⚠️ Protect your credentials!
ℹ️ Refer to offical provider documentation for the latest credential management recommendations and options.
PIPY's v2 release is NOT
maintained by AWS
Instead, install it directly from git or through your package manager.
If v1 is installled it will have the same executable name as v2.
$ sudo pip3 install https://github.com/aws/aws-cli/archive/refs/heads/v2.zip
AWS Access Key and Secret Access Key configuration:
$ aws configure
When creating an application, such as a github action, OpenID connect might be preferred to avoid the use of long-term credentials. This requires an AWS account with IAM permissions.
Setup has 3 main steps:
- Create an IAM identity provider.
- Create an IAM role with permissions/policies and tie it back to the IAM identity provider.
- Note the role's arn and setup an environment for OIDC.
Console setup for Github Actions:
-
Inside of the AWS console, go to
IAM
, thenIdentity Providers
and click onAdd provider
. -
Select
Web Identity
and setup the identity provider, audience, and restrict the role by Organization, Repo or Branch. Step 2 will ask for permissions and permission boundaries, which are skipped here. Make sure to restrict permissions instead of usingAdministratorAccess
which grants all permissions. Fill out step 3, create the role and make note of the role name and role arn.
- The
trust policy
cannot be edited whenWeb Identity
is selected but you can take the json and use it as a base withCustom Trust Policy
. In this case, we will only check if the credentials are valid withaws sts get-caller-identity
from any EnterpriseDB repo or branch.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal": {
"Federated": "arn:aws:iam::<ARN_ID>:oidc-provider/token.actions.githubusercontent.com"
},
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": [
"sts.amazonaws.com"
]
},
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:EnterpriseDB/*"
]
}
}
}
]
}
- Go back to the identity provider and assign the role you created.
- OIDC can now be used within a github workflow. This requires some permissions for the token to read/write and the role's arn.
name: Infrastructure
on:
workflow_dispatch:
permissions:
id-token: write
contents: read
jobs:
credentials:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::<ROLE_ARN>:role/<ROLE_NAME>
role-session-name: github-actions
aws-region: us-east-1
- name: Check if AWS credentials are valid
shell: bash
run: aws sts get-caller-identity
- Go back to your role to open or restrict credential permissions and adjust workflow permissions as needed.
#!/bin/bash
# Modify as needed as the script assumes
# - the current user has the necessary permissions to create the role.
# - Minimal role permissions to test the connection with github actions.
# Creates:
# - The OIDC provider
# - A role for use with Github Actions
# https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
set -eou pipefail
FORCE_RECREATE_ROLE=false
ROLE_NAME="EXAMPLE_ACTION_ROLE"
ORGANIZATION="EnterpriseDB"
REPO="SET_TO_REPO_NAME"
IDP_URL="token.actions.githubusercontent.com"
OIDC_THUMBPRINT="6938fd4d98bab03faadb97b34396831e3780aea1"
AUDIENCE="sts.amazonaws.com"
POLICY_FILE="assume-role-policy-document.json"
# Get current accounts ARN ID
echo "Getting ARN ID from current user"
ARN_ID=$(aws sts get-caller-identity | jq -r '.Account')
echo "ARN ID: ${ARN_ID}"
PROVIDER_ARN="arn:aws:iam::${ARN_ID}:oidc-provider/${IDP_URL}"
# Create the OIDC provider
echo "Checking if OIDC provider exists: ${IDP_URL}"
if aws iam list-open-id-connect-providers | grep -q "${PROVIDER_ARN}"
then
echo "OIDC provider already exists"
else
echo "OIDC provider does not exist"
echo "Creating OIDC provider: ${IDP_URL}"
aws iam create-open-id-connect-provider --url "https://${IDP_URL}" \
--thumbprint-list "${OIDC_THUMBPRINT}" \
--client-id-list "${AUDIENCE}"
fi
# Create permissions for the role
# Creating roles doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html#roles-creatingrole-identityprovider-cli
# Restrict by organization and repo: repo:OWNER/REPOSITORY:*
# Restrict by organization, repo, and branch: repo:OWNER/REPOSITORY:ref:refs/heads/BRANCH_NAME
# Restrict by repo environment: repo:OWNER/REPOSITORY:environment:NAME
echo "Creating permissions for the role - filename: ${POLICY_FILE}"
cat << EOF > "${POLICY_FILE}"
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal": {
"Federated": "arn:aws:iam::${ARN_ID}:oidc-provider/${IDP_URL}"
},
"Condition": {
"StringEquals": {
"${IDP_URL}:aud": [
"${AUDIENCE}"
]
},
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:${ORGANIZATION}/${REPO}:*"
]
}
}
}
]
}
EOF
# Create the role
echo "Creating role: ${ROLE_NAME}"
# Check if the role exists, delete it and recreate it
if [ "${FORCE_RECREATE_ROLE}" = "true" ] || [ "${FORCE_RECREATE_ROLE}" = "1" ] && \
aws iam get-role --role-name "${ROLE_NAME}" > /dev/null 2>&1
then
echo "Role already exists, deleting role: ${ROLE_NAME}"
ROLE_PROFILES=$(aws iam list-instance-profiles-for-role --role-name "${ROLE_NAME}")
ROLE_INLINE_POLICIES=$(aws iam list-role-policies --role-name "${ROLE_NAME}")
ROLE_ATTACHED_POLICIES=$(aws iam list-attached-role-policies --role-name "${ROLE_NAME}")
for profile in $(echo $ROLE_PROFILES | jq -r '.InstanceProfiles[].InstanceProfileName')
do
echo "Deleting instance profile: ${profile}"
aws iam remove-role-from-instance-profile --role-name "${ROLE_NAME}" --instance-profile-name "${profile}"
done
for policy in $(echo $ROLE_INLINE_POLICIES | jq -r '.PolicyNames[]')
do
echo "Deleting role policy: ${policy}"
aws iam delete-role-policy --role-name "${ROLE_NAME}" --policy-name "${policy}"
done
for policy in $(echo $ROLE_ATTACHED_POLICIES | jq -r '.AttachedPolicies[].PolicyArn')
do
echo "Detaching role policy: ${policy}"
aws iam detach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${policy}"
done
aws iam delete-role --role-name "${ROLE_NAME}"
fi
ROLE=$(aws iam create-role --role-name "${ROLE_NAME}" --assume-role-policy-document "file://${POLICY_FILE}")
ROLE_ARN=$(echo $ROLE | jq -r '.Role.Arn')
echo "role-to-assume: ${ROLE_ARN}"
Initialize azure cli and export the subcription id
$ az login --use-device-code
$ export ARM_SUBSCRIPTION_ID=<ACCOUNT_SUBSCRIPTION_ID>
access_token
- expires in 24 hoursrefresh_token
- expires
- 30 days
- when refreshed
- expired refresh_tokens reused
- changes after every refresh with a new access_token
- expires
wget https://raw.githubusercontent.com/EnterpriseDB/cloud-utilities/main/api/get-token.sh
bash get-token.sh
# Visit the biganimal link to activate the device
# ex. Please login to https://auth.biganimal.com/activate?user_code=JWPL-RCXL with your BigAnimal account
# Have you finished the login successfully. (y/n)
# Save the refresh token, if needed
export BA_BEARER_TOKEN=<BEARER_TOKEN>
Refresh the token
bash get-token.sh --refresh <refresh_token>
# Save the new refresh token, if needed again
export BA_BEARER_TOKEN=<access_token>
The CLI currently requires users to visit a link during when using biganimal reset-credential
.
The token directly from the API is preferred to avoid needing to revisit the link.
Initialize GCloud and export project id
$ gcloud init
$ export GOOGLE_PROJECT=<ACCOUNT_PROJECT_ID>