I have a SemaphoreCI organization, let it be eXamPle.semaphoreci. There is a project in this organization named pRojeCt. This project is connected to the GitHub repository github/OrgName/pRojeCt. I want to establish a connection to AWS from a SemaphoreCI pipeline using an OIDC token. I have created an IAM role with the needed permissions whose ARN is arn:aws:iam::123456789012:role/SEMAPHORE-CI-ROLE. I have set the trust policy for this role:

"Condition": {
    "StringEquals": {
        "eXamPle.semaphoreci:aud": "https://eXamPle.semaphoreci"
    },
    "StringLike": {
        "eXamPle.semaphoreci:sub": "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9:repo:OrgName/pRojeCt:ref_type:branch:ref:refs/heads/*"
    }
}

I have added such commands to the Semaphore job:

jobs:
  - name: "Test IAM role connection"
    commands:
      - checkout
      - export ROLE_ARN="arn:aws:iam::123456789012:role/SEMAPHORE-CI-ROLE"
      - export SESSION_NAME="semaphore-job-$SEMAPHORE_JOB_ID"
      - export CREDENTIALS=$(aws sts assume-role-with-web-identity --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --web-identity-token $SEMAPHORE_OIDC_TOKEN)
      - export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId')
      - export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.Credentials.SessionToken')
      - export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey')
      - aws sts get-caller-identity

But aws sts get-caller-identity returns the error: Unable to locate credentials. You can configure credentials by running "aws configure". I tried to echo the $SEMAPHORE_OIDC_TOKEN variable, but it's empty. What am I doing wrong?

asked Jan 22 at 15:26 by ChoosenOne, edited Jan 22 at 15:48
  • This looks more like a question for devops.stackexchange or serverfault – tevemadar Commented Jan 22 at 16:26
  • @tevemadar There is no DevOps on stackoverflow? – ChoosenOne Commented Jan 22 at 16:47
  • Historically there are questions like this here, just now there exists a specific site for the topic. – tevemadar Commented Jan 22 at 17:01
  • my hunch is that your commands run in different shells, like a make job, not in the shared shell. And the shell probably isn't configured to exit on command failures or undefined variables. – erik258 Commented Jan 22 at 17:55
  • The first question you should be asking yourself is, did aws sts assume-role-with-web-identity work. Then you can answer the other questions based on how semaphore commands are implemented. – erik258 Commented Jan 22 at 17:56

1 Answer

Ok, sorry, guys! I'm not sure if the trust policy is OK, but our team has the Startup billing plan, which doesn't support OIDC for now...

BTW, someone had given an answer about checking the billing plan, but he removed it for some reason...

UPDATE: After our team switched to the Scaleup billing plan, we modified the trust relationship a bit:

    "StringLike": {
        "eXamPle.semaphoreci:sub": "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9:repo:pRojeCt:ref_type:branch:ref:refs/heads/*"
    }

SemaphoreCI has successfully connected to AWS!
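As an added example (not code from the post, nor from Semaphore or AWS), here is a bash script that checks the token the asker found empty before it is handed to STS: it decodes the JWT payload, compares the `sub` claim against the trust policy's StringLike pattern, and only then does the exchange with proper quoting. The `org:`-prefixed sub format, the demo token contents and the helper names are assumptions constructed for this example; `aws` and `jq` are only needed by `assume_role`.

```shell
#!/usr/bin/env bash
set -eu

# base64url-encode a string without padding, as JWT segments are encoded.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode the payload (second segment) of a JWT: undo the base64url
# alphabet and restore the '=' padding that JWTs strip.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Extract a top-level string claim from a compact (unspaced) JWT payload.
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Fail if the token is empty or its sub does not match the StringLike
# pattern from the role's trust policy (shell globbing uses the same '*').
check_token() {
  local token=$1 pattern=$2 sub
  if [ -z "$token" ]; then
    echo "SEMAPHORE_OIDC_TOKEN is empty: OIDC is not enabled for this job" >&2
    return 1
  fi
  sub=$(jwt_claim "$token" sub)
  case "$sub" in
    $pattern) return 0 ;;
    *) echo "sub '$sub' does not match trust policy '$pattern'" >&2; return 2 ;;
  esac
}

# Exchange the token for temporary credentials. Quoting keeps the token
# from being word-split; one script keeps all exports in the same shell.
assume_role() {
  local creds
  creds=$(aws sts assume-role-with-web-identity --role-arn "$1" \
    --role-session-name "$2" --web-identity-token "$SEMAPHORE_OIDC_TOKEN")
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | jq -r .Credentials.AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | jq -r .Credentials.SecretAccessKey)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | jq -r .Credentials.SessionToken)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Constructed, unsigned demo token for offline use (signature is a placeholder).
make_demo_token() {
  local payload='{"sub":"org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9:repo:pRojeCt:ref_type:branch:ref:refs/heads/main","aud":"https://eXamPle.semaphoreci"}'
  printf '%s.%s.%s' "$(b64url '{"alg":"RS256","typ":"JWT"}')" "$(b64url "$payload")" sig
}
```

In the job, call `check_token "${SEMAPHORE_OIDC_TOKEN:-}" 'org:eXamPle:project:*:repo:pRojeCt:ref_type:branch:ref:refs/heads/*'` first, then `assume_role "$ROLE_ARN" "$SESSION_NAME"` followed by `aws sts get-caller-identity`, all from the same script.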
