AWS Role Assumption
complete
Kevin
grebols wrote:
It would be nice to be able to replace the hardcoded and long-lived AWS credentials you're currently offering for accessing AWS APIs with the ability to assume a cross-account role with STS. For an example, see how Datadog did it:
CCI-I-709
Nathan Fish
complete
Nathan Fish
This was released and you can learn more about it here https://circleci.com/docs/2.0/openid-connect-tokens/.
-
The docs don't mention how to assume a role using the CIRCLE_OIDC_TOKEN in a given context. For example, GitHub documents this a lot better: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
GitHub has a specific action for authenticating with AWS. Is this something (an orb?) that CircleCI is considering as well? Or maybe some documentation?
Liya Ai
Merged in a post:
Provide OIDC tokens to workflow runs
Ben Drucker
Many cloud compute providers are adding support for OIDC for supporting cross-vendor workloads and I'd love to see CircleCI join in. OIDC enables federation of credentials/identity from one provider to another. Rather than require that a user supply static credentials, OIDC allows them to exchange a short-lived credential injected by the platform with the remote service. That credential embeds information about the identity of a workload. In git, that identity information might include the organization/repo name and the branch/ref.
This makes it easy to author fine grained access policies for specific repos and ensures that long-lived credentials aren't exposed to CI workloads.
OIDC is supported by GitHub Actions and GitLab CI/CD:
FWIW, this loosely relates to the newly announced IP range feature: https://circleci.com/blog/ip-ranges-better-security/
OIDC addresses the underlying security issues directly (long-lived credentials, potentially shared via contexts). IP ranges introduce an additional layer of security (a network perimeter) to help make those weaknesses harder to exploit without actually fixing them.
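The exchange Ben describes (platform-injected short-lived token carrying the workload identity, swapped at the remote service for temporary credentials, with a policy pinned to one project) and the missing "how do I actually assume a role with CIRCLE_OIDC_TOKEN" step from the earlier comment, as an added example. This is not CircleCI's or AWS's code and not an orb. It assumes the token layout the CircleCI OIDC docs describe (issuer `https://oidc.circleci.com/org/<org-id>`, `aud` = organization ID, `sub` = `org/<org-id>/project/<project-id>/user/<user-id>`); the IDs, account number and sample token are constructed placeholders. The STS call itself is unsigned: the OIDC token is the only credential presented.

```python
"""Exchange a CircleCI OIDC token for short-lived AWS credentials.

Added example, not CircleCI's or AWS's code. Assumes the token layout CircleCI
documents (iss https://oidc.circleci.com/org/<org-id>, aud = org id, sub =
org/<org-id>/project/<project-id>/user/<user-id>); all IDs are placeholders.
"""
import base64
import json
import time
import urllib.parse, urllib.request
import xml.etree.ElementTree as ET

STS_ENDPOINT = "https://sts.us-east-1.amazonaws.com/"  # regional STS endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature: a local sanity
    check only, STS verifies the signature against the provider's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_scope(claims: dict, org_id: str, project_id: str, now=None) -> bool:
    """True if the token names the expected org and project and is unexpired."""
    now = time.time() if now is None else now
    sub_prefix = f"org/{org_id}/project/{project_id}/user/"
    return (
        claims.get("iss") == f"https://oidc.circleci.com/org/{org_id}"
        and claims.get("aud") == org_id
        and str(claims.get("sub", "")).startswith(sub_prefix)
        and claims.get("exp", 0) > now
    )


def trust_policy(account_id: str, org_id: str, project_id: str) -> dict:
    """IAM trust policy that lets only jobs of one CircleCI project assume the role."""
    provider = f"oidc.circleci.com/org/{org_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": org_id},
                # Pin the project; the user segment of sub varies per job.
                "StringLike": {f"{provider}:sub": f"org/{org_id}/project/{project_id}/user/*"},
            },
        }],
    }


def parse_sts_credentials(xml_text: str) -> dict:
    """Pull the temporary credentials out of an AssumeRoleWithWebIdentity response."""
    wanted = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}
    creds = {el.tag.rsplit("}", 1)[-1]: el.text  # strip the STS XML namespace
             for el in ET.fromstring(xml_text).iter()
             if el.tag.rsplit("}", 1)[-1] in wanted}
    missing = wanted - set(creds)
    if missing:
        raise ValueError(f"STS response missing {sorted(missing)}")
    return creds


def assume_role(token: str, role_arn: str, session_name: str, duration: int = 900) -> dict:
    """Unsigned STS call: the OIDC token itself is the credential presented."""
    body = urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": token, "DurationSeconds": str(duration),
    }).encode()
    req = urllib.request.Request(STS_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_credentials(resp.read().decode())


# Constructed sample: the claims a CircleCI job token carries, with a dummy signature.
ORG_ID = "11111111-2222-3333-4444-555555555555"
PROJECT_ID = "66666666-7777-8888-9999-000000000000"
SAMPLE_CLAIMS = {"iss": f"https://oidc.circleci.com/org/{ORG_ID}", "aud": ORG_ID,
                 "sub": f"org/{ORG_ID}/project/{PROJECT_ID}/user/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                 "exp": 2_000_000_000}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "not-a-real-signature"])
```

In a job you would read `os.environ["CIRCLE_OIDC_TOKEN"]`, run `check_token_scope` against the org and project IDs the trust policy was written for (so a misconfigured context fails loudly before the network call), then call `assume_role(token, "arn:aws:iam::<account>:role/<role>", "circleci")` and export the three returned values as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`. The `StringLike` on `sub` is what makes the policy project-scoped; an `aud`-only condition would let any project in the organization assume the role.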
Ben Drucker
Looks like there's an existing post where the discussion led to OIDC:
Feel free to merge this into that existing discussion.
Nathan Fish
AWS Role Assumption is coming very soon. We planned to release at the end of January but that was delayed. We have some additional work we want to complete before releasing to make the solution compatible with other platforms like Google Cloud and Vault. We are targeting end of February for release.
Francois Proulx
Nathan Fish: Looking forward to the announcement!!!
Calvin Huang
Nathan Fish: is there an updated estimate for the release date?
Abury Bury
Nathan Fish: Any word on this? Late Feb has come and gone and still no update, this is pretty critical.
Nathan Fish
Abury Bury: Yes, we found a couple of issues we want to address to ensure the solution works for GCP and Vault. Finishing up that work and expect to release before the end of the month! Sorry for the delay.
FYI Calvin Huang
Abury Bury
Nathan Fish: Never mind my comments, looks like this is up and running. Amazing!
Matthieu Paret
GitLab CI supports this now also: https://docs.gitlab.com/ee/ci/cloud_services/aws/
Michael Poutre
Would be great to at least see some sort of response here. GitHub Actions has a huge advantage here now.
Michael Warkentin
This launched for GitHub Actions a few weeks back:
Barry Mulling
We're seriously considering taking our entire account away from CircleCI and going to Github Actions specifically due to the lack of this functionality.
Just giving some perspective about how important this feature is to us.
Elliot Anderson
It looks like external OIDC Federation is about to be announced (see: https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html). Is this something on the radar for CircleCI to adopt?
Matt Button
Elliot Anderson: +1 this - having access to signed tokens like this would make it so much easier for our circleci builds to authenticate with other custom/third party tools we use.
Mitchell Hashimoto was tweeting about how HashiCorp's Vault project could integrate with the new GitHub OIDC tokens to generate credentials/fetch secrets for any platform Vault supports. It seems like the same could apply to CircleCI if something similar were implemented here.
Andrea Riva
Elliot Anderson: +1, external OIDC federation may be useful also for other Cloud providers, such as Google Cloud (with Workload Identity Federation: https://cloud.google.com/iam/docs/workload-identity-federation).
Here is how GitHub Actions allows doing that: https://github.com/google-github-actions/auth