CloudBees action: Configure AWS credentials

Configure Amazon Web Services (AWS) Identity and Access Management (IAM) credentials, credential files, and a region for use in CloudBees workflows. This action implements the AWS SDK credential resolution chain and sets configuration and credential files for other CloudBees actions to use. Configuration and credential files are detected by both the AWS SDKs and the AWS CLI for AWS API calls.

Additional information about aws-session-token

Important

CloudBees recommends using this token only when OpenID Connect (OIDC) authentication is not possible.

The aws-session-token is used when temporary session credentials are needed. However, users are encouraged to use OpenID Connect (OIDC) authentication instead, as it simplifies credential management and avoids the need to update session tokens manually. The aws-session-token is best suited for complex workflows where OIDC authentication may not be an option, though OIDC is typically the preferred approach.

If using a long-term IAM user, a session token is not necessary. However, CloudBees recommends using a dedicated AWS IAM user with minimal permissions only when OIDC integration is not possible. For such use cases, an IAM policy similar to the following must be assigned to allow the creation of long-term credentials:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:UpdateAccessKey",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::account-id:user/username"
    }
  ]
}

Note	Replace account-id with your AWS account ID and username with the name of the IAM user.

Inputs

Table 1. Input details

Input name	Data type	Required?	Description
aws-access-key-id	String	Yes	The AWS access key ID.
aws-secret-access-key	String	Yes	The AWS secret key.
aws-session-token	String	No	The AWS session token to use. Required for temporary credentials and most common authentication setups.
aws-region	String	Yes	The AWS region.
role-to-assume	String	No	The AWS role to assume.
role-external-id	String	No	The AWS role external ID.
role-duration-seconds	String	No	The AWS role duration, in seconds.
role-session-name	String	No	The AWS role session name.
role-chaining	Boolean	No	Whether there is chaining of the AWS roles. Default value is false, specifying no chaining.
inline-session-policy	JSON	No	The AWS inline role session policy.
managed-session-policy	String	No	The AWS managed role session policy.

Usage examples

Two methods for fetching credentials from AWS are supported: AssumeRole and authenticate as user.

AssumeRole with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
          role-duration-seconds: 1200
          role-session-name: MySessionName

Authenticate as a user with static IAM credentials in secrets

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

AssumeRole using previous credentials

This is effectively the same as the AssumeRole with static IAM credentials in secrets method above, but allows for more complex use cases that require switching roles.

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

    # ...

      - name: Configure other AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::987654321000:role/my-second-role
          role-session-name: MySessionName
          role-chaining: true

Inline session policy

You can use an IAM policy in stringified JSON format as an inline session policy. Code the JSON as either a single line, or formatted.

Single-line JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:List*","Resource":"*"}]}'

Formatted JSON:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           inline-session-policy: >-
            {
             "Version": "2012-10-17",
             "Statement": [
              {
               "Sid":"Stmt1",
               "Effect":"Allow",
               "Action":"s3:List*",
               "Resource":"*"
              }
             ]
            }

Managed session policies

You can use Amazon Resource Names (ARNs) of the IAM managed policies as managed session policies. The policies must exist in the same account as the role.

Pass a single managed policy as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Pass multiple managed policies as:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
           managed-session-policies: |
            arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
            arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess

License

This code is made available under the MIT license.

References

• Learn more about using actions in CloudBees workflows.

• Learn about the CloudBees platform.