Assume role instructions #37

Merged
merged 4 commits into from
Mar 22, 2024
8 changes: 6 additions & 2 deletions .gitignore
Expand Up @@ -162,7 +162,11 @@ cython_debug/
.aws-sam
src.zip

backend.tf
terraform-provider*
.terraform*
*.zip
*.zip

creds

# to prevent a dev from commiting and pushing values that should not be public ;)
assume-role.sh
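Review bot: the new `assume-role.sh` entry at the end of the hunk will not prevent a developer from committing a real account ID into `maintainers/assume-role.sh`, because that file is tracked in this same PR and `.gitignore` only applies to untracked files; `git status` will still list the edited placeholder and `git add -A` will stage it. Either have the script read the account ID from an environment variable or from a genuinely untracked file (the `creds` entry added here would serve), or document `git update-index --skip-worktree maintainers/assume-role.sh` for local edits. Also, `*.zip` now appears twice in the rendered hunk, so one of the two lines is redundant, and the comment misspells `committing`.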
23 changes: 22 additions & 1 deletion maintainers/README.md
Expand Up @@ -17,4 +17,25 @@ explicitely set between an IAM role and this specific GitHub project
### AWS IAM role and policies

get inspiration from `policies.json` to figure out what permissions need to be
assigned to the Role used by OIDC/GitHub Actions
assigned to the Role used by OIDC/GitHub Actions

## locally

running Terraform locally is also possible to speed up the feedback loop:

(required: have `aws cli`, `tfswitch`, and `pipenv` installed on your local machine)

- get an aws dev-user from us and create an Access key on AWS web console
- configure your aws cli with your these credentials

```bash
# answer interactive prompt

aws config
```

- run homemade [assume-role.sh](assume-role.sh) script to be able to perform actions on aws

```bash
source assume-role.sh
```
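Review bot: `aws config` in the first fenced block is not an AWS CLI command; the interactive credential prompt is `aws configure`, so the steps as written fail for a new maintainer at the second bullet. Two wording fixes in the same hunk: `configure your aws cli with your these credentials` has a stray word, and the context line reads `explicitely` for `explicitly`. Since the bullet asks developers to create a long-lived access key in the console, it is worth stating that this key only needs permission to assume the role the script targets, so the long-lived credential itself carries no Terraform permissions and the blast radius of a leaked key stays small.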
38 changes: 38 additions & 0 deletions maintainers/assume-role.sh
@@ -0,0 +1,38 @@
#!/bin/bash

AWS_ACCOUNT_ID_NUMBER="YOU_AWS_ACCOUNT_ID_NUMBER_HERE"

## execute this script either:
## source assume-role.sh
## or
## . assume-role.sh

unset "AWS_ACCESS_KEY_ID"
unset "AWS_SECRET_ACCESS_KEY"
unset "AWS_SESSION_TOKEN"

# Parse JSON input and extract required values
parse_json() {
local json=$1
local key=$2
local value=$(echo "$json" | jq -r ".$key")
echo "$value"
}

# Read JSON input from command's output
json_input=$(aws sts assume-role --role-arn arn:aws:iam::"${AWS_ACCOUNT_ID_NUMBER}":role/github-action-terraform-oidc --role-session-name "dev-local")

# Extract required values
access_key_id=$(parse_json "$json_input" "Credentials.AccessKeyId")
secret_access_key=$(parse_json "$json_input" "Credentials.SecretAccessKey")
session_token=$(parse_json "$json_input" "Credentials.SessionToken")

# Export values to environment variables
export AWS_ACCESS_KEY_ID="$access_key_id"
export AWS_SECRET_ACCESS_KEY="$secret_access_key"
export AWS_SESSION_TOKEN="$session_token"

# Print exported variables for verification
echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
echo "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
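Review bot: the `json_input=$(aws sts assume-role ...)` line exports whatever the call returns without checking that it succeeded; if it fails (wrong account ID, missing trust policy, expired dev credentials) `json_input` is empty, `jq -r` prints `null`, and the shell is left with `AWS_ACCESS_KEY_ID=null` exported, which is confusing to debug. Check the exit status before exporting, e.g. `json_input=$(aws sts assume-role ...) || { echo "assume-role failed" >&2; return 1; }` (`return` rather than `exit`, since the file is meant to be sourced). The three `echo` lines at the end also print the secret access key and session token to the terminal, which puts them in scrollback, terminal logs and screen recordings; printing only `AWS_ACCESS_KEY_ID`, or running `aws sts get-caller-identity`, is enough to verify the role was assumed. The `parse_json` helper can be replaced by `aws sts assume-role ... --query Credentials.AccessKeyId --output text` or a single `jq` invocation, and as written `local value=$(...)` masks the `jq` exit status.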