diff --git a/README.md b/README.md
index 2542a09..af49f2b 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ resources:
     source:
       access_key_id: {{aws-access-key}}
       secret_access_key: {{aws-secret-key}}
+      aws_role_arn: arn:aws:iam::{{s3_account_id}}:role/{{s3_user}}
       bucket: {{aws-bucket}}
       path: [, use to sync to a specific path of the bucket instead of root of bucket]
       change_dir_to: []
@@ -32,7 +33,7 @@ jobs:
 
 ## AWS Credentials
 
-The `access_key_id` and `secret_access_key` are optional and if not provided the EC2 Metadata service will be queried for role based credentials.
+The `access_key_id`, `secret_access_key` and `aws_role_arn` are optional and if not provided the EC2 Metadata service will be queried for role based credentials.
 
 ## change_dir_to
 
diff --git a/assets/check b/assets/check
index fe6980c..c95f77e 100755
--- a/assets/check
+++ b/assets/check
@@ -8,6 +8,7 @@ set -e
 payload=`cat`
 bucket=$(echo "$payload" | jq -r '.source.bucket')
 prefix="$(echo "$payload" | jq -r '.source.path // ""')"
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
@@ -18,6 +19,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+      $(aws sts assume-role \
+        --role-arn $role \
+        --role-session-name $session_name \
+        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+        --output text))
+  fi
 fi
 
 # Export AWS_DEFAULT_REGION if set
diff --git a/assets/in b/assets/in
index f20410c..44d68a4 100755
--- a/assets/in
+++ b/assets/in
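Review bot: A failing `aws sts assume-role` in the new block of assets/check does not stop the script: the call is a command substitution used as an argument to `export`, and `set -e` (enabled at the top of the file) only checks the exit status of `export` itself, so a wrong ARN, a missing `sts:AssumeRole` grant or revoked keys is swallowed and the check silently continues with the long-lived `access_key_id`/`secret_access_key` — the opposite of what a caller who configured `aws_role_arn` intends. Capturing the output in an assignment first (which `set -e` does check) and refusing to continue on failure or empty output closes that fallback; `$role` and `$session_name` should be quoted at the same time. The rewritten block is below; the surrounding `if [ -n "$AWS_ACCESS_KEY_ID" ] ... fi` is unchanged.
```shell
  if [ -n "$role" ]; then
    session_name="concourse-s3-check-$(date +%s)"
    # assignment of a command substitution is checked by `set -e`, an argument to `export` is not
    creds=$(aws sts assume-role \
      --role-arn "$role" \
      --role-session-name "$session_name" \
      --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
      --output text) || { echo "failed to assume role $role" >&2; exit 1; }
    [ -n "$creds" ] || { echo "assume-role returned no credentials for $role" >&2; exit 1; }
    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $creds)
  fi
```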
@@ -19,6 +19,7 @@ payload=`cat`
 bucket=$(echo "$payload" | jq -r '.source.bucket')
 path=$(echo "$payload" | jq -r '.source.path // ""')
 options=$(echo "$payload" | jq -r '.source.options // [] | join(" ")')
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
@@ -29,6 +30,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+      $(aws sts assume-role \
+        --role-arn $role \
+        --role-session-name $session_name \
+        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+        --output text))
+  fi
 fi
 
 # Export AWS_DEFAULT_REGION if set
diff --git a/assets/out b/assets/out
index 14ac646..d523a19 100755
--- a/assets/out
+++ b/assets/out
@@ -22,6 +22,7 @@ bucket=$(echo "$payload" | jq -r '.source.bucket')
 path=$(echo "$payload" | jq -r '.source.path // ""')
 options=$(echo "$payload" | jq -r '.source.options // [] | join(" ")')
 change_dir_to=$(echo "$payload" | jq -r '.source.change_dir_to // "." ')
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
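Review bot: `--role-session-name $session_name` with `session_name=$(date +%s)` in the assets/in hunk makes every assumed-role ARN and CloudTrail record a bare epoch number, so an auditor cannot tell an `in` session from the identical `check` and `out` sessions, and both `$role` and `$session_name` are expanded unquoted. Naming the caller in the session, `session_name="concourse-s3-in-$(date +%s)"`, and quoting the two arguments, `--role-arn "$role"` and `--role-session-name "$session_name"`, fixes both; STS session names are limited to 2–64 characters from `[\w+=,.@-]`, which that value satisfies. The same applies to the matching blocks in check and out.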
@@ -32,6 +33,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+      $(aws sts assume-role \
+        --role-arn $role \
+        --role-session-name $session_name \
+        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+        --output text))
+  fi
 fi
 
 # re-enable trace since we're done interacting with sensitive values
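Review bot: The new `if [ -n "$role" ]` block in assets/out is nested inside `if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]`, so when credentials come from the EC2 metadata service — the fallback the README describes for all three of `access_key_id`, `secret_access_key` and `aws_role_arn` — `aws_role_arn` is silently ignored and the push runs with the instance role's own permissions rather than the configured role. If that is intentional, the README should say `aws_role_arn` is only honoured together with static keys; otherwise move the block after the outer `fi`, since the instance credentials are a valid source for `sts assume-role` as well. One placement detail is right as written: the block sits before the `# re-enable trace ...` comment, so the session token is presumably not echoed by `set -x` (the `set +x` itself is outside this hunk).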