on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to use those credentials. The underlying IAM role needs to have a sufficient policy attached to grant the required permissions for the task at hand.


This feature requires the Amazon EC2 instance running the agent to be started with an EC2 instance profile. There are three different scenarios:

  • local agents - requires the hosting Bamboo server itself to run on EC2
  • remote/elastic agents - requires the remote agent to run on EC2
  • elastic agents - requires the elastic agent to run on EC2
    • Tip: As of release 2.4, you can optionally specify the ARN of another role that the agent's IAM role for EC2 should assume via the EC2 instance profile credentials - this enables various scenarios, notably switching to roles across your own AWS accounts and third-party AWS accounts (cross-account IAM roles).
    • Warning: Elastic Bamboo only supports configuring elastic images with an instance profile as of Bamboo 5.6.

AWS China (Beijing) Region

The AWS China (Beijing) Region is an API compatible, but otherwise isolated AWS Region designed to allow China-based and multinational companies to make use of a broad collection of AWS services while remaining in compliance with China's legal and regulatory requirements.

The AWS China (Beijing) Region is supported as such, however:

  • The cn-north-1 region requires dedicated credentials, see Announcing the AWS China (Beijing) Region: "Customers who wish to use the new Beijing Region are required to sign up for a separate set of account credentials unique to the China (Beijing) Region. Customers with existing AWS credentials will not be able to access resources in the new Region, and vice versa."
  • As a company based outside China, we are not currently in a position to test this add-on with the AWS China (Beijing) Region directly. However, the API is compatible in general and this add-on should work accordingly. Please get in touch if things do not work as intended; we are very interested in collaborating on the necessary adjustments.

AWS GovCloud (US) Region

The AWS GovCloud (US) Region is an API compatible, but otherwise isolated AWS Region designed to allow US government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.

The AWS GovCloud (US) Region is an opt-in Labs Feature and not supported yet:

  • The us-gov-west-1 region requires dedicated credentials, see How do Government agencies, contractors and customers access the AWS GovCloud (US) Region?: "Customers cannot sign up for AWS GovCloud (US) through the traditional, online AWS sign up process. AWS must engage with the customer directly to sign an agreement specific to the AWS GovCloud (US) Region. [...]"
  • As a non-US company, we are not currently in a position to test this add-on with the AWS GovCloud (US) Region directly. However, the API is compatible in general and we have done our best to address the documented differences. Please get in touch if things do not work as intended; we are very interested in collaborating on the necessary adjustments.
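
The role ARN option described under IAM Role for EC2 (Agent) and the dedicated credentials of the China and GovCloud regions both limit which role an agent can usefully be configured to assume. The following offline check is an added example, not part of the add-on or its documentation; it is a simplified model (only `Allow` statements are evaluated), and the function names, finding texts and any ARNs or policies passed to it are assumptions supplied by the reader.

```python
import re
from fnmatch import fnmatchcase

ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/(.+)$")

def partition_of(region):
    """Map a region name to its isolated AWS partition."""
    for prefix, part in (("cn-", "aws-cn"), ("us-gov-", "aws-us-gov")):
        if region.startswith(prefix):
            return part
    return "aws"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy, action, match):
    """True if an Allow statement covers `action` and satisfies `match`.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if (stmt.get("Effect") == "Allow" and any(
                fnmatchcase(action.lower(), a) for a in actions) and match(stmt)):
            return True
    return False

def check_role_chain(region, agent_arn, target_arn, agent_policy, trust_policy):
    """Return findings for the agent's EC2 role assuming target_arn."""
    agent, target = ARN_RE.match(agent_arn), ARN_RE.match(target_arn)
    if not agent or not target:
        return ["malformed role ARN"]
    findings = []
    # Credentials are partition-specific (aws, aws-cn, aws-us-gov).
    if {agent.group(1), target.group(1)} != {partition_of(region)}:
        findings.append("partition mismatch: credentials do not cross partitions")
    # The agent role's own policy must allow sts:AssumeRole on the target.
    if not _allows(agent_policy, "sts:AssumeRole", lambda s: any(
            fnmatchcase(target_arn, r) for r in _as_list(s.get("Resource", [])))):
        findings.append("agent role policy does not allow sts:AssumeRole on target")
    # The target role's trust policy must name the agent role or its account.
    root = f"arn:{agent.group(1)}:iam::{agent.group(2)}:root"
    def trusted(stmt):
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in names:
            findings.append("trust policy allows any AWS principal")
        return any(n in (agent_arn, root, agent.group(2), "*") for n in names)
    if not _allows(trust_policy, "sts:AssumeRole", trusted):
        findings.append("target trust policy does not trust the agent role")
    return findings
```

An empty result means the modelled checks pass; a wildcard principal in the trust policy is reported even though the assumption itself would succeed.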

Atlassian®, Atlassian Bamboo®, Bitbucket®, Atlassian Crowd®, Confluence®, Jira®, Jira Service Management™, Opsgenie®, and Statuspage™ are registered trademarks of Atlassian.
Amazon Web Services™, AWS™ and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Utoolity® is a registered trademark of Utoolity GmbH.
© 2024 Utoolity GmbH. All rights reserved.