Configure OpenID Connect in AWS

Available on: Scaleup

OpenID Connect (OIDC) lets your pipelines access resources in Amazon Web Services (AWS) without storing long-lived access credentials in secrets.

In this guide, you will learn how to configure an AWS IAM identity provider to trust Semaphore's OIDC issuer as a federated identity, and then how to access cloud resources from your Semaphore pipelines.

Adding Semaphore to AWS as an identity provider

To connect to Amazon Web Services (AWS) from Semaphore using OpenID Connect, you will need to perform the following steps:

Step 1 - Configure the AWS OIDC identity provider

Configure AWS to support OpenID Connect by creating an IAM OIDC identity provider and an IAM role that trusts the provider. See Creating OpenID Connect (OIDC) identity providers.

  • For the provider URL, use the full URL of your organization. Example: https://{org-name}.semaphoreci.com.
  • For the audience, use the same full URL of your organization. Example: https://{org-name}.semaphoreci.com.

Step 2 - Configure a role and trust policy

Configure the role and trust policy that you will use to access resources on AWS. Follow the AWS documentation on Creating a role for web identity or OIDC.

Modify the trust policy below to specify which projects and branches may assume this role. Use the StringEquals condition to pin the role to one project and branch, or the StringLike condition to admit several branches with a wildcard:

"Condition": {
  "StringEquals": {
    "{org-name}.semaphoreci.com:aud": "https://{org-name}.semaphoreci.com",
    "{org-name}.semaphoreci.com:sub": "org:{org-name}:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main"
  },
  "StringLike": {
    "{org-name}.semaphoreci.com:sub": "org:{org-name}:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/*"
  }
}

Adjust the policy above to match the organization, project, and branch that should be allowed to assume the role. IAM evaluates every key in a Condition block together (logical AND), so a StringEquals on the sub claim pinned to refs/heads/main and a StringLike on the same claim must both hold; keep only the one that expresses the scope you want. Keep the aud condition in either case, so that a token minted for a different audience cannot be used with this role.
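To check a trust policy's scoping before deploying it, the following added example (not Semaphore's or AWS's code) evaluates a Condition block against the aud and sub claims of a Semaphore token the way IAM does, including AND across keys and OR across a list of values under one key; the organization name and project UUID are placeholders.

```python
import fnmatch
import json

PROVIDER_HOST = "example-org.semaphoreci.com"  # hypothetical organization host

# Constructed Condition block in the page's layout; the project UUID and
# repo name are placeholders, not values from a real Semaphore organization.
TRUST_CONDITION = json.loads("""
{
  "StringEquals": {
    "example-org.semaphoreci.com:aud": "https://example-org.semaphoreci.com"
  },
  "StringLike": {
    "example-org.semaphoreci.com:sub":
      "org:example-org:project:00000000-0000-4000-8000-000000000000:repo:web:ref_type:branch:ref:refs/heads/*"
  }
}
""")

# IAM StringLike: '*' matches any run of characters (slashes included), '?' one
# character, and matching is case-sensitive, hence fnmatchcase(name, pattern).
OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": lambda pattern, value: fnmatch.fnmatchcase(value, pattern),
}

def condition_allows(condition, claims, provider_host=PROVIDER_HOST):
    """Evaluate an IAM Condition block the way IAM does: every operator and
    every key must hold (logical AND); a list of values under one key is
    satisfied when any value matches (logical OR)."""
    for operator, keys in condition.items():
        match = OPERATORS.get(operator)
        if match is None:
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in keys.items():
            host, _, claim = key.rpartition(":")
            if host != provider_host or claim not in claims:
                return False  # a missing claim never satisfies a String condition
            candidates = expected if isinstance(expected, list) else [expected]
            if not any(match(pattern, claims[claim]) for pattern in candidates):
                return False
    return True

def semaphore_claims(org, project_id, repo, ref_type, ref):
    """Build aud/sub claims in the shape the page shows for a Semaphore job token."""
    return {
        "aud": f"https://{org}.semaphoreci.com",
        "sub": f"org:{org}:project:{project_id}:repo:{repo}:ref_type:{ref_type}:ref:{ref}",
    }
```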

Step 3 - Assume the role in a Semaphore pipeline

Finally, in your Semaphore pipelines, assume the above role by adding the following commands:

commands:
  - export ROLE_ARN="<>" # the ARN of the AWS role you want to assume
  - export SESSION_NAME="semaphore-job-${SEMAPHORE_JOB_ID}"
  # SEMAPHORE_OIDC_TOKEN is the job's OIDC token, provided by Semaphore; assume-role-with-web-identity needs no other AWS credentials
  - export CREDENTIALS="$(aws sts assume-role-with-web-identity --role-arn "$ROLE_ARN" --role-session-name "$SESSION_NAME" --web-identity-token "$SEMAPHORE_OIDC_TOKEN")"
  - export AWS_ACCESS_KEY_ID="$(echo "$CREDENTIALS" | jq -r '.Credentials.AccessKeyId')"
  - export AWS_SESSION_TOKEN="$(echo "$CREDENTIALS" | jq -r '.Credentials.SessionToken')"
  - export AWS_SECRET_ACCESS_KEY="$(echo "$CREDENTIALS" | jq -r '.Credentials.SecretAccessKey')"